Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 544332 (CVE-2014-9462) - <dev-vcs/mercurial-3.3.2: command Injection via sshpeer._validaterepo() (CVE-2014-9462)
Summary: <dev-vcs/mercurial-3.3.2: command Injection via sshpeer._validaterepo() (CVE-...
Alias: CVE-2014-9462
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2015-03-24 13:24 UTC by Agostino Sarubbo
Modified: 2016-12-07 10:36 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-03-24 13:24:38 UTC
From ${URL} :

Following commit fixes code injection issue in Mercurial:

Detailed description of the attack vector is available here:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-03-24 17:32:08 UTC
+*mercurial-3.3.2 (24 Mar 2015)
+  24 Mar 2015; Lars Wendler <> -mercurial-3.2.4.ebuild,
+  -mercurial-3.3.ebuild, +mercurial-3.3.2.ebuild:
+  Security bump (bug #544332). Removed old.

The mentioned fix is already in mercurial-3.3.2
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2015-03-28 20:33:19 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #1)
> The mentioned fix is already in mercurial-3.3.2

Is this ready to go stable?

GLSA vote: NO.
Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2015-03-28 20:34:01 UTC
(In reply to Tobias Heinlein from comment #2)
> GLSA vote: NO.

Actually, no vote required here as it is B2.
Comment 4 Agostino Sarubbo gentoo-dev 2015-03-29 12:49:20 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2015-03-30 09:59:45 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-03-30 09:59:59 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-03-30 15:45:54 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2015-03-31 07:58:35 UTC
ppc64 stable
Comment 9 Markus Meier gentoo-dev 2015-04-09 20:50:14 UTC
arm stable
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2015-04-11 18:00:06 UTC
CVE-2014-9462 (
  The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows
  remote attackers to execute arbitrary commands via a crafted repository name
  in a clone command.
Comment 11 Agostino Sarubbo gentoo-dev 2015-04-13 09:46:16 UTC
alpha stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-04-14 12:33:23 UTC
ia64 stable
Comment 13 Pacho Ramos gentoo-dev 2015-04-21 18:44:47 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-04-29 09:19:19 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-05-11 15:43:53 UTC
Arches, Thank you for your work.
Added to an existing GLSA Request.

Maintainer(s), please drop the vulnerable version(s).
Comment 16 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-05-12 19:07:12 UTC
+  12 May 2015; Lars Wendler <> -mercurial-3.2.3.ebuild:
+  Removed vulnerable version.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2015-05-13 22:19:39 UTC
Maintainer(s), Thank you for you for cleanup.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2016-12-07 10:36:35 UTC
This issue was resolved and addressed in
 GLSA 201612-19 at
by GLSA coordinator Aaron Bauman (b-man).