Bug 627484 (CVE-2017-1000115, CVE-2017-1000116) - <dev-vcs/mercurial-4.3: Multiple vulnerabilities
Summary: <dev-vcs/mercurial-4.3: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-1000115, CVE-2017-1000116
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.mercurial-scm.org/piperma...
Whiteboard: B2 [glsa cve]
Reported: 2017-08-10 19:56 UTC by Dirkjan Ochtman
Modified: 2018-01-25 02:32 UTC (History)
Package list:
=dev-vcs/mercurial-4.3
Runtime testing required: Yes
stable-bot: sanity-check+


Description Dirkjan Ochtman gentoo-dev 2017-08-10 19:56:59 UTC
CVE-2017-1000115:

Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.

CVE-2017-1000116:

Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed. All three tools are doing their security release today.

Lars, since I was available and am an ex-Mercurial maintainer, I figured I could bump this for you real quick -- hope you don't mind.
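The hostname issue in the description (CVE-2017-1000116) comes down to an untrusted URL component being placed where ssh parses options. The following is an added illustration of the defensive side, not Mercurial's own code: it parses an ssh:// URL, refuses any component that ssh or the remote hg could read as an option, and builds the argv with a "--" terminator so later arguments are never parsed as options. Function names, the hostname character set and the "hg serve --stdio" command shape are assumptions for the example; IPv6 literals are out of scope.

```python
import re
from urllib.parse import urlsplit

# Conservative hostname alphabet (assumed for this example): letters, digits,
# dots and hyphens, never starting with a hyphen. IPv6 literals are not handled.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


class UnsafeSshUrl(ValueError):
    """Raised when a URL component could be interpreted as a command-line option."""


def _reject_option_like(name, value):
    # Any component that ends up as its own argv token (user@host, path) must not
    # begin with '-', otherwise ssh or the remote hg treats it as an option.
    if value.startswith("-"):
        raise UnsafeSshUrl(f"{name} {value!r} looks like a command-line option")
    return value


def build_ssh_argv(url):
    """Turn ssh://[user@]host[:port]/path into a safe argv for a push/pull session."""
    parts = urlsplit(url)
    if parts.scheme != "ssh":
        raise ValueError("only ssh:// URLs are handled by this example")
    host = _reject_option_like("hostname", parts.hostname or "")
    if not _HOST_RE.match(host):
        raise UnsafeSshUrl(f"hostname {host!r} contains characters outside the allowed set")
    path = _reject_option_like("path", parts.path.lstrip("/") or ".")
    target = host
    if parts.username:
        target = _reject_option_like("username", parts.username) + "@" + host
    argv = ["ssh"]
    if parts.port:
        argv += ["-p", str(parts.port)]
    # '--' ends ssh option parsing, so the target can never be read as an option.
    argv += ["--", target, "hg", "-R", path, "serve", "--stdio"]
    return argv


def is_safe_ssh_url(url):
    """Convenience predicate: True if build_ssh_argv accepts the URL."""
    try:
        build_ssh_argv(url)
    except (UnsafeSshUrl, ValueError):
        return False
    return True
```

The option-like check is the part that matters; the "--" terminator is belt-and-braces for the ssh invocation and does nothing for the remote hg arguments, which is why the path is validated separately.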
Comment 1 Dirkjan Ochtman gentoo-dev 2017-08-10 19:58:46 UTC
Version bump to 4.3 pushed.

commit 0a16ae3418799bb39ce9cc3f5bee848803e3e06a (HEAD -> master, origin/master, origin/HEAD)
Author: Dirkjan Ochtman <djc@gentoo.org>
Date:   Thu Aug 10 21:57:21 2017 +0200

    dev-vcs/mercurial: version bump 4.3 with security issues (bug 627484)
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.1
Comment 2 Sergei Trofimovich gentoo-dev 2017-08-28 08:25:07 UTC
ia64 stable
Comment 3 Matt Turner gentoo-dev 2017-08-31 15:22:08 UTC
alpha stable
Comment 4 Matt Turner gentoo-dev 2017-09-01 18:45:23 UTC
ppc/ppc64 stable
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-04 21:36:32 UTC
amd64/x86 stable
Comment 6 Markus Meier gentoo-dev 2017-09-07 19:39:33 UTC
arm stable
Comment 7 Sergei Trofimovich gentoo-dev 2017-09-10 20:33:52 UTC
stable for hppa (thanks to Dakon)
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-17 20:05:43 UTC
New GLSA request filed.

@Maintainer please proceed to clean the tree, it is your call to decide if sparc is dropped when removing affected versions. 

Gentoo Security Padawan
ChrisADR
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-09-24 15:48:29 UTC
This issue was resolved and addressed in
 GLSA 201709-18 at https://security.gentoo.org/glsa/201709-18
by GLSA coordinator Aaron Bauman (b-man).
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-24 15:49:01 UTC
re-opened for cleanup
Comment 12 Sergei Trofimovich gentoo-dev 2017-10-08 19:22:49 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 13 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-08 21:12:46 UTC
Thank you all.

@Maintainer please clean up the tree.

Gentoo Security Padawan
ChrisADR