621068 – (CVE-2017-9462) <dev-vcs/mercurial-4.1.3: arbitrary code excecution through python debbuger

Bug 621068 (CVE-2017-9462) - <dev-vcs/mercurial-4.1.3: arbitrary code excecution through python debbuger

Summary: <dev-vcs/mercurial-4.1.3: arbitrary code excecution through python debbuger

Status:	RESOLVED FIXED

Alias:	CVE-2017-9462

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal critical (vote)
Assignee:	Gentoo Security

URL:	https://www.mercurial-scm.org/repo/hg...
Whiteboard:	C0 [glsa cve]
Keywords:

Duplicates (1):	624726 (view as bug list)
Depends on:	621280
Blocks:
	Show dependency tree

Reported:	2017-06-06 19:07 UTC by Kristian Fiskerstrand (RETIRED)
Modified:	2017-12-13 20:15 UTC (History)
CC List:	3 users (show)

See Also:	https://bugs.debian.org/861243
Package list:	dev-vcs/mercurial-4.2
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-06-06 19:07:58 UTC

This is somewhat of a specific attack vector, and I'm not sure to what extent it is wildly deployed, but we likely want to stabilize >=4.1.3. Anyways useful for tracking purposes:

From debian bug:
Dear Maintainer,

All versions of Mercurial prior to 4.1.3 have a bug in
'hg serve --stdio' which can allow remote users access to the Python
debugger, from where they have nearly complete access to the local
system.  For systems serving Mercurial repositories via ssh, this
could allow unauthorized access to the serving account.

Some details in commit in $URL

Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev

2017-06-09 11:28:11 UTC

Filed bug 621280 earlier, let's use that?

Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-06-09 12:13:46 UTC

(In reply to Dirkjan Ochtman from comment #1)
> Filed bug 621280 earlier, let's use that?

No problem using that for stabilization; updated this bug to reflect it

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2017-06-09 12:21:06 UTC

(In reply to Dirkjan Ochtman from comment #1)
> Filed bug 621280 earlier, let's use that?

In general this isn't a problem. But sometimes overloaded arch teams will ignore non-security stabilization requests. I assigned the bug to security@, let's see if this will work.

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2017-07-21 13:39:54 UTC

*** Bug 624726 has been marked as a duplicate of this bug. ***

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2017-07-21 13:42:22 UTC

@ Arches,

please continue stabilization of =dev-vcs/mercurial-4.2!

Comment 6 Markus Meier gentoo-dev

2017-07-25 18:50:37 UTC

arm stable

Comment 7 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-09-19 02:14:33 UTC

GLSA Request filed.

Cleanup from versions prior to 4.3 will occur in bug 627484.

Gentoo Security Padawan
ChrisADR

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2017-09-24 15:48:21 UTC

This issue was resolved and addressed in
 GLSA 201709-18 at https://security.gentoo.org/glsa/201709-18
by GLSA coordinator Aaron Bauman (b-man).