This update fixes possible arbitrary code execution when converting Git repos. Mercurial prior to 3.8 allowed arbitrary code execution when using the convert extension on Git repos with hostile names. This could affect automated code conversion services that allow arbitrary repository names. This is a further side-effect of Git CVE-2015-7545. Reported and fixed by Blake Burkhart. This has been fixed in mercurial-3.8.1-1 i586/x86_64 Cauldron but not in mga5 which has mercurial-3.1.1-5.1 in updates
URL: (none) => https://access.redhat.com/security/cve/CVE-2016-3105
CVE: (none) => CVE-2016-3105
(In reply to Nic Baxter from comment #0)
> This update fixes possible arbitrary code execution when converting Git
> repos. Mercurial prior to 3.8 allowed arbitrary code execution when using
> the convert extension on Git repos with hostile names. This could affect
> automated code conversion services that allow arbitrary repository names.
> This is a further side-effect of Git CVE-2015-7545. Reported and fixed by
> Blake Burkhart.
>
> This has been fixed in mercurial-3.8.1-1 i586/x86_64 Cauldron but not in
> mga5 which has mercurial-3.1.1-5.1 in updates

Assigning to Mercurial maintainer
CC: (none) => marja11
Assignee: bugsquad => makowski.mageia
Summary: mercurial: code execution => mercurial: code execution (CVE-2016-3105)
I put here the link to the Debian page about this CVE: https://security-tracker.debian.org/tracker/CVE-2016-3105
And the patch in Mercurial upstream repo https://selenic.com/hg/rev/a56296f55a5e
My real question here is: should the patched version be pushed to mga5?
Updated packages uploaded for Mageia 5

Advisory:
========================

Updated mercurial packages fix security vulnerabilities:

This update fixes possible arbitrary code execution when converting Git repos. Mercurial prior to 3.8 allowed arbitrary code execution when using the convert extension on Git repos with hostile names. This could affect automated code conversion services that allow arbitrary repository names. This is a further side-effect of Git CVE-2015-7545. Reported and fixed by Blake Burkhart.

References:
- https://access.redhat.com/security/cve/CVE-2016-3105
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3105
- https://selenic.com/hg/rev/a56296f55a5e

Updated packages in core/updates_testing:
========================
mercurial-3.1.1-5.2.mga5.x86_64
mercurial-3.1.1-5.2.mga5.i586

from mercurial-3.1.1-5.2.mga5.src.rpm
Assignee: makowski.mageia => qa-bugs
URL: https://access.redhat.com/security/cve/CVE-2016-3105 => http://lwn.net/Vulnerabilities/686084/
Summary: mercurial: code execution (CVE-2016-3105) => mercurial new code execution security issue (CVE-2016-3105)
Source RPM: (none) => mercurial
Procedure: https://bugs.mageia.org/show_bug.cgi?id=15590#c4
Whiteboard: (none) => has_procedure
x86_64 Shall test this with Olivier's procedure.
CC: (none) => tarazed25
Created a local repository and then cloned it on another node on the LAN. Added a file and ran commit after editing the config file to name a user. Checked out a few of the commands in the help list. Updated to mercurial-3.1.1-5.2.mga5. Removed the old repositories and worked through the testing procedure again and did the same on another machine. On the other machine cloned the my-hello branch from the main test machine. $ hg version Mercurial Distributed SCM (version 3.1.1) $ hg clone ssh://lcl@belexeuli/tmp/repo/my-hello my-hello <password> requesting all changes adding changesets ....... $ hg clone my-hello my-hello-share updating to branch default 2 files updated, 0 files merged, 0 files removed, 0 files unresolved $ cd my-hello-share $ hg -q tip 1:82e55d328c8c $ cd my-hello-new-output $ edit hello.c [1] 18727 $ hg st M hello.c $ hg diff diff -r 82e55d328c8c hello.c --- a/hello.c Fri Aug 26 01:21:28 2005 -0700 +++ b/hello.c Thu May 12 15:16:26 2016 +0100 
@@ -12,5 +12,6 @@ int main(int argc, char **argv) { printf("hello, world!\n"); + printf( "This one is easy but time consuming\n" ); return 0; } $ hg revert hello.c [lcl@belexeuli my-hello-new-output]$ hg st ? hello.c.orig $ mv hello.c.orig hello.c $ hg st M hello.c // 'check in' editor $ hg ci Having a grumble HG: Enter commit message. Lines beginning with 'HG:' are removed. HG: Leave message empty to abort commit. HG: HG: user: Len Lawrence <tarazed25@gmail.com> HG: branch 'default' HG: changed hello.c $ hg par changeset: 2:df085f900c01 tag: tip user: Len Lawrence <tarazed25@gmail.com> date: Thu May 12 15:28:40 2016 +0100 summary: Having a grumble $ cd ../my-hello-share $ hg pull ../my-hello-new-output pulling from ../my-hello-new-output searching for changes adding changesets adding manifests adding file changes added 1 changesets with 1 changes to 1 files (run 'hg update' to get a working copy) $ hg up 1 files updated, 0 files merged, 0 files removed, 0 files unresolved $ hg pull ../my-hello-new-output pulling from ../my-hello-new-output searching for changes no changes found $ hg push ../my-hello-new-output pushing to ../my-hello-new-output searching for changes no changes found // Now export the changeset $ hg export tip # HG changeset patch # User Len Lawrence <tarazed25@gmail.com> # Date 1463063320 -3600 # Thu May 12 15:28:40 2016 +0100 # Node ID df085f900c01d643d6cf205507869d6bcec6dcf2 # Parent 82e55d328c8ca4ee16520036c0aaace03a5beb65 Having a grumble diff -r 82e55d328c8c -r df085f900c01 hello.c --- a/hello.c Fri Aug 26 01:21:28 2005 -0700 +++ b/hello.c Thu May 12 15:28:40 2016 +0100 @@ -12,5 +12,6 @@ int main(int argc, char **argv) { printf("hello, world!\n"); + printf( "This one is easy but time consuming\n" ); return 0; } I reckon this is enough for validation. Everything works as expected.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
If it is important to test this for i586 I can load it into my vbox and clone a repository from a 64-bit machine on the LAN. It will have to wait though.
We'll validate most things with one arch tested, Len, to keep updates moving. Ones which we need to be more cautious with are hardware related or anything low level and intrinsic to the system, e.g. rpm.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0172.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED