
Bug 621068 (CVE-2017-9462)

Summary: <dev-vcs/mercurial-4.1.3: arbitrary code execution through python debugger
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: chrisadr, djc, polynomial-c
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499
See Also: https://bugs.debian.org/861243
Whiteboard: C0 [glsa cve]
Package list: dev-vcs/mercurial-4.2
Runtime testing required: ---
Bug Depends on: 621280
Bug Blocks:

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-06 19:07:58 UTC
This is somewhat of a specific attack vector, and I'm not sure to what extent it is widely deployed, but we likely want to stabilize >=4.1.3. Anyway, useful for tracking purposes:

From debian bug:
Dear Maintainer,

All versions of Mercurial prior to 4.1.3 have a bug in
'hg serve --stdio' which can allow remote users access to the Python
debugger, from where they have nearly complete access to the local
system.  For systems serving Mercurial repositories via ssh, this
could allow unauthorized access to the serving account.

Some details in commit in $URL
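The report above gives one actionable fact for an administrator: any Mercurial older than 4.1.3 exposed over `hg serve --stdio` (typically via ssh) is affected. The check below is an added example, not part of this bug or of the Mercurial project; it parses the first line of `hg version` output (`Mercurial Distributed SCM (version X.Y.Z)`) and compares the version as an integer tuple against the fix threshold, so that "4.2" is correctly treated as newer than "4.1.3" (a plain string comparison would not be safe for multi-digit components). The host names and banners in `SAMPLE_BANNERS` are constructed sample data, and the `audit()` helper is an assumed name for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# First release carrying the fix, per the Debian report quoted in this bug.
FIXED_VERSION: Tuple[int, int, int] = (4, 1, 3)

# Constructed sample `hg version` banners, one per hypothetical host; not
# captured from real systems.
SAMPLE_BANNERS: Dict[str, str] = {
    "hgbox01": "Mercurial Distributed SCM (version 4.0.2)\n"
               "(see https://mercurial-scm.org for more information)\n",
    "hgbox02": "Mercurial Distributed SCM (version 4.1.3)\n"
               "(see https://mercurial-scm.org for more information)\n",
    "hgbox03": "Mercurial Distributed SCM (version 4.2)\n"
               "(see https://mercurial-scm.org for more information)\n",
    "hgbox04": "bash: hg: command not found\n",
}

_VERSION_RE = re.compile(r"\(version\s+(\d+(?:\.\d+)*)")


def parse_hg_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract the dotted numeric version from `hg version` output.

    Only the leading integer components are used, so a local build tag such
    as '4.1.3+20170606' or a pre-release suffix is ignored (assumption: such
    suffixes never lower the base version). Returns None when no version
    banner is present, e.g. hg is not installed.
    """
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True if the version predates the fix.

    Pads short versions so that (4, 2) compares as (4, 2, 0); tuple
    comparison avoids the lexicographic trap of comparing version strings.
    """
    padded = tuple(version) + (0,) * (len(FIXED_VERSION) - len(version))
    return padded < FIXED_VERSION


def audit(banners: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'vulnerable', 'fixed' or 'unknown'."""
    result = {}
    for host, banner in banners.items():
        version = parse_hg_version(banner)
        if version is None:
            result[host] = "unknown"
        else:
            result[host] = "vulnerable" if is_vulnerable(version) else "fixed"
    return result


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_BANNERS).items()):
        print(f"{host}: {status}")
```

In practice the banners would come from running `hg version` on each repository server (for example over the same ssh accounts that serve repositories); hosts reported as "unknown" should be inspected by hand rather than assumed safe.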
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2017-06-09 11:28:11 UTC
Filed bug 621280 earlier, let's use that?
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-09 12:13:46 UTC
(In reply to Dirkjan Ochtman from comment #1)
> Filed bug 621280 earlier, let's use that?

No problem using that for stabilization; updated this bug to reflect it
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-09 12:21:06 UTC
(In reply to Dirkjan Ochtman from comment #1)
> Filed bug 621280 earlier, let's use that?

In general this isn't a problem. But sometimes overloaded arch teams will ignore non-security stabilization requests. I assigned the bug to security@, let's see if this will work.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-07-21 13:39:54 UTC
*** Bug 624726 has been marked as a duplicate of this bug. ***
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-07-21 13:42:22 UTC
@ Arches,

please continue stabilization of =dev-vcs/mercurial-4.2!
Comment 6 Markus Meier gentoo-dev 2017-07-25 18:50:37 UTC
arm stable
Comment 7 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-19 02:14:33 UTC
GLSA Request filed.

Cleanup from versions prior to 4.3 will occur in bug 627484.

Gentoo Security Padawan
ChrisADR
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2017-09-24 15:48:21 UTC
This issue was resolved and addressed in
 GLSA 201709-18 at https://security.gentoo.org/glsa/201709-18
by GLSA coordinator Aaron Bauman (b-man).