Bug 25291 - mercurial new security issue CVE-2019-3902
Summary: mercurial new security issue CVE-2019-3902
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA7-64-OK
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-12 02:06 CEST by David Walser
Modified: 2019-08-15 12:10 CEST
CC: 2 users

See Also:
Source RPM: mercurial-4.7.2-1.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 4.9


Description David Walser 2019-08-12 02:06:15 CEST
Ubuntu has issued an advisory on August 6:
https://usn.ubuntu.com/4086-1/

The issue is fixed upstream in 4.9.

Mageia 6 and Mageia 7 are also affected.
David Walser 2019-08-12 02:06:27 CEST

Status comment: (none) => Fixed upstream in 4.9
Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 David Walser 2019-08-12 15:38:43 CEST
Shlomi, I see you updated Mageia 7 to 4.9.1.  Cauldron still has 4.7.2, and Mageia 6 also needs an update.

mercurial-4.9.1-1.mga7
Comment 2 Shlomi Fish 2019-08-12 21:01:17 CEST
(In reply to David Walser from comment #1)
> Shlomi, I see you updated Mageia 7 to 4.9.1.  Cauldron still has 4.7.2, and
> Mageia 6 also needs an update.
> 
> mercurial-4.9.1-1.mga7

Cauldron is now on hg 5.1.
Comment 3 David Walser 2019-08-12 21:35:30 CEST
(In reply to Shlomi Fish from comment #2)
> (In reply to David Walser from comment #1)
> > Shlomi, I see you updated Mageia 7 to 4.9.1.  Cauldron still has 4.7.2, and
> > Mageia 6 also needs an update.
> > 
> > mercurial-4.9.1-1.mga7
> 
> Cauldron is now on hg 5.1.

Are you sure it actually built?  Sophie sees a SRPM for 5.1 but only sees 4.7.2 for binary RPMS.

(note to self, Shlomi updated Mageia 6: mercurial-4.9.1-1.mga6 )
Comment 4 David Walser 2019-08-12 21:36:21 CEST
Oh I see 5.1 on pkgsubmit.  Sophie is slow.  Thanks.

Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Version: Cauldron => 7

Comment 5 David Walser 2019-08-12 21:41:15 CEST
Advisory:
========================

Updated mercurial package fixes security vulnerability:

It was discovered that Mercurial mishandled symlinks in subrepositories. An
attacker could use this vulnerability to write arbitrary files to the target’s
filesystem (CVE-2019-3902).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3902
https://usn.ubuntu.com/4086-1/
========================

Updated packages in core/updates_testing:
========================
mercurial-4.9.1-1.mga6
mercurial-4.9.1-1.mga7

from SRPMS:
mercurial-4.9.1-1.mga6.src.rpm
mercurial-4.9.1-1.mga7.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

Comment 6 PC LX 2019-08-15 12:10:24 CEST
Installed and tested without issues.

Tested on several existing and new, remote and local repositories.
Tests included init, clone, pull, push, status, verify, add, commit, summary, etc.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.1.20-desktop-2.mga7 #1 SMP Fri Jul 26 23:04:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q mercurial
mercurial-4.9.1-1.mga7

CC: (none) => mageia
Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
