Bug 21502

Summary: mercurial new security issues CVE-2017-1000115 and CVE-2017-1000116
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: makowski.mageia, sysadmin-bugs
Version: 6Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory has_procedure MGA6-64-OK
Source RPM: mercurial-4.1.3-1.mga6.src.rpm CVE: CVE-2017-1000115 CVE-2017-1000116
Status comment:
Bug Depends on:    
Bug Blocks: 21510    

Description David Walser 2017-08-12 00:26:22 CEST 
Mercurial has released version 4.3 on August 10, fixing two security issues:
https://www.mercurial-scm.org/wiki/WhatsNew

There's also a 4.3.1, apparently released today, already in Cauldron.

The announcement was here:
https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html

Mageia 5 is probably also affected.
Comment 1 Philippe Makowski 2017-08-12 19:16:31 CEST 
mercurial-4.1.3-1.1.mga6 is in testing

Suggested advisory:
========================

Updated mercurial packages fix security vulnerabilities:

Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand.


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116
https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html

Updated packages in core/updates_testing:
========================
mercurial-4.1.3-1.1.mga6
from mercurial-4.1.3-1.1.mga6.src.rpm

Mageia 5 is probably also affected, but it is a very old version with a lot of patch, I didn't find time yet to do the backport.

CVE: (none) => CVE-2017-1000115 CVE-2017-1000116
Assignee: makowski.mageia => qa-bugs

David Walser 2017-08-12 19:51:20 CEST

CC: (none) => makowski.mageia

David Walser 2017-08-12 19:52:23 CEST

Blocks: (none) => 21510

Lewis Smith 2017-08-13 10:33:55 CEST

Whiteboard: (none) => advisory

Comment 2 Rémi Verschelde 2017-08-19 11:32:26 CEST 
Did a quick test on Mageia 6 x86_64 showing that basic functionality works:

$ hg config --edit // set username/email for commits

$ hg clone https://bitbucket.org/jthlim/pvrtccompressor

$ cd pvrtccompressor
$ nano BitScale.cpp // removed some random stuff

$ hg diff
diff -r cf7177748ee0 BitScale.cpp
--- a/BitScale.cpp      Thu Jan 08 18:37:52 2015 +0800
+++ b/BitScale.cpp      Sat Aug 19 11:30:09 2017 +0200
@@ -1,9 +1,5 @@
 #include "BitScale.h"
 
-#ifdef _WIN32
-#define constexpr const
-#endif
-
 constexpr uint8_t Javelin::Data::BITSCALE_5_TO_8[32] = {
  0, 8, 16, 24, 32, 41, 49, 57, 65, 74,
  82, 90, 98, 106, 115, 123, 131, 139, 148, 156,

$ hg commit -m 'Who cares about Windows anyway?'

$ hg log | head -n 5
changeset:   19:3713a9f687fb
tag:         tip
user:        Rémi Verschelde <akien@mageia.org>
date:        Sat Aug 19 11:31:32 2017 +0200
summary:     Who cares about Windows anyway?

Whiteboard: advisory => advisory has_procedure MGA6-64-OK

Comment 3 Rémi Verschelde 2017-08-19 11:32:36 CEST 
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 4 Mageia Robot 2017-08-19 11:59:16 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0282.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED