Bug 22895 - mercurial new security issues CVE-2018-1000132 and CVE-2018-1334[6-8]
Summary: mercurial new security issues CVE-2018-1000132 and CVE-2018-1334[6-8]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-64-OK MGA5-32-OK MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-04-11 23:58 CEST by David Walser
Modified: 2018-08-31 23:13 CEST (History)
6 users

See Also:
Source RPM: mercurial-4.4.2-1.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 4.6.1



Description David Walser 2018-04-11 23:58:11 CEST
openSUSE has issued an advisory today (April 11):
https://lists.opensuse.org/opensuse-updates/2018-04/msg00021.html

The issue was fixed upstream in 4.5.2:
https://www.mercurial-scm.org/wiki/WhatsNew

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-04-11 23:58:17 CEST

Whiteboard: (none) => MGA6TOO

David Walser 2018-05-04 08:29:43 CEST

Status comment: (none) => Fixed upstream in 4.5.2

Comment 1 David Walser 2018-07-19 15:58:02 CEST
Mercurial 4.6.1, released on June 6, fixes three new security issues.

4.6.2 is the newest bugfix release.

SUSE has issued an advisory for this today (July 19):
http://lists.suse.com/pipermail/sle-security-updates/2018-July/004284.html

Summary: mercurial new security issue CVE-2018-1000132 => mercurial new security issues CVE-2018-1000132 and CVE-2018-1334[6-8]
Status comment: Fixed upstream in 4.5.2 => Fixed upstream in 4.6.1

Comment 2 David Walser 2018-07-20 18:44:39 CEST
openSUSE has issued an advisory for the new issues today (July 20):
https://lists.opensuse.org/opensuse-updates/2018-07/msg00057.html
Comment 3 Philippe Makowski 2018-08-25 12:19:03 CEST
Cauldron, 5 and 6 updated to mercurial-4.6.2-1

CC: (none) => makowski.mageia

Comment 4 David Walser 2018-08-26 21:20:50 CEST
Advisory to come later.  Package list below.

mercurial-4.6.2-1.mga5
mercurial-4.6.2-1.mga6

from SRPMS:
mercurial-4.6.2-1.mga5.src.rpm
mercurial-4.6.2-1.mga6.src.rpm

Whiteboard: MGA6TOO => MGA5TOO
Version: Cauldron => 6
Assignee: python => qa-bugs

Comment 5 Len Lawrence 2018-08-27 14:09:22 CEST
Mageia 6, x86_64

CVE-2018-1334{6,7,8}
Reading posts on the backtrail indicates that there are no known exploits yet and that the software is still being analysed.

The package updated cleanly.

Tutorial: https://www.mercurial-scm.org/wiki/QuickStart

$ hg version
Mercurial Distributed SCM (version 4.6.2)
Created project directory
$ mkdir qa/hg
$ cd qa/hg
$ hg init
$ ls -a .hg
./  ../  00changelog.i  requires  store/

Clone a public repository.  This takes a few minutes.
$ hg clone http://selenic.com/hg mercurial-repo
real URL is https://www.mercurial-scm.org/repo/hg/
requesting all changes
adding changesets
adding manifests
adding file changes
added 39229 changesets with 73900 changes to 3096 files (+1 heads)
new changesets 9117c6561b0b:66f046116105
updating to bookmark @
1741 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ ls
00changelog.i  mercurial-repo/  requires  store/
$ cd mercurial-repo
$ ls
contrib/      COPYING  hgdemandimport/  hgext3rd/   Makefile    rust/
CONTRIBUTING  doc/     hgeditor*        hgweb.cgi*  mercurial/  setup.py
CONTRIBUTORS  hg*      hgext/           i18n/       README.rst  tests/
$ du -hs
102M	.

mercurial-repo has its own .ignore file.  Made a backup of that and overwrote the original with the .ignore file from the tutorial.  Then:
$ hg sum
parent: 39228:66f046116105 tip
 cext: fix truncation warnings in revlog on Windows
branch: default
bookmarks: *@
commit: 1 modified
update: (current)

I guess that is OK.

$ hg add
Does not find any ignored files.
$ hg parents
changeset:   39228:66f046116105
bookmark:    @
tag:         tip
user:        Matt Harbison <matt_harbison@yahoo.com>
date:        Tue Aug 21 21:05:15 2018 -0400
summary:     cext: fix truncation warnings in revlog on Windows

$ hg help
Mercurial Distributed SCM
list of commands:
 add           add the specified files on the next commit
 addremove     add all new files, delete all missing files
[...]

Things start to get a bit complicated after that so leaving it there.
Further help at https://www.mercurial-scm.org/wiki/BeginnersGuides
Highly recommended for people who might want to use it as a development environment.  The notion to hold on to is that mercurial lacks anything like a central repository - it is completely decentralized which gives user freedom to define the shape of their system.

As far as I can see the updated system works for 64-bits.

CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 6 Len Lawrence 2018-08-27 17:41:53 CEST
Poked this a bit more.
Created a valid repository on another machine on the LAN.
Starting from ~/qa/hg on the user's machine:
$ hg init
$ hg clone ssh://lcl@vega/repo paddb
Password: 
requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 93 changes to 93 files
new changesets 45acdf9785db
updating to branch default
93 files updated, 0 files merged, 0 files removed, 0 files unresolved
[lcl@difda hg]$ ls -a
./  ../  .hg/  paddb/
$ cd paddb
$ ls paddb
addresses              gui.rb*           paddb.current*    selectfont
addresses.bak          gui.rb~*          paddb.rb*         setup.rb*
addresses.rb           imagefactory.rb*  paddb.rb~*        setup-safe.rb*
[...]

$ cd paddb
$ purge
rm: cannot remove '*%': No such file or directory
rm: cannot remove '.*%': No such file or directory
rm: cannot remove '%*': No such file or directory
rm: cannot remove '.*%*': No such file or directory
rm: remove regular file 'gui.rb~'? y
rm: remove regular file 'newpatterns.rb~'? y
rm: remove regular file 'paddb.rb~'? y
rm: remove regular file 'paddbsetup.rb~'? y
rm: remove regular file 'postscript.rb~'? y
rm: cannot remove '.*~': No such file or directory
$ hg commit
nothing changed (5 missing files, see 'hg status')

That is consistent.

$ hg log
changeset:   0:45acdf9785db
tag:         tip
user:        Len Lawrence <email address>
date:        Mon Aug 27 16:06:43 2018 +0100
summary:     Initial version of paddb

The verbose version (-v) gives you a full list of the files in the repository and --debug supplies a little more.
Comment 7 Herman Viaene 2018-08-28 14:26:37 CEST
MGA5-32 on Dell Latitude D600 Xfce
No installation issues overwriting a previous version.
at CLI:
$ hg config --edit
could edit username <emailaddress>
but 
hg clone https://bitbucket.org/jthlim/pvrtccompressor
as per bug 22171 Comment 8 or
$ hg clone http://selenic.com/hg
as per Comment 5 above
both give ssl certificate verify failed

David Walser (on private e-mail) told me to OK MGA-5 updates on clean install, so I don't intend to investigate this ssl issue.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-32-OK

Comment 8 Thomas Andrews 2018-08-29 03:27:23 CEST
MGA5-64 KDE4 on real hardware, Athlon X2 7750, 8GB RAM, nvidia340 graphics, Atheros wifi.

I did not have this package installed, so this was not an update, but an install. Package installed cleanly. I did not go farther than that, but because of what David Walser told Herman Viaene, I am giving this a MGA5 OK.

CC: (none) => andrewsfarm
Whiteboard: MGA5TOO MGA6-64-OK MGA5-32-OK => MGA5TOO MGA6-64-OK MGA5-32-OK MGA5-64-OK

Comment 9 Thomas Andrews 2018-08-29 03:29:41 CEST
Validating, on the basis of one MGA6 OK and two MGA5 OKs.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Thomas Backlund 2018-08-31 19:32:10 CEST
advisory, added to svn:


type: security
subject: Updated mercurial packages fix security vulnerabilities
CVE:
 - CVE-2018-13346
 - CVE-2018-13347
 - CVE-2018-13348
 - CVE-2018-1000132
src:
  5:
   core:
     - mercurial-4.6.2-1.mga5
  6:
   core:
     - mercurial-4.6.2-1.mga5
description: |
  This update provides mercurial version 4.6.2 and fixes the following
  security issues:
 
  Fix the mpatch_apply function in mpatch.c that incorrectly proceeds in
  cases where the fragment start is past the end of the original data
  (CVE-2018-13346).

  Fix mpatch.c that mishandles integer addition and subtraction
  (CVE-2018-13347).

  Fix the mpatch_decode function in mpatch.c that mishandles certain
  situations where there should be at least 12 bytes remaining after
  the current position in the patch data (CVE-2018-13348).

  Remote attackers may bypass HTTP server permissions via batch wire
  protocol commands (CVE-2018-1000132).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=22895
 - https://lists.opensuse.org/opensuse-updates/2018-04/msg00021.html
 - https://lists.opensuse.org/opensuse-updates/2018-07/msg00057.html

CC: (none) => tmb
Keywords: (none) => advisory
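
An added illustration of the three mpatch checks the advisory describes (partial hunk header, overflow-prone length arithmetic, hunk start past the end of the original). This is not Mercurial's mpatch.c and not part of the advisory; it is a hardened delta applier written against the bdiff/mpatch hunk layout (big-endian 32-bit start, end, len, then len bytes of replacement data), and the sample original and delta are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* mpatch hunk headers are three 32-bit big-endian fields: start, end, len. */
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Apply a bdiff/mpatch-style delta to orig, writing the result to out.
 * Returns the output length, or -1 if the delta is malformed. Each
 * rejection is the class of check the advisory above describes. */
long apply_delta(const uint8_t *orig, size_t olen,
                 const uint8_t *delta, size_t dlen,
                 uint8_t *out, size_t outcap)
{
    size_t pos = 0, last = 0, outlen = 0;
    while (pos < dlen) {
        /* CVE-2018-13348 class: a header needs 12 bytes; reject a partial one */
        if (dlen - pos < 12) return -1;
        uint32_t start = rd32(delta + pos), end = rd32(delta + pos + 4);
        uint32_t len = rd32(delta + pos + 8);
        pos += 12;
        /* CVE-2018-13347 class: compare against remaining space, never pos+len */
        if (len > dlen - pos) return -1;
        /* CVE-2018-13346 class: hunk must be inside orig, ordered, non-overlapping */
        if (start < last || start > end || end > olen) return -1;
        size_t keep = start - last;                /* unchanged bytes before the hunk */
        if (keep > outcap - outlen || len > outcap - outlen - keep) return -1;
        memcpy(out + outlen, orig + last, keep);
        memcpy(out + outlen + keep, delta + pos, len);
        outlen += keep + len;
        pos += len;
        last = end;
    }
    if (olen - last > outcap - outlen) return -1;   /* trailing unchanged bytes */
    memcpy(out + outlen, orig + last, olen - last);
    return (long)(outlen + olen - last);
}

/* Constructed sample: replace "hello" with "HOWDY" and "world" with "you". */
const uint8_t sample_orig[] = "hello world";
const uint8_t sample_delta[] = {
    0,0,0,0, 0,0,0,5, 0,0,0,5, 'H','O','W','D','Y',
    0,0,0,6, 0,0,0,11, 0,0,0,3, 'y','o','u' };
```

Passing a truncated delta (say 11 or 14 bytes of the sample) or a shorter original (olen of 3) makes the function return -1 instead of reading past a buffer, which is the behaviour the three mpatch fixes restore.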

Comment 11 Mageia Robot 2018-08-31 23:13:05 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0355.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
