Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 951738 (CVE-2025-2361)

Summary: <dev-vcs/mercurial-6.9.4: XSS in hgweb
Product: Gentoo Security Reporter: Christopher Fore <csfore>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: ajak, cedk
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.mercurial-scm.org/pipermail/mercurial-packaging/2025-March/000754.html
Whiteboard: B4 [stable]
Package list:
Runtime testing required: ---
Bug Depends on: 951910    
Bug Blocks:    

Description Christopher Fore 2025-03-22 00:03:19 UTC 
A vulnerability was found in Mercurial SCM 4.5.3/71.19.145.211. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument cmd leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.



The above is fixed in 6.9.4.
Comment 1 Larry the Git Cow gentoo-dev 2025-03-23 12:43:50 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ae69a17af7032045bbde5039f732a6cdc480e569

commit ae69a17af7032045bbde5039f732a6cdc480e569
Author:     Cédric Krier <cedk@gentoo.org>
AuthorDate: 2025-03-23 12:43:10 +0000
Commit:     Cédric Krier <cedk@gentoo.org>
CommitDate: 2025-03-23 12:43:46 +0000

    dev-vcs/mercurial: add 6.9.4, drop 6.9.1
    
    Bug: https://bugs.gentoo.org/951738
    Signed-off-by: Cédric Krier <cedk@gentoo.org>

 dev-vcs/mercurial/Manifest                                           | 2 +-
 dev-vcs/mercurial/{mercurial-6.9.1.ebuild => mercurial-6.9.4.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 2 Cédric Krier gentoo-dev 2025-03-23 12:47:05 UTC 
The patch is https://foss.heptapod.net/mercurial/mercurial-devel/-/commit/a5c72ed2929341d97b11968211c880854803f003

As it is quite large especially for the tests part. I think it will be simpler to quickly stabilize the version 6.9.4.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2025-03-26 04:46:16 UTC 
Please stabilize when ready!