Bug 21510

Summary: mercurial new security issues CVE-2017-1000115 and CVE-2017-1000116
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: lewyssmith, mageia, makowski.mageia, qa-bugs, sysadmin-bugs
Version: 5Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-64-OK
Source RPM: mercurial-3.1.1-5.3.mga5.src.rpm CVE: CVE-2017-1000115 CVE-2017-1000116
Status comment:
Bug Depends on: 21502    
Bug Blocks:    
Attachments: patch from Debian

Description David Walser 2017-08-12 19:52:23 CEST 
+++ This bug was initially created as a clone of Bug #21502 +++

Mercurial has released version 4.3 on August 10, fixing two security issues:
https://www.mercurial-scm.org/wiki/WhatsNew

There's also a 4.3.1, apparently released today, already in Cauldron.

The announcement was here:
https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html

Mageia 5 is probably also affected (especially since cvs, git, and svn were).
Comment 1 David Walser 2017-08-17 13:37:40 CEST 
RedHat has issued an advisory for this today (August 17):
https://access.redhat.com/errata/RHSA-2017:2489

They backported patches to 2.6.2, which may be helpful.
Comment 2 Philippe Makowski 2017-08-19 15:11:45 CEST 
mercurial-3.1.1-5.4.mga5 is in testing

Suggested advisory:
========================

Updated mercurial packages fix security vulnerabilities:

Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand.


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116
https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html

Updated packages in core/updates_testing:
========================
mercurial-3.1.1-5.4.mga5
from mercurial-3.1.1-5.4.mga5.src.rpm

I hope that the backport is ok, will check with the Debian one when it will be ready

Assignee: makowski.mageia => qa-bugs

Comment 3 PC LX 2017-08-19 19:48:24 CEST 
Installed without issue but it is NOT working. I have tested on several repositories always with the same error below.

$ LANGUAGE=C hg status
** unknown exception encountered, please report by visiting
** http://mercurial.selenic.com/wiki/BugTracker
** Python 2.7.9 (default, Aug 13 2016, 16:52:12) [GCC 4.9.2]
** Mercurial Distributed SCM (version 3.1.1)
** Extensions loaded: 
Traceback (most recent call last):
  File "/usr/bin/hg", line 43, in <module>
    mercurial.dispatch.run()
  File "/usr/lib64/python2.7/site-packages/mercurial/dispatch.py", line 28, in run
    sys.exit((dispatch(request(sys.argv[1:])) or 0) & 255)
  File "/usr/lib64/python2.7/site-packages/mercurial/dispatch.py", line 69, in dispatch
    ret = _runcatch(req)
  File "/usr/lib64/python2.7/site-packages/mercurial/dispatch.py", line 169, in _runcatch
    return _dispatch(req)
  File "/usr/lib64/python2.7/site-packages/mercurial/dispatch.py", line 818, in _dispatch
    repo = hg.repository(ui, path=path)
  File "/usr/lib64/python2.7/site-packages/mercurial/hg.py", line 119, in repository
    peer = _peerorrepo(ui, path, create)
  File "/usr/lib64/python2.7/site-packages/mercurial/hg.py", line 106, in _peerorrepo
    obj = _peerlookup(path).instance(ui, path, create)
  File "/usr/lib64/python2.7/site-packages/mercurial/localrepo.py", line 1782, in instance
    return localrepository(ui, util.urllocalpath(path), create)
  File "/usr/lib64/python2.7/site-packages/mercurial/localrepo.py", line 201, in __init__
    self.nofsauditor = scmutil.pathauditor(self.root, self._checknested,
AttributeError: 'module' object has no attribute 'pathauditor'

CC: (none) => mageia

Comment 4 David Walser 2017-08-19 19:50:05 CEST 
Philippe, please remember to CC yourself when you assign bugs to QA.  See the previous comment.

CC: (none) => makowski.mageia
Whiteboard: (none) => feedback

Comment 5 PC LX 2017-08-19 19:57:26 CEST 
The previous version I had installed and, after a downgrade, have now installed is working correctly, so a diff of the two versions may help pinpoint the problem.

$ rpm -q mercurial 
mercurial-3.1.1-5.3.mga5
Comment 6 Philippe Makowski 2017-08-20 11:43:02 CEST 
(In reply to David Walser from comment #4)
> Philippe, please remember to CC yourself when you assign bugs to QA.  See
> the previous comment.

not really needed, since I receive, and read qa-bugs@ml.mageia.org
Comment 7 Philippe Makowski 2017-08-20 11:53:51 CEST 
(In reply to PC LX from comment #3)
> Installed without issue but it is NOT working. I have tested on several
> repositories always with the same error below.

That's what I was afraid of, the patch is not correct enough, it still need some work unfortunately.

Sorry, and thanks for the report.
David Walser 2017-08-22 18:53:09 CEST

CC: (none) => qa-bugs
Assignee: qa-bugs => makowski.mageia

Comment 8 Philippe Makowski 2017-09-04 13:53:40 CEST 
Created attachment 9653 [details]
patch from Debian

I will try with the Debian patch
Comment 9 Philippe Makowski 2017-09-04 15:15:38 CEST 
mercurial-3.1.1-5.5.mga5 is in testing

Suggested advisory:
========================

Updated mercurial packages fix security vulnerabilities:

Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand.


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116
https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html

Updated packages in core/updates_testing:
========================
mercurial-3.1.1-5.5.mga5
from mercurial-3.1.1-5.5.mga5.src.rpm

Assignee: makowski.mageia => qa-bugs

Comment 10 PC LX 2017-09-04 16:18:39 CEST 
Installed and tested without issues.

System: Mageia 5, x86_64, Intel CPU.

Tests:
- did some clone/pull/push commands on remote (ssh) repositories;
- did some summary/status/log command on local repositories;
- created a new repository and worked on it a bit;
- verifying all local repositories (see command below).

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q mercurial
mercurial-3.1.1-5.5.mga5
$ P="$(pwd)" ; \
  for U in $(find -type d -ipath '*/.hg') ; do \
    cd "$U/../" ; \
    echo "REPO: $(pwd)" ; \
    hg -q verify ; \
    cd "$P" ; \
  done
$ find -type d -ipath '*/.hg' | wc -l
24
$ # all 24 repositories verified OK.

Whiteboard: feedback => feedback MGA5-64-OK

David Walser 2017-09-04 17:29:48 CEST

Whiteboard: feedback MGA5-64-OK => MGA5-64-OK

Comment 11 David Walser 2017-09-04 18:03:10 CEST 
Debian advisory for this from today (September 4):
https://www.debian.org/security/2017/dsa-3963
Comment 12 Lewis Smith 2017-09-06 11:31:05 CEST 
(In reply to PC LX from comment #10)
> Installed and tested without issues.
A formidable test, for which many thanks.
Advisory uploaded from Comment 9. Validating.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 13 Samuel Verschelde 2017-09-06 15:10:35 CEST 
Moving 'advisory' from whiteboard to keywords now that madb has been updated to handle that keyword.

Keywords: (none) => advisory
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK

Comment 14 Mageia Robot 2017-09-07 11:08:10 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0331.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED