
Bug 636704 (CVE-2017-17458)

Summary: <dev-vcs/mercurial-4.5.2: arbitrary command execution in mercurial repo with a git submodule
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: glsamaker, polynomial-c
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1509868
Whiteboard: B4 [noglsa cve]
Package list: dev-vcs/mercurial-4.5.2
Runtime testing required: No

Description Agostino Sarubbo gentoo-dev 2017-11-06 16:38:39 UTC
From ${URL} :

A vulnerability in Mercurial's handling of subrepositories was reported on the Mercurial Project's *public* bug tracker.

The vulnerability results in arbitrary code execution during `hg clone` or `hg pull` + `hg update` if a well-crafted repository is cloned or pulled from. The vulnerability is known to occur with Git subrepositories. But it can also possibly occur with other subrepository types. The vulnerability likely impacts Mercurial versions released for the past several years.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-12-10 16:51:46 UTC
*** Bug 640560 has been marked as a duplicate of this bug. ***
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-03-25 18:22:58 UTC
Mitigation is to disable sub-repos and only clone trusted repos which would be considered hardening. Mercurial has made this a default option accordingly for their users and the fix is present in 4.5.2 (older versions not checked). Thus, the bug has been downgraded to B4.

GLSA Vote: No

@hppa, please stabilize.
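The mitigation named in comment 2, as an added hgrc example that is not part of this bug report or of the Mercurial project: Mercurial 4.5.2 introduced the `[subrepos]` section, and the fragment below shows the weak setting (a user re-enabling Git subrepositories) next to the hardened one that makes `hg clone` and `hg update` abort instead of recursing into any subrepository of an untrusted repo. The file paths are the usual system-wide and per-user locations and are assumptions about the local install.

```ini
# /etc/mercurial/hgrc (system-wide) or ~/.hgrc (per user), Mercurial >= 4.5.2.
# Releases before 4.5.2 ignore this section entirely, so the package bump
# is still required; the configuration only hardens a fixed version further.
#
# Defaults since 4.5.2: allowed = true, hg:allowed = true,
# git:allowed = false, svn:allowed = false.
#
# Weak: a user who re-enabled Git subrepositories, which is the setting the
# vulnerable behaviour depends on. Do not ship this.
#   [subrepos]
#   git:allowed = true
#
# Hardened: refuse every subrepository type. `allowed = false` alone is
# sufficient; the per-type keys are listed so the intent survives if someone
# later flips `allowed` back on.
[subrepos]
allowed = false
hg:allowed = false
git:allowed = false
svn:allowed = false
```

Verify the effective values with `hg config subrepos`, which prints each key with the file it was read from.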
Comment 3 Matt Turner gentoo-dev 2018-04-22 21:06:17 UTC
hppa stable
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2018-04-22 21:35:57 UTC
Cleanup will be in bug 649872