| Field | Value |
|---|---|
| Summary | dev-vcs/mercurial-4.9-r2: path-checking logic and write files outside a repository via symlink issue |
| Product | Gentoo Security |
| Reporter | Lars Wendler (Polynomial-C) (RETIRED) <polynomial-c> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | cedk, maintainer-needed |
| Priority | Normal |
| Keywords | PullRequest |
| Version | unspecified |
| Flags | stable-bot: sanity-check+ |
| Hardware | All |
| OS | Linux |
| URL | https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29 |
| See Also | https://github.com/gentoo/gentoo/pull/15048 |
| Whiteboard | B3 [noglsa cve] |
| Package list | dev-vcs/mercurial-4.9-r2; dev-vcs/tortoisehg-4.9 amd64 x86; dev-python/zstandard-0.8.1 |
| Runtime testing required | --- |
| Bug Depends on | 664526 |
| Bug Blocks | |
Description
Lars Wendler (Polynomial-C) (RETIRED)
2019-03-13 09:52:13 UTC
An automated check of this bug failed - repoman reported dependency errors (225 lines truncated):
> dependency.bad dev-vcs/tortoisehg/tortoisehg-4.9.ebuild: DEPEND: alpha(default/linux/alpha/17.0) ['dev-python/iniparse[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', 'dev-python/PyQt5[network,svg,python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', '>=dev-python/qscintilla-python-2.9.4:=[qt5(+),python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
> dependency.bad dev-vcs/tortoisehg/tortoisehg-4.9.ebuild: RDEPEND: alpha(default/linux/alpha/17.0) ['dev-python/iniparse[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', 'dev-python/PyQt5[network,svg,python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', '>=dev-python/qscintilla-python-2.9.4:=[qt5(+),python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
> dependency.bad dev-vcs/tortoisehg/tortoisehg-4.9.ebuild: DEPEND: alpha(default/linux/alpha/17.0) ['dev-python/iniparse[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', 'dev-python/PyQt5[network,svg,python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', '>=dev-python/qscintilla-python-2.9.4:=[qt5(+),python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
An automated check of this bug failed - repoman reported dependency errors (215 lines truncated):
> dependency.bad dev-vcs/tortoisehg/tortoisehg-4.9.ebuild: DEPEND: alpha(default/linux/alpha/17.0) ['dev-python/PyQt5[network,svg,python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', '>=dev-python/qscintilla-python-2.9.4:=[qt5(+),python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
> dependency.bad dev-vcs/tortoisehg/tortoisehg-4.9.ebuild: RDEPEND: alpha(default/linux/alpha/17.0) ['dev-python/PyQt5[network,svg,python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', '>=dev-python/qscintilla-python-2.9.4:=[qt5(+),python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
> dependency.bad dev-vcs/tortoisehg/tortoisehg-4.9.ebuild: DEPEND: alpha(default/linux/alpha/17.0) ['dev-python/PyQt5[network,svg,python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', '>=dev-python/qscintilla-python-2.9.4:=[qt5(+),python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
iniparse can be removed: it's only needed for tortoisehg and already stable on amd64+x86.

amd64 stable

arm stable

Looking good on ppc.

# cat mercurial-680206.report
USE tests started on Mo 18. Mär 23:49:49 CET 2019
FEATURES=' test' USE='' succeeded for =dev-vcs/mercurial-4.9
FEATURES=' test' USE='' succeeded for =dev-python/zstandard-0.8.1
revdep tests started on Mo 18. Mär 23:54:26 CET 2019
FEATURES=' test' USE='mercurial' succeeded for app-portage/layman
FEATURES=' test' USE='' succeeded for dev-vcs/hg-git
FEATURES=' test' USE='' succeeded for dev-vcs/mercurial

x86 cannot stabilize, required package doesn't build, bug 680912.

sparc stable

alpha stable

hppa stable

ppc64 stable

Looking good on ppc. (This time with proper rdeps.)

# cat mercurial-680206.report
USE tests started on Mo 18. Mär 23:49:49 CET 2019
FEATURES=' test' USE='' succeeded for =dev-vcs/mercurial-4.9
FEATURES=' test' USE='' succeeded for =dev-python/zstandard-0.8.1
revdep tests started on Mo 18. Mär 23:54:26 CET 2019
FEATURES=' test' USE='mercurial' succeeded for app-portage/layman
FEATURES=' test' USE='' succeeded for dev-vcs/hg-git
FEATURES=' test' USE='' succeeded for dev-vcs/mercurial
USE tests started on So 14. Apr 20:58:33 CEST 2019
FEATURES=' test' USE='' succeeded for =dev-vcs/mercurial-4.9-r1
FEATURES=' test' USE='' succeeded for =dev-python/zstandard-0.8.1
revdep tests started on So 14. Apr 21:01:58 CEST 2019
FEATURES=' test' USE='mercurial' succeeded for app-portage/layman
FEATURES=' test' USE='' succeeded for dev-vcs/hg-git
FEATURES=' test' USE='' succeeded for dev-vcs/mercurial
revdep tests started on So 14. Apr 21:13:19 CEST 2019
FEATURES=' test' USE='mercurial' succeeded for app-portage/layman
FEATURES=' test' USE='' succeeded for dev-vcs/hg-git
FEATURES=' test' USE='' succeeded for dev-vcs/mercurial

ppc stable

ia64 stable

@x86 ping

x86 stable.

Maintainer(s), please cleanup.

Security, please vote.

Maintainer(s), please drop the vulnerable version(s).

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e54e97355ff86e0dcbbd36b8f0f64bac2094a61a

commit e54e97355ff86e0dcbbd36b8f0f64bac2094a61a
Author: Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-22 00:32:38 +0000
Commit: Cédric Krier <cedk@gentoo.org>
CommitDate: 2020-03-22 10:13:46 +0000

dev-vcs/mercurial: Security cleanup

Bug: https://bugs.gentoo.org/680206
Closes: https://github.com/gentoo/gentoo/pull/15048
Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
Signed-off-by: Cédric Krier <cedk@gentoo.org>

dev-vcs/mercurial/Manifest | 1 -
dev-vcs/mercurial/mercurial-4.6.2.ebuild | 137 -------------------------------
2 files changed, 138 deletions(-)

GLSA Vote: No

Repository is clean, all done!

CVE-2019-3902 (https://nvd.nist.gov/vuln/detail/CVE-2019-3902): A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.