OpenSuSE has issued an advisory on March 27:
http://lists.opensuse.org/opensuse-updates/2015-03/msg00085.html

The OpenSuSE update fixes the CVE-2014-9462 issue, which corresponds to this entry in the upstream 3.2.4 changelog:
"sshpeer: more thorough shell quoting"
http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.4_.282015-01-01.29

As I previously mentioned:
https://bugs.mageia.org/show_bug.cgi?id=14849#c2
There was also a fix for CVE-2014-9390 in 3.2.3 (granted it doesn't really affect Linux).

Mageia 4 and Mageia 5 are affected.

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
For Mageia4 :

From mercurial-2.7.2-3.1.mga4.src
mercurial-2.7.2-3.1.mga4.i586
mercurial-2.7.2-3.1.mga4.x86_64
mercurial-debuginfo-2.7.2-3.1.mga4.x86_64
mercurial-debuginfo-2.7.2-3.1.mga4.i586

For Mageia5 freeze push asked for :

From mercurial-3.1.1-5.mga5.src
mercurial-3.1.1-5.mga5.i586
mercurial-3.1.1-5.mga5.x86_64
mercurial-debuginfo-3.1.1-5.mga5.x86_64
mercurial-debuginfo-3.1.1-5.mga5.i586
Looks like we'll just be fixing CVE-2014-9462 and not CVE-2014-9390. That's OK.
Summary: mercurial new security issue CVE-2014-9390 and CVE-2014-9462 => mercurial new security issue CVE-2014-9462
Patched packages uploaded for Mageia 4 and Cauldron.

Package list in Comment 1.

Advisory:
========================

Updated mercurial packages fix security vulnerability:

The mercurial source code management system suffers from a code-injection flaw due to insufficient shell quoting in sshpeer._validaterepo() (CVE-2014-9462).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9462
http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
http://lists.opensuse.org/opensuse-updates/2015-03/msg00085.html
CC: (none) => makowski.mageia
Version: Cauldron => 4
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
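As an added illustration of the bug class named in the advisory (insufficient shell quoting of a repository path before it is sent to a remote login shell), here is example code written for this page; it is not Mercurial's sshpeer code and not the Mageia patch. The remote command template, the function names and the sample paths are assumptions constructed for the demonstration; shlex.split is used only to approximate how a POSIX shell would break each command line into words, so the code executes nothing remotely.

```python
import shlex

# Constructed sample paths (not taken from the bug report).
SAFE_PATH = "/tmp/repo/my-hello"
TRICKY_PATH = "/tmp/repo/my hello; echo extra"

# Assumed remote command template; hypothetical, not Mercurial's own code.
REMOTE_TEMPLATE = "hg -R %s serve --stdio"


def naive_remote_cmd(path):
    # Plain interpolation: whitespace or metacharacters in `path` reach the
    # remote login shell unprotected (the bug class in the advisory).
    return REMOTE_TEMPLATE % path


def quoted_remote_cmd(path):
    # shlex.quote single-quotes the value (escaping embedded single quotes)
    # whenever it contains anything a POSIX shell treats specially, so the
    # remote shell sees exactly one word.
    return REMOTE_TEMPLATE % shlex.quote(path)


def remote_words(cmd):
    # Approximates POSIX word splitting: shlex.split honours quotes and
    # whitespace but does no expansion or command substitution, so this
    # only shows word boundaries, not what a real shell would run.
    return shlex.split(cmd)


def path_received_by_remote(cmd):
    # The word after -R is the repository path remote hg would receive.
    words = remote_words(cmd)
    return words[words.index("-R") + 1]


def quoting_preserves_path(path):
    # Defender-side check: the quoted command must round-trip the path
    # unchanged and contribute no extra words.
    return remote_words(quoted_remote_cmd(path)) == [
        "hg", "-R", path, "serve", "--stdio"]


if __name__ == "__main__":
    for p in (SAFE_PATH, TRICKY_PATH):
        print("naive :", remote_words(naive_remote_cmd(p)))
        print("quoted:", remote_words(quoted_remote_cmd(p)))
```

With the naive builder the tricky path is split into several words and a second command boundary appears, while the quoted builder hands the remote side the original path as one word; the same round-trip check can be applied to any path the client is about to send.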
Testing on Mageia4x64 real hardware, following tutorial found at :
http://mercurial.selenic.com/wiki/TutorialInstall

I did not find any PoC.

From current package :
---------------------
mercurial-2.7.2-3.mga4

$ hg version
Mercurial Distributed SCM (version 2.7.2)
(...)

In my home directory,

$ nano .hgrc
[ui]
username = olivier_cc <olivier@gmail.com>
ssh = ssh -C

$ mkdir tmp tmp/repo
$ cd tmp/repo/
$ hg init
$ ls -a
./ ../ .hg/

$ hg clone http://www.selenic.com/repo/hello my-hello
requesting all changes
adding changesets
adding manifests
adding file changes
added 2 changesets with 2 changes to 2 files
updating to branch default
2 files updated, 0 files merged, 0 files removed, 0 files unresolved

$ ls -a my-hello/
./ ../ hello.c .hg/ Makefile

$ rm -rf my-hello/

Verified I could use the clone command over ssh from a repository located on my network :

$ hg clone ssh://pi@192.168.0.15/tmp/repo/my-hello my-hello
pi@192.168.0.15's password:
requesting all changes
adding changesets
adding manifests
adding file changes
added 2 changesets with 2 changes to 2 files
updating to branch default
2 files updated, 0 files merged, 0 files removed, 0 files unresolved

Went on with the tutorial to test history, making changes, committing changesets (hg status, hg diff, hg revert, hg ci, hg par...)
All OK

Removed ~/tmp

With the updated testing package :
--------------------------
mercurial-2.7.2-3.1.mga4

Reproduced same procedure.
All OK
CC: (none) => olchal
Whiteboard: (none) => MGA4-64-OK
Validating. Advisory uploaded.

Please push to 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK => has_procedure advisory MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0129.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED