Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 649872 (CVE-2018-1000132) - <dev-vcs/mercurial-4.5.2: HTTP server permissions bypass
Summary: <dev-vcs/mercurial-4.5.2: HTTP server permissions bypass
Status: RESOLVED FIXED
Alias: CVE-2018-1000132
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://www.mercurial-scm.org/wiki/Wh...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-03-07 20:10 UTC by Lars Wendler (Polynomial-C) (RETIRED)
Modified: 2018-05-14 22:42 UTC (History)
1 user (show)

See Also:
Package list:
=dev-vcs/mercurial-4.5.2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2018-03-07 20:10:25 UTC
Quote from release notes:

All versions of Mercurial prior to 4.5.2 have vulnerabilities in the HTTP server that allow permissions bypass to:

    Perform writes on repositories that should be read-only
    Perform reads on repositories that shouldn't allow read access 

The nature of the vulnerabilities is:

    Wire protocol commands that didn't explicitly declare their permissions had no permissions checking done. The web.{allow-pull, allow-push, deny_read, etc} config options governing access control were never consulted when running these commands. This allowed permissions bypass for impacted commands.

    The batch wire protocol command did not list its permission requirements nor did it enforce permissions on individual sub-commands. 

The implication of these vulnerabilities is that no permissions checking was performed on commands and this could lead to accessing data that web.* config options were supposed to prevent access to or modifying data (via wire protocol commands that can mutate data) without authorization. A Mercurial HTTP server in its default configuration is supposed to be read-only. However, a well-crafted batch command could invoke commands that perform writes.
Comment 1 Mart Raudsepp gentoo-dev 2018-03-08 11:53:14 UTC
arm64 has no stable keywords on this package, so no idea why we were CCed. unCCing.
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-09 22:48:22 UTC
ia64 stable
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-10 12:54:45 UTC
commit bb4eabfa3e51cee83f091cdcf8773a6d361c2be8
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Thu Mar 8 18:32:34 2018 +0100

    dev-vcs/mercurial: stable 4.5.2 for sparc, bug #649872
Comment 4 Agostino Sarubbo gentoo-dev 2018-03-10 18:25:32 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-11 15:08:53 UTC
x86 stable, ignored test failures, see https://bugs.gentoo.org/608720#c5
Comment 6 Matt Turner gentoo-dev 2018-03-12 13:42:42 UTC
ppc/ppc64 stable

Really unhappy about awful test suite. Takes hours and then fails.
Comment 7 Markus Meier gentoo-dev 2018-03-15 20:14:51 UTC
arm stable
Comment 8 Matt Turner gentoo-dev 2018-03-17 15:55:06 UTC
alpha stable
Comment 9 Matt Turner gentoo-dev 2018-04-22 21:06:28 UTC
hppa stable
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-04-22 21:36:33 UTC
GLSA Vote: No

@maintainer, please clean vulnerable