Bug 22895 - mercurial new security issues CVE-2018-1000132 and CVE-2018-1334[6-8]
Summary: mercurial new security issues CVE-2018-1000132 and CVE-2018-1334[6-8]
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5TOO MGA6-64-OK MGA5-32-OK MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2018-04-11 23:58 CEST by David Walser
Modified: 2018-08-31 23:13 CEST (History)
CC List: 6 users

See Also:
Source RPM: mercurial-4.4.2-1.mga7.src.rpm
Status comment: Fixed upstream in 4.6.1


Description David Walser 2018-04-11 23:58:11 CEST
openSUSE has issued an advisory today (April 11):

The issue was fixed upstream in 4.5.2:

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-04-11 23:58:17 CEST

Whiteboard: (none) => MGA6TOO

David Walser 2018-05-04 08:29:43 CEST

Status comment: (none) => Fixed upstream in 4.5.2

Comment 1 David Walser 2018-07-19 15:58:02 CEST
Mercurial 4.6.1, released on June 6, fixes three new security issues.

4.6.2 is the newest bugfix release.

SUSE has issued an advisory for this today (July 19):

Summary: mercurial new security issue CVE-2018-1000132 => mercurial new security issues CVE-2018-1000132 and CVE-2018-1334[6-8]
Status comment: Fixed upstream in 4.5.2 => Fixed upstream in 4.6.1

Comment 2 David Walser 2018-07-20 18:44:39 CEST
openSUSE has issued an advisory for the new issues today (July 20):

Comment 3 Philippe Makowski 2018-08-25 12:19:03 CEST
Cauldron, 5 and 6 updated to mercurial-4.6.2-1

CC: (none) => makowski.mageia

Comment 4 David Walser 2018-08-26 21:20:50 CEST
Advisory to come later.  Package list below.


from SRPMS:

Whiteboard: MGA6TOO => MGA5TOO
Version: Cauldron => 6
Assignee: python => qa-bugs

Comment 5 Len Lawrence 2018-08-27 14:09:22 CEST
Mageia 6, x86_64

Reading posts on the backtrail indicates that there are no known exploits yet and that the software is still being analysed.

The package updated cleanly.

Tutorial: https://www.mercurial-scm.org/wiki/QuickStart

$ hg version
Mercurial Distributed SCM (version 4.6.2)
Created project directory
$ mkdir qa/hg
$ cd qa/hg
$ hg init
$ ls -a .hg
./  ../  00changelog.i  requires  store/

Clone a public repository.  This takes a few minutes.
$ hg clone http://selenic.com/hg mercurial-repo
real URL is https://www.mercurial-scm.org/repo/hg/
requesting all changes
adding changesets
adding manifests
adding file changes
added 39229 changesets with 73900 changes to 3096 files (+1 heads)
new changesets 9117c6561b0b:66f046116105
updating to bookmark @
1741 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ ls
00changelog.i  mercurial-repo/  requires  store/
$ cd mercurial-repo
$ ls
contrib/      COPYING  hgdemandimport/  hgext3rd/   Makefile    rust/
CONTRIBUTING  doc/     hgeditor*        hgweb.cgi*  mercurial/  setup.py
CONTRIBUTORS  hg*      hgext/           i18n/       README.rst  tests/
$ du -hs
102M	.

mercurial-repo has its own .ignore file.  Made a backup of that and overwrote the original with the .ignore file from the tutorial.  Then:
$ hg sum
parent: 39228:66f046116105 tip
 cext: fix truncation warnings in revlog on Windows
branch: default
bookmarks: *@
commit: 1 modified
update: (current)

I guess that is OK.

$ hg add
Does not find any ignored files.
$ hg parents
changeset:   39228:66f046116105
bookmark:    @
tag:         tip
user:        Matt Harbison <matt_harbison@yahoo.com>
date:        Tue Aug 21 21:05:15 2018 -0400
summary:     cext: fix truncation warnings in revlog on Windows

$ hg help
Mercurial Distributed SCM
list of commands:
 add           add the specified files on the next commit
 addremove     add all new files, delete all missing files

Things start to get a bit complicated after that so leaving it there.
Further help at https://www.mercurial-scm.org/wiki/BeginnersGuides
Highly recommended for people who might want to use it as a development environment.  The notion to hold on to is that mercurial lacks anything like a central repository - it is completely decentralized, which gives users freedom to define the shape of their system.

As far as I can see the updated system works for 64-bits.

CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 6 Len Lawrence 2018-08-27 17:41:53 CEST
Poked this a bit more.
Created a valid repository on another machine on the LAN.
Starting from ~/qa/hg on the user's machine:
$ hg init
$ hg clone ssh://lcl@vega/repo paddb
requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 93 changes to 93 files
new changesets 45acdf9785db
updating to branch default
93 files updated, 0 files merged, 0 files removed, 0 files unresolved
[lcl@difda hg]$ ls -a
./  ../  .hg/  paddb/
$ cd paddb
$ ls paddb
addresses              gui.rb*           paddb.current*    selectfont
addresses.bak          gui.rb~*          paddb.rb*         setup.rb*
addresses.rb           imagefactory.rb*  paddb.rb~*        setup-safe.rb*

$ cd paddb
$ purge
rm: cannot remove '*%': No such file or directory
rm: cannot remove '.*%': No such file or directory
rm: cannot remove '%*': No such file or directory
rm: cannot remove '.*%*': No such file or directory
rm: remove regular file 'gui.rb~'? y
rm: remove regular file 'newpatterns.rb~'? y
rm: remove regular file 'paddb.rb~'? y
rm: remove regular file 'paddbsetup.rb~'? y
rm: remove regular file 'postscript.rb~'? y
rm: cannot remove '.*~': No such file or directory
$ hg commit
nothing changed (5 missing files, see 'hg status')

That is consistent.

$ hg log
changeset:   0:45acdf9785db
tag:         tip
user:        Len Lawrence <email address>
date:        Mon Aug 27 16:06:43 2018 +0100
summary:     Initial version of paddb

The verbose version (-v) gives you a full list of the files in the repository and --debug supplies a little more.
Comment 7 Herman Viaene 2018-08-28 14:26:37 CEST
MGA5-32 on Dell Latitude D600 Xfce
No installation issues overwriting a previous version.
at CLI:
$ hg config --edit
could edit username <emailaddress>
hg clone https://bitbucket.org/jthlim/pvrtccompressor
as per bug 22171 Comment 8 or
$ hg clone http://selenic.com/hg
as per Comment 5 above
both give ssl certificate verify failed

David Walser (on private e-mail) told me to OK MGA-5 updates on clean install, so I don't intend to investigate this ssl issue.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-32-OK

Comment 8 Thomas Andrews 2018-08-29 03:27:23 CEST
MGA5-64 KDE4 on real hardware, Athlon X2 7750, 8GB RAM, nvidia340 graphics, Atheros wifi.

I did not have this package installed, so this was not an update, but an install. Package installed cleanly. I did not go farther than that, but because of what David Walser told Herman Viaene, I am giving this a MGA5 OK.

CC: (none) => andrewsfarm
Whiteboard: MGA5TOO MGA6-64-OK MGA5-32-OK => MGA5TOO MGA6-64-OK MGA5-32-OK MGA5-64-OK

Comment 9 Thomas Andrews 2018-08-29 03:29:41 CEST
Validating, on the basis of one MGA6 OK and two MGA5 OKs.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Thomas Backlund 2018-08-31 19:32:10 CEST
advisory, added to svn:

type: security
subject: Updated mercurial packages fix security vulnerabilities
 - CVE-2018-13346
 - CVE-2018-13347
 - CVE-2018-13348
 - CVE-2018-1000132
     - mercurial-4.6.2-1.mga5
     - mercurial-4.6.2-1.mga5
description: |
  This update provides mercurial version 4.6.2 and fixes the following
  security issues:
  Fix the mpatch_apply function in mpatch.c that incorrectly proceeds in
  cases where the fragment start is past the end of the original data

  Fix mpatch.c that mishandles integer addition and subtraction

  Fix the mpatch_decode function in mpatch.c that mishandles certain
  situations where there should be at least 12 bytes remaining after
  the current position in the patch data (CVE-2018-13348).

  Remote attackers may bypass HTTP server permissions via batch wire
  protocol commands (CVE-2018-1000132).
 - https://bugs.mageia.org/show_bug.cgi?id=22895
 - https://lists.opensuse.org/opensuse-updates/2018-04/msg00021.html
 - https://lists.opensuse.org/opensuse-updates/2018-07/msg00057.html

CC: (none) => tmb
Keywords: (none) => advisory
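As an added illustration of the three mpatch.c defects the advisory above names (a header with fewer than 12 bytes remaining, a fragment start past the end of the original data, and size arithmetic that can wrap), here is a hardened fragment-apply loop with those checks in place. This is example code written for this page, not code from Mercurial or from the advisory; it assumes only the public mpatch fragment layout (three big-endian 32-bit fields start, end, len followed by len data bytes), and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint32_t rd32(const unsigned char *p) {   /* big-endian 32-bit header field */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Apply (start, end, len, data) fragments to orig; returns the output length or -1
   for a malformed patch.  Bounds are checked by subtracting from a larger size, so no sum wraps. */
long apply_patch(const unsigned char *orig, size_t orig_len,
                 const unsigned char *patch, size_t patch_len,
                 unsigned char *out, size_t out_cap) {
    size_t pos = 0, last = 0, outlen = 0;
    while (pos < patch_len) {
        if (patch_len - pos < 12) return -1;          /* a header needs 12 bytes */
        uint32_t start = rd32(patch + pos), end = rd32(patch + pos + 4),
                 len = rd32(patch + pos + 8);
        pos += 12;
        if (start > end || end > orig_len || start < last) return -1; /* start past data / out of order */
        if (len > patch_len - pos) return -1;         /* fragment data truncated */
        size_t keep = start - last;                   /* unchanged bytes before the fragment */
        if (keep > out_cap - outlen || len > out_cap - outlen - keep) return -1;
        memcpy(out + outlen, orig + last, keep);
        memcpy(out + outlen + keep, patch + pos, len);
        outlen += keep + len;
        pos += len; last = end;
    }
    if (orig_len - last > out_cap - outlen) return -1;
    memcpy(out + outlen, orig + last, orig_len - last);
    return (long)(outlen + (orig_len - last));
}

/* Constructed sample inputs (not from the page): replace "world" with "there". */
static const unsigned char ORIG[] = "hello world";                       /* 11 bytes */
static const unsigned char GOOD[] = {0,0,0,6, 0,0,0,11, 0,0,0,5, 't','h','e','r','e'};
static const unsigned char BAD_START[] = {0,0,0,20, 0,0,0,25, 0,0,0,0};  /* start 20 > 11 */
static const unsigned char SHORT_HDR[] = {0,0,0,6, 0,0,0,11};            /* only 8 bytes */
/* Apply a patch to the sample original; returns the output length or -1. */
long demo_apply(const unsigned char *patch, size_t patch_len) {
    unsigned char out[64];
    return apply_patch(ORIG, 11, patch, patch_len, out, sizeof out);
}
/* 1 when the well-formed sample yields "hello there". */
int demo_good(void) {
    unsigned char out[64];
    return apply_patch(ORIG, 11, GOOD, sizeof GOOD, out, sizeof out) == 11
        && memcmp(out, "hello there", 11) == 0;
}
```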

Comment 11 Mageia Robot 2018-08-31 23:13:05 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
