Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 621068 (CVE-2017-9462) - <dev-vcs/mercurial-4.1.3: arbitrary code excecution through python debbuger
Summary: <dev-vcs/mercurial-4.1.3: arbitrary code excecution through python debbuger
Status: RESOLVED FIXED
Alias: CVE-2017-9462
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal critical (vote)
Assignee: Gentoo Security
URL: https://www.mercurial-scm.org/repo/hg...
Whiteboard: C0 [glsa cve]
Keywords:
: 624726 (view as bug list)
Depends on: 621280
Blocks:
  Show dependency tree
 
Reported: 2017-06-06 19:07 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2017-12-13 20:15 UTC (History)
3 users (show)

See Also:
Package list:
dev-vcs/mercurial-4.2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-06 19:07:58 UTC
This is somewhat of a specific attack vector, and I'm not sure to what extent it is wildly deployed, but we likely want to stabilize >=4.1.3. Anyways useful for tracking purposes:

From debian bug:
Dear Maintainer,

All versions of Mercurial prior to 4.1.3 have a bug in
'hg serve --stdio' which can allow remote users access to the Python
debugger, from where they have nearly complete access to the local
system.  For systems serving Mercurial repositories via ssh, this
could allow unauthorized access to the serving account.

Some details in commit in $URL
Comment 1 Dirkjan Ochtman gentoo-dev 2017-06-09 11:28:11 UTC
Filed bug 621280 earlier, let's use that?
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-09 12:13:46 UTC
(In reply to Dirkjan Ochtman from comment #1)
> Filed bug 621280 earlier, let's use that?

No problem using that for stabilization; updated this bug to reflect it
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-06-09 12:21:06 UTC
(In reply to Dirkjan Ochtman from comment #1)
> Filed bug 621280 earlier, let's use that?

In general this isn't a problem. But sometimes overloaded arch teams will ignore non-security stabilization requests. I assigned the bug to security@, let's see if this will work.
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-07-21 13:39:54 UTC
*** Bug 624726 has been marked as a duplicate of this bug. ***
Comment 5 Thomas Deutschmann gentoo-dev Security 2017-07-21 13:42:22 UTC
@ Arches,

please continue stabilization of =dev-vcs/mercurial-4.2!
Comment 6 Markus Meier gentoo-dev 2017-07-25 18:50:37 UTC
arm stable
Comment 7 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-19 02:14:33 UTC
GLSA Request filed.

Cleanup from versions prior to 4.3 will occur in bug 627484.

Gentoo Security Padawan
ChrisADR
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2017-09-24 15:48:21 UTC
This issue was resolved and addressed in
 GLSA 201709-18 at https://security.gentoo.org/glsa/201709-18
by GLSA coordinator Aaron Bauman (b-man).