| Summary: | <dev-vcs/mercurial-4.5.2: HTTP server permissions bypass | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Lars Wendler (Polynomial-C) (RETIRED) <polynomial-c> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | polynomial-c |
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29 | ||
| Whiteboard: | B3 [noglsa cve] | ||
| Package list: |
=dev-vcs/mercurial-4.5.2
|
Runtime testing required: | --- |
arm64 has no stable keywords on this package, so no idea why we were CCed. unCCing. ia64 stable commit bb4eabfa3e51cee83f091cdcf8773a6d361c2be8 Author: Rolf Eike Beer <eike@sf-mail.de> Date: Thu Mar 8 18:32:34 2018 +0100 dev-vcs/mercurial: stable 4.5.2 for sparc, bug #649872 amd64 stable x86 stable, ignored test failures, see https://bugs.gentoo.org/608720#c5 ppc/ppc64 stable Really unhappy about awful test suite. Takes hours and then fails. arm stable alpha stable hppa stable GLSA Vote: No @maintainer, please clean vulnerable |
Quote from release notes: All versions of Mercurial prior to 4.5.2 have vulnerabilities in the HTTP server that allow permissions bypass to: Perform writes on repositories that should be read-only Perform reads on repositories that shouldn't allow read access The nature of the vulnerabilities is: Wire protocol commands that didn't explicitly declare their permissions had no permissions checking done. The web.{allow-pull, allow-push, deny_read, etc} config options governing access control were never consulted when running these commands. This allowed permissions bypass for impacted commands. The batch wire protocol command did not list its permission requirements nor did it enforce permissions on individual sub-commands. The implication of these vulnerabilities is that no permissions checking was performed on commands and this could lead to accessing data that web.* config options were supposed to prevent access to or modifying data (via wire protocol commands that can mutate data) without authorization. A Mercurial HTTP server in its default configuration is supposed to be read-only. However, a well-crafted batch command could invoke commands that perform writes.