Bug 680206 - <dev-vcs/mercurial-4.9-r2: path-checking logic and write files outside a repository via symlink issue
Summary: <dev-vcs/mercurial-4.9-r2: path-checking logic and write files outside a repo...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.mercurial-scm.org/wiki/Wh...
Whiteboard: B3 [noglsa cve]
Keywords: PullRequest
Depends on: 664526
Blocks:
Reported: 2019-03-13 09:52 UTC by Lars Wendler (Polynomial-C) (RETIRED)
Modified: 2020-04-17 01:14 UTC (History)

See Also:
Package list:
dev-vcs/mercurial-4.9-r2 dev-vcs/tortoisehg-4.9 amd64 x86 dev-python/zstandard-0.8.1
Runtime testing required: ---
stable-bot: sanity-check+
Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-03-13 09:52:13 UTC
From their ChangeLog (see URL):


1.1. security

It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository. This has been fixed. Users on older versions can either disable subrepositories with [subrepos] allowed=false in their configuration or by ensuring any cloned repositories don't contain malicious symlinks. 


@ppc: You need to keyword dev-python/zstandard in order to get mercurial stable.
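As an added, defender-side illustration of the two workarounds quoted above (example code written for this page, not Mercurial's own path-checking code), the first helper below walks a cloned working copy and reports every symlink whose fully resolved target lies outside the repository root, following link chains and relative `..` components; the second is a simplified check of whether an hgrc fragment sets `[subrepos] allowed = false`. The sample working copy is constructed inline in a temporary directory; the `.hg` directory name is the only Mercurial-specific assumption, and the hgrc check uses Python's `configparser`, which does not understand Mercurial-only syntax such as `%include`.

```python
import configparser
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(repo_root):
    """Return sorted (link_relpath, raw_target) pairs for every symlink in
    repo_root whose resolved target is not inside repo_root.

    Symlinks are not followed while walking, so a link to a directory is
    inspected once and never descended into; os.path.realpath resolves
    link chains and '..' components even when the final target is missing.
    """
    root = Path(repo_root).resolve()
    escaping = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # The .hg metadata directory is not part of the checked-out tree.
        if ".hg" in dirnames:
            dirnames.remove(".hg")
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            resolved = Path(os.path.realpath(p))
            try:
                resolved.relative_to(root)       # inside the repo: fine
            except ValueError:                   # not under root: escapes
                escaping.append((str(p.relative_to(root)), os.readlink(p)))
    return sorted(escaping)


def subrepos_disabled(hgrc_text):
    """True if the hgrc fragment turns subrepositories off with
    [subrepos] allowed = false (Mercurial's default is allowed)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(hgrc_text)
    return not cp.getboolean("subrepos", "allowed", fallback=True)


def build_demo_repo(base):
    """Construct a sample working copy (constructed data, not a real clone)."""
    repo = Path(base) / "repo"
    (repo / ".hg").mkdir(parents=True)
    (repo / "docs").mkdir()
    (repo / "README").write_text("hello\n")
    (Path(base) / "outside.txt").write_text("not part of the repo\n")
    os.symlink("../README", repo / "docs" / "readme_link")  # benign, stays inside
    os.symlink("docs", repo / "docs_alias")                  # benign directory link
    os.symlink("../outside.txt", repo / "escape")            # leaves the repo via ..
    os.symlink("escape", repo / "chain")                     # chain through the escaping link
    return repo


def demo():
    """Build the sample repo in a temp dir and return the escaping links."""
    with tempfile.TemporaryDirectory() as base:
        return find_escaping_symlinks(build_demo_repo(base))


if __name__ == "__main__":
    for link, target in demo():
        print(f"escaping symlink: {link} -> {target}")
    print("subrepos disabled:", subrepos_disabled("[subrepos]\nallowed = false\n"))
```

Only `chain` and `escape` are reported; the two links that resolve inside the tree are accepted even though one of them uses `..`, which is the distinction a naive "does the target contain .." check gets wrong.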
Comment 1 Stabilization helper bot gentoo-dev 2019-03-13 10:02:38 UTC
An automated check of this bug failed - repoman reported dependency errors (225 lines truncated): 

> dependency.bad dev-vcs/tortoisehg/tortoisehg-4.9.ebuild: DEPEND: alpha(default/linux/alpha/17.0) ['dev-python/iniparse[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', 'dev-python/PyQt5[network,svg,python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', '>=dev-python/qscintilla-python-2.9.4:=[qt5(+),python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
> dependency.bad dev-vcs/tortoisehg/tortoisehg-4.9.ebuild: RDEPEND: alpha(default/linux/alpha/17.0) ['dev-python/iniparse[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', 'dev-python/PyQt5[network,svg,python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', '>=dev-python/qscintilla-python-2.9.4:=[qt5(+),python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
> dependency.bad dev-vcs/tortoisehg/tortoisehg-4.9.ebuild: DEPEND: alpha(default/linux/alpha/17.0) ['dev-python/iniparse[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', 'dev-python/PyQt5[network,svg,python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', '>=dev-python/qscintilla-python-2.9.4:=[qt5(+),python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
Comment 2 Stabilization helper bot gentoo-dev 2019-03-13 11:03:12 UTC
An automated check of this bug failed - repoman reported dependency errors (215 lines truncated): 

> dependency.bad dev-vcs/tortoisehg/tortoisehg-4.9.ebuild: DEPEND: alpha(default/linux/alpha/17.0) ['dev-python/PyQt5[network,svg,python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', '>=dev-python/qscintilla-python-2.9.4:=[qt5(+),python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
> dependency.bad dev-vcs/tortoisehg/tortoisehg-4.9.ebuild: RDEPEND: alpha(default/linux/alpha/17.0) ['dev-python/PyQt5[network,svg,python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', '>=dev-python/qscintilla-python-2.9.4:=[qt5(+),python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
> dependency.bad dev-vcs/tortoisehg/tortoisehg-4.9.ebuild: DEPEND: alpha(default/linux/alpha/17.0) ['dev-python/PyQt5[network,svg,python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', '>=dev-python/qscintilla-python-2.9.4:=[qt5(+),python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
Comment 3 Rolf Eike Beer archtester 2019-03-14 20:34:16 UTC
iniparse can be removed: it's only needed for tortoisehg and already stable on amd64+x86.
Comment 4 Agostino Sarubbo gentoo-dev 2019-03-16 12:48:28 UTC
amd64 stable
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-16 13:57:39 UTC
arm stable
Comment 6 ernsteiswuerfel archtester 2019-03-18 23:02:18 UTC
Looking good on ppc.

# cat mercurial-680206.report 
USE tests started on Mo 18. Mär 23:49:49 CET 2019

FEATURES=' test' USE='' succeeded for =dev-vcs/mercurial-4.9

FEATURES=' test' USE='' succeeded for =dev-python/zstandard-0.8.1

revdep tests started on Mo 18. Mär 23:54:26 CET 2019

FEATURES=' test' USE='mercurial' succeeded for app-portage/layman
FEATURES=' test' USE='' succeeded for dev-vcs/hg-git
FEATURES=' test' USE='' succeeded for dev-vcs/mercurial
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 11:27:00 UTC
x86 cannot stabilize, required package doesn't build, bug 680912.
Comment 8 Rolf Eike Beer archtester 2019-03-27 19:26:12 UTC
sparc stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-02 12:25:18 UTC
alpha stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-07 21:38:26 UTC
hppa stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-07 21:50:13 UTC
ppc64 stable
Comment 12 ernsteiswuerfel archtester 2019-04-14 19:19:05 UTC
Looking good on ppc.
(This time with proper rdeps.)

# cat mercurial-680206.report 
USE tests started on Mo 18. Mär 23:49:49 CET 2019

FEATURES=' test' USE='' succeeded for =dev-vcs/mercurial-4.9

FEATURES=' test' USE='' succeeded for =dev-python/zstandard-0.8.1

revdep tests started on Mo 18. Mär 23:54:26 CET 2019

FEATURES=' test' USE='mercurial' succeeded for app-portage/layman
FEATURES=' test' USE='' succeeded for dev-vcs/hg-git
FEATURES=' test' USE='' succeeded for dev-vcs/mercurial
USE tests started on So 14. Apr 20:58:33 CEST 2019

FEATURES=' test' USE='' succeeded for =dev-vcs/mercurial-4.9-r1

FEATURES=' test' USE='' succeeded for =dev-python/zstandard-0.8.1

revdep tests started on So 14. Apr 21:01:58 CEST 2019

FEATURES=' test' USE='mercurial' succeeded for app-portage/layman
FEATURES=' test' USE='' succeeded for dev-vcs/hg-git
FEATURES=' test' USE='' succeeded for dev-vcs/mercurial
revdep tests started on So 14. Apr 21:13:19 CEST 2019

FEATURES=' test' USE='mercurial' succeeded for app-portage/layman
FEATURES=' test' USE='' succeeded for dev-vcs/hg-git
FEATURES=' test' USE='' succeeded for dev-vcs/mercurial
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-28 07:45:42 UTC
ppc stable
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-12 22:07:35 UTC
ia64 stable
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2019-08-12 23:45:15 UTC
@x86 ping
Comment 16 Agostino Sarubbo gentoo-dev 2019-11-23 12:43:48 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-15 17:14:56 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 18 Larry the Git Cow gentoo-dev 2020-03-22 10:14:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e54e97355ff86e0dcbbd36b8f0f64bac2094a61a

commit e54e97355ff86e0dcbbd36b8f0f64bac2094a61a
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-22 00:32:38 +0000
Commit:     Cédric Krier <cedk@gentoo.org>
CommitDate: 2020-03-22 10:13:46 +0000

    dev-vcs/mercurial: Security cleanup
    
    Bug: https://bugs.gentoo.org/680206
    Closes: https://github.com/gentoo/gentoo/pull/15048
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Cédric Krier <cedk@gentoo.org>

 dev-vcs/mercurial/Manifest               |   1 -
 dev-vcs/mercurial/mercurial-4.6.2.ebuild | 137 -------------------------------
 2 files changed, 138 deletions(-)
Comment 19 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 20:51:30 UTC
GLSA Vote: No

Repository is clean, all done!
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 01:14:07 UTC
CVE-2019-3902 (https://nvd.nist.gov/vuln/detail/CVE-2019-3902):
  A flaw was found in Mercurial before 4.9. It was possible to use symlinks
  and subrepositories to defeat Mercurial's path-checking logic and write
  files outside a repository.