| Summary: | mercurial new security issue CVE-2017-17458 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, marja11, python, shlomif, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-32-OK MGA6-64-OK | ||
| Source RPM: | mercurial-4.3.1-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2017-12-11 13:17:50 CET
David Walser
2017-12-11 13:17:59 CET
Whiteboard: (none) => MGA6TOO, MGA5TOO

CC'ing Shlomi and the PHP maintainers, because I'm not sure Philippem is available again.

CC: (none) => marja11, php, shlomif

(In reply to Marja van Waes from comment #1)
> CC'ing Shlomi and the PHP maintainers, because I'm not sure Philippem is
> available again.

Sorry, s/PHP/Python/

CC: php => python

Presumably fixed in Cauldron by upgrading to mercurial 4.4.2. I see the mga5 EOL is in 20 days. Can we just upgrade mercurial there too? I don't expect any major breakages.

Version: Cauldron => 6

It's probably not worth making a major upgrade for it for Mageia 5, if we can't backport the patch. I haven't looked through the commits to see if I could find the right one or to see how hard it would be to backport.

openSUSE has issued an advisory for this today (December 18):
https://lists.opensuse.org/opensuse-updates/2017-12/msg00071.html

They have a patch for 3.x (in Leap 42.2).

Advisory:
========================

Updated mercurial package fixes security vulnerability:

A specially malformed repository may have caused Git subrepositories to run arbitrary code (CVE-2017-17458).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17458
https://lists.opensuse.org/opensuse-updates/2017-12/msg00071.html
========================

Updated packages in core/updates_testing:
========================
mercurial-3.1.1-5.6.mga5
mercurial-4.1.3-1.2.mga6

from SRPMS:
mercurial-3.1.1-5.6.mga5.src.rpm
mercurial-4.1.3-1.2.mga6.src.rpm

Assignee: makowski.mageia => qa-bugs

To test normally.

MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Ref to bug 21502 Comment 2

```
$ hg config --edit
set username
hg clone https://bitbucket.org/jthlim/pvrtccompressor
warning: bitbucket.org certificate with fingerprint 3f:d3:c5:17:23:3c:cd:f5:2d:17:76:06:93:7e:ee:97:42:21:14:aa not verified (check hostfingerprints or web.cacerts config setting)
destination directory: pvrtccompressor
requesting all changes
adding changesets
adding manifests
adding file changes
added 19 changesets with 74 changes to 28 files
updating to branch default
27 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ cd pvrtccompressor
```

remove 3 comment lines from file Bitscale.cpp

```
$ hg diff
diff -r cf7177748ee0 BitScale.cpp
--- a/BitScale.cpp	Thu Jan 08 18:37:52 2015 +0800
+++ b/BitScale.cpp	Sat Dec 30 16:42:12 2017 +0100
@@ -1,8 +1,6 @@
 #include "BitScale.h"
-#ifdef _WIN32
-#define constexpr const
-#endif
+
 
 constexpr uint8_t Javelin::Data::BITSCALE_5_TO_8[32] =
 {
 	0, 8, 16, 24, 32, 41, 49, 57, 65, 74,
$ hg commit -m 'Who cares about Windows anyway?'
$ hg log | head -n 5
changeset:   19:5c4ea8252fcb
tag:         tip
user:        tester
date:        Sat Dec 30 16:46:27 2017 +0100
summary:     Who cares about Windows anyway?
```

Looks all OK to me.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
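The advisory above says the flaw is reachable through Git subrepositories, so an administrator rolling out the update would want to know which Mercurial checkouts on a host actually declare git subrepos (those are the ones where the affected code path runs on clone, pull and update). The script below is an added example, not code from the Mageia bug or from Mercurial itself: it parses the `.hgsub` file that declares subrepositories (one `path = [kind]source` entry per line, kind defaulting to `hg`) and lists the git entries; the `.hgsub` content used as input is constructed for the example, and `scan_tree` is a helper name chosen here.

```python
"""Inventory the subrepositories an .hgsub file declares, by kind.

Added example for the CVE-2017-17458 update, not Mageia's or Mercurial's own
code.  The .hgsub format is one "path = [kind]source" entry per line; kind is
hg when the bracketed prefix is omitted, and git or svn otherwise.
"""
import re
from pathlib import Path
from typing import Iterator, List, NamedTuple


class Subrepo(NamedTuple):
    path: str    # checkout path of the subrepo, relative to the parent repo
    kind: str    # "hg", "git" or "svn"
    source: str  # where the subrepo is fetched from


# path, optional whitespace, "=", optional "[kind]" prefix, then the source.
_ENTRY = re.compile(
    r"^\s*(?P<path>[^=]+?)\s*=\s*(?:\[(?P<kind>\w+)\])?(?P<source>.+?)\s*$"
)


def parse_hgsub(text: str) -> List[Subrepo]:
    """Parse the text of an .hgsub file into Subrepo records."""
    entries: List[Subrepo] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        match = _ENTRY.match(line)
        if match is None:
            raise ValueError(f"unparseable .hgsub line: {raw!r}")
        entries.append(
            Subrepo(match.group("path"), match.group("kind") or "hg",
                    match.group("source"))
        )
    return entries


def git_subrepos(text: str) -> List[Subrepo]:
    """Only the entries that Mercurial would hand to its git subrepo code."""
    return [entry for entry in parse_hgsub(text) if entry.kind == "git"]


def scan_tree(root: str) -> Iterator[tuple]:
    """Yield (hgsub_file, git_entries) for every .hgsub under root.

    Hypothetical helper for walking a host; the parent repo of each .hgsub
    is the directory containing it.
    """
    for hgsub in Path(root).rglob(".hgsub"):
        found = git_subrepos(hgsub.read_text(encoding="utf-8", errors="replace"))
        if found:
            yield hgsub, found


# Constructed sample .hgsub: one entry of each kind plus a comment.
SAMPLE_HGSUB = """\
# constructed sample, not from any real repository
vendor/lib = https://hg.example.org/lib
tools/util = [git]https://git.example.org/util.git
legacy/docs = [svn]https://svn.example.org/docs
"""

if __name__ == "__main__":
    for entry in git_subrepos(SAMPLE_HGSUB):
        print(f"git subrepo at {entry.path} from {entry.source}")
```

Running it on the constructed sample reports the single `tools/util` entry; pointing `scan_tree` at a directory of working copies gives the list of parent repositories worth updating first. Only lines that begin with `#` are treated as comments, so a `#` inside a source URL is kept.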
Dave Hodgins
2018-01-01 07:55:32 CET
Keywords: (none) => advisory

Thanks for the test procedure Herman. Same test on Mageia 6 x86_64.

Validating the update.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0041.html

Resolution: (none) => FIXED