Bug 239055 (CVE-2008-4297)

Summary: dev-util/mercurial <1.0.2 hgweb "allowpull" file disclosure (CVE-2008-4297)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: fmccor, nelchael, python
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.selenic.com/mercurial/wiki/index.cgi/WhatsNew#head-905b8adb3420a77d92617e06590055bd8952e02b
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 239537
Bug Blocks:
Attachments:
Description                  Flags
ppc and ppc64 test failures  none
mercurial-1.0.2.ebuild       none

Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-29 14:56:08 UTC
CVE-2008-4297 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4297):
  Mercurial before 1.0.2 does not enforce the allowpull permission
  setting for a pull operation from hgweb, which allows remote
  attackers to read arbitrary files from a repository via an "hg pull"
  request.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-09-29 15:04:23 UTC
Is 1.0.2 ready for stable?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-03 15:32:24 UTC
Arches, please test and mark stable:
=dev-util/mercurial-1.0.2
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"
Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-03 19:31:30 UTC
1.0.2 has dev-python/pygments as a dependency. Python team, are we allowed to mark this package stable?
Comment 4 Jesus Rivero (RETIRED) gentoo-dev 2008-10-04 14:02:44 UTC
Hello,

I have filed a stablereq on dev-python/pygments-0.10 and added it as a dep for this bug.

Best regards,
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-04 15:37:49 UTC
Thanks!

amd64 stable
Comment 6 Brent Baude (RETIRED) gentoo-dev 2008-10-04 16:20:06 UTC
Created attachment 167180 [details]
ppc and ppc64 test failures
Comment 7 Brent Baude (RETIRED) gentoo-dev 2008-10-04 16:20:47 UTC
Anyone else seeing test failures like this? Same for me on both ppc and ppc64.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 16:58:21 UTC
Created attachment 167191 [details]
mercurial-1.0.2.ebuild

Brent, it seems these are the failures from bug 231280 and introduced by 1.0.1-r3. Does it work with this ebuild?
Comment 9 Markus Meier gentoo-dev 2008-10-04 17:27:23 UTC
(In reply to comment #8)
> Created an attachment (id=167191) [edit]
> mercurial-1.0.2.ebuild
> 
> Brent, it seems these are the failures from bug 231280 and introduced by
> 1.0.1-r3. Does it work with this ebuild?

Looks good on amd64/x86, no more test failures.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 17:47:52 UTC
Updated the ebuild then; I left the keywords (and lack thereof) intact.
Comment 11 Brent Baude (RETIRED) gentoo-dev 2008-10-04 18:22:37 UTC
ppc and ppc64 stable on -1.0.2 now. All tests passed fine.
Comment 12 Ferris McCormick (RETIRED) gentoo-dev 2008-10-04 20:01:39 UTC
Sparc stable. All tests fine, although one is skipped:

Skipped test-no-symlinks: system supports symbolic links

The comment is correct, so I suppose that this is expected.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2008-10-05 10:45:55 UTC
alpha/ia64/x86 stable
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-10-09 21:48:45 UTC
Time for GLSA decision. I'd go for a NO here since the impact is rather low IMHO.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-10-09 22:23:24 UTC
NO, impact is limited to secret files in repository. Seriously, who puts them in a public repo anyway? :-)