
Bug 627484 (CVE-2017-1000115, CVE-2017-1000116)

Summary: <dev-vcs/mercurial-4.3: Multiple vulnerabilities
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Dirkjan Ochtman (RETIRED) <djc>
Assignee: Gentoo Security <security>
Severity: normal
Priority: Normal
CC: polynomial-c
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: Yes

Description Dirkjan Ochtman (RETIRED) gentoo-dev 2017-08-10 19:56:59 UTC

Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.


Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed. All three tools are doing their security release today.

Lars, since I was available and am an ex-Mercurial maintainer, I figured I could bump this for you real quick -- hope you don't mind.
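Added example, not Mercurial's code and not part of this bug report: the two checks below illustrate the two bug classes the description names. audit_path() refuses a working-copy write whose path has a symlink anywhere in its directory prefix or resolves outside the repository root, and ssh_argv() refuses a destination that ssh's option parser would read as an option such as -oProxyCommand=... (ProxyCommand is run through the user's shell, which is what makes the hostname a shell-injection vector). Function names, the allowed-hostname pattern, the constructed repository layout in demo() and the sample hostnames are all assumptions made for this example.

```python
"""Two input checks for a VCS that writes working-copy files and spawns ssh.

Added example, not Mercurial's own code. Function names, the hostname
pattern and the demo repository layout are assumptions for illustration.
"""
import os
import re
import shutil
import tempfile


def audit_path(repo_root, relpath):
    """Return True if relpath (a '/'-separated repository path) may be written.

    Rejects absolute paths, empty/'.'/'..' components, and any directory
    prefix that is a symlink (a write through it lands wherever the link
    points), then confirms the fully resolved target is still under repo_root.
    """
    if not relpath or relpath.startswith("/") or "\\" in relpath:
        return False
    parts = relpath.split("/")
    if any(p in ("", ".", "..") for p in parts):
        return False
    root = os.path.realpath(repo_root)
    # Every proper prefix of a/b/c, i.e. a and a/b, must not be a symlink.
    for i in range(1, len(parts)):
        if os.path.islink(os.path.join(root, *parts[:i])):
            return False
    target = os.path.realpath(os.path.join(root, *parts))
    return os.path.commonpath([root, target]) == root


# Assumed pattern: a DNS label/IPv4 host or bracketed IPv6 literal. The
# essential property is that the first character can never be '-'.
_HOST_RE = re.compile(r"^(?:[A-Za-z0-9][A-Za-z0-9._\-]*|\[[0-9A-Fa-f:.]+\])$")


def ssh_argv_unsafe(host, remote_cmd):
    """The vulnerable shape: the host goes straight into argv after 'ssh'."""
    return ["ssh", host, remote_cmd]


def ssh_argv(host, remote_cmd, user=None, port=None):
    """Build an ssh argv, refusing a destination ssh could parse as an option."""
    if not _HOST_RE.match(host):
        raise ValueError("potentially unsafe ssh host: %r" % (host,))
    if user is not None and not re.match(r"^[A-Za-z0-9_][A-Za-z0-9._\-]*$", user):
        raise ValueError("potentially unsafe ssh user: %r" % (user,))
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(int(port))]
    dest = host if user is None else "%s@%s" % (user, host)
    # '--' ends option parsing in OpenSSH's getopt-based parser; other ssh
    # clients may not honour it, so the pattern check above is the real control.
    argv += ["--", dest, remote_cmd]
    return argv


def demo():
    """Run both checks on constructed input and return the results."""
    results = {}
    # Constructed layout: repo/ok is a real directory; repo/escape is a
    # symlink to a directory outside the repository.
    base = tempfile.mkdtemp()
    try:
        repo = os.path.join(base, "repo")
        outside = os.path.join(base, "outside")
        os.makedirs(os.path.join(repo, "ok"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(repo, "escape"))
        results["plain_file"] = audit_path(repo, "ok/file.txt")
        results["through_symlink"] = audit_path(repo, "escape/authorized_keys")
        results["dotdot"] = audit_path(repo, "ok/../../outside/x")
        results["absolute"] = audit_path(repo, "/etc/passwd")
    finally:
        shutil.rmtree(base)

    evil = "-oProxyCommand=touch /tmp/pwned"  # constructed hostile hostname
    cmd = "hg -R repo serve --stdio"
    results["unsafe_argv"] = ssh_argv_unsafe(evil, cmd)
    results["safe_argv"] = ssh_argv("hg.example.org", cmd, user="hg")
    try:
        ssh_argv(evil, cmd)
        results["option_host_rejected"] = False
    except ValueError:
        results["option_host_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %r" % (key, value))
```

In the unsafe argv the hostile hostname sits at argv[1], exactly where ssh looks for options, so ProxyCommand runs before any connection is attempted; the hardened builder raises instead. The same check should be applied to the user part of user@host, since a leading '-' there produces the same argv.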
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2017-08-10 19:58:46 UTC
Version bump to 4.3 pushed.

commit 0a16ae3418799bb39ce9cc3f5bee848803e3e06a (HEAD -> master, origin/master, origin/HEAD)
Author: Dirkjan Ochtman <>
Date:   Thu Aug 10 21:57:21 2017 +0200

    dev-vcs/mercurial: version bump 4.3 with security issues (bug 627484)
    Package-Manager: Portage-2.3.6, Repoman-2.3.1
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-28 08:25:07 UTC
ia64 stable
Comment 3 Matt Turner gentoo-dev 2017-08-31 15:22:08 UTC
alpha stable
Comment 4 Matt Turner gentoo-dev 2017-09-01 18:45:23 UTC
ppc/ppc64 stable
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2017-09-04 21:36:32 UTC
amd64/x86 stable
Comment 6 Markus Meier gentoo-dev 2017-09-07 19:39:33 UTC
arm stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-10 20:33:52 UTC
stable for hppa (thanks to Dakon)
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2017-09-10 22:25:09 UTC
sparc was dropped to exp.
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-17 20:05:43 UTC
New GLSA request filed.

@Maintainer please proceed to clean the tree; it is your call to decide whether sparc is dropped when removing affected versions.

Gentoo Security Padawan
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-09-24 15:48:29 UTC
This issue was resolved and addressed in
 GLSA 201709-18 at
by GLSA coordinator Aaron Bauman (b-man).
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-09-24 15:49:01 UTC
re-opened for cleanup
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-08 19:22:49 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 13 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-08 21:12:46 UTC
Thank you all.

@Maintainer please clean up the tree.

Gentoo Security Padawan