Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 636704 (CVE-2017-17458) - <dev-vcs/mercurial-4.5.2: arbitrary command execution in mercurial repo with a git submodule
Summary: <dev-vcs/mercurial-4.5.2: arbitrary command execution in mercurial repo with ...
Alias: CVE-2017-17458
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
: 640560 (view as bug list)
Depends on:
Reported: 2017-11-06 16:38 UTC by Agostino Sarubbo
Modified: 2018-04-22 21:35 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: No
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-11-06 16:38:39 UTC
From ${URL} :

A vulnerability in Mercurial's handling of subrepositories was reported on the Mercurial Project's *public* bug tracker.

The vulnerability results in arbitrary code execution during `hg clone` or `hg pull` + `hg update` if a well-crafted repository is cloned or 
pulled from. The vulnerability is known to occur with Git subrepositories. But it can also possibly occur with other subrepository types. The 
vulnerability likely impacts Mercurial versions released for the past several years.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-12-10 16:51:46 UTC
*** Bug 640560 has been marked as a duplicate of this bug. ***
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-03-25 18:22:58 UTC
Mitigation is to disable sub-repos and only clone trusted repos which would be considered hardening.  Mercurial has made this a default option accordingly for their users and the fix is present in 4.5.2 (older versions not checked). Thus, the bug has been downgraded to B4.

GLSA Vote: No

@hppa, please stabilize.
Comment 3 Matt Turner gentoo-dev 2018-04-22 21:06:17 UTC
hppa stable
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-22 21:35:57 UTC
Cleanup will be in bug 649872