Hi Javi, On Wed, May 27, 2015 at 12:16:38PM +0100, Javi Merino wrote: > [Dropping python-apps-team] > > Hi debian-lts, > > On Tue, May 12, 2015 at 10:15:38PM +0900, Javi Merino wrote: > > Hi Raphael, > > > > On Mon, May 11, 2015 at 08:42:23PM +0200, Raphael Hertzog wrote: > > > Hello dear maintainer(s), > > > > > > the Debian LTS team would like to fix the security issues which are > > > currently open in the Squeeze version of mercurial: > > > https://security-tracker.debian.org/tracker/CVE-2014-9462 > > > https://security-tracker.debian.org/tracker/CVE-2014-9390 (optional, is > > > tagged no-dsa) > > > > > > Would you like to take care of this yourself? We are still understaffed so > > > any help is always highly appreciated. > > > > If you are understaffed I'm happy to help preparing the update. I'll > > hopefully have time to do it tomorrow, I'll claim the DLA when I start > > working on it. > > I've prepared a package for squeeze lts that fixes CVE-2014-9462 and > CVE-2014-9390. Find attached the debdiff. > > I've run the testsuite in a squeeze chroot and it passes, but I'm not > entirely sure that a) I haven't broken anything and b) my backport of > the security fix is valid -- the code has changed a lot between > mercurial 1.6.4 and 3.2.3. I'd appreciate if somebody did some more > testing. The packages can be found in: > > https://people.debian.org/~vicho/mercurial_squeeze/ > > Please CC me on replies, I'm not subscribed to the list.
I've ported over more of upstream's _serverquote usage, since the remotecmd and path need to be protected as well; otherwise we stay vulnerable. Furthermore I ported over the test for CVE-2014-9390, and to be sure the issue doesn't creep back in we're running it during the build. I think with these changes we're good to go. Are you handling the upload? Cheers -- Guido
diff --git a/debian/changelog b/debian/changelog
index 10f7480..af90400 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,6 @@
mercurial (1.6.4-1+deb6u1) squeeze-lts; urgency=medium
+ [Javi Merino]
* Fix "CVE-2014-9462" by adding patch
from_upstream__sshpeer_more_thorough_shell_quoting.patch
* Fix "CVE-2014-9390: Errors in handling case-sensitive directories
@@ -8,6 +9,12 @@ mercurial (1.6.4-1+deb6u1) squeeze-lts; urgency=medium
from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch, and from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
+
+ [Guido Günther]
+ * Fix "CVE-2014-9462" by adding patch
+ from_upstream__sshpeer_even_more_thorough_shell_quoting.patch
+ * Run tests for CVE-2014-9390 by adding patch
+ from_upstream__test_CVE-2014-930.patch
-- Javi Merino <vi...@debian.org> Wed, 27 May 2015 11:49:05 +0100
diff --git a/debian/patches/from_upstream__sshpeer_even_more_thorough_shell_quoting.patch b/debian/patches/from_upstream__sshpeer_even_more_thorough_shell_quoting.patch
new file mode 100644
index 0000000..5f1d1a5
--- /dev/null
+++ b/debian/patches/from_upstream__sshpeer_even_more_thorough_shell_quoting.patch
@@ -0,0 +1,36 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Fri, 29 May 2015 14:37:57 +0200
+Subject: from_upstream__sshpeer_even_more_thorough_shell_quoting
+
+---
+ mercurial/sshrepo.py | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/mercurial/sshrepo.py b/mercurial/sshrepo.py
+index f487498..dd02f96 100644
+--- a/mercurial/sshrepo.py
++++ b/mercurial/sshrepo.py
+@@ -51,8 +51,9 @@ class sshrepository(repo.repository):
+ _serverquote(self.port))
+
+ if create:
+- cmd = '%s %s "%s init %s"'
+- cmd = cmd % (sshcmd, args, remotecmd, self.path)
++ cmd = '%s %s %s' % (sshcmd, args,
++ util.shellquote("%s init %s" %
++ (_serverquote(remotecmd), _serverquote(self.path))))
+
+ ui.note(_('running %s\n') % cmd)
+ res = util.system(cmd)
+@@ -68,8 +69,9 @@ class sshrepository(repo.repository):
+ # cleanup up previous run
+ self.cleanup()
+
+- cmd = '%s %s "%s -R %s serve --stdio"'
+- cmd = cmd % (sshcmd, args, remotecmd, self.path)
++ cmd = '%s %s %s' % (sshcmd, args,
++ util.shellquote("%s -R %s serve --stdio" %
++ (_serverquote(remotecmd), _serverquote(self.path))))
+
+ cmd = util.quotecommand(cmd)
+ ui.note(_('running %s\n') % cmd)
diff --git a/debian/patches/from_upstream__test_CVE-2014-930.patch b/debian/patches/from_upstream__test_CVE-2014-930.patch
new file mode 100644
index 0000000..3dc74cf
--- /dev/null
+++ b/debian/patches/from_upstream__test_CVE-2014-930.patch
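Review bot: The new `cmd = '%s %s %s' % (sshcmd, args, util.shellquote(...))` lines in both inner hunks apply two layers of quoting and nothing says why, so a later cleanup could easily drop one; a comment above each would pin it: `# _serverquote() protects the remote shell, shellquote() the local one`. Unlike CVE-2014-9390, which gets a build-time test in the same upload, this quoting fix has no test, so a regression check that a path or remotecmd containing shell metacharacters reaches the remote side literally would be worth porting alongside it. Whether `_serverquote` itself is complete cannot be judged from this hunk: it is defined by the earlier sshpeer patch that precedes this one in series, and only its call on `self.port` is visible in context. Both sshrepository methods continue outside the inner hunks.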
@@ -0,0 +1,89 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Fri, 29 May 2015 15:14:15 +0200
+Subject: from_upstream__test_CVE-2014-930
+
+---
+
+diff --git a/tests/test-CVE-2014-9390 b/tests/test-CVE-2014-9390
+new file mode 100755
+index 0000000..b62dbb1
+--- /dev/null
++++ b/tests/test-CVE-2014-9390
+@@ -0,0 +1,65 @@
++#!/bin/sh
++#
++# Tests for CVE-2014-9390
++
++PYTHON=python
++
++# Windows short names
++echo % Tests for CVE-2014-9390
++hg init test
++cd test
++
++echo foo > foo
++hg add foo
++HGEDITOR=true hg commit -m "foo"
++
++hg rollback
++cat > evil-commit.py <<EOF
++from mercurial import ui, hg, context, node
++notrc = "HG~1/hgrc"
++u = ui.ui()
++r = hg.repository(u, '.')
++def filectxfn(repo, memctx, path):
++ return context.memfilectx(path, '[hooks]\nupdate = echo owned')
++c = context.memctx(r, [r['tip'].node(), node.nullid],
++ 'evil', [notrc], filectxfn, 0)
++r.commitctx(c)
++EOF
++$PYTHON evil-commit.py
++hg co --clean tip
++
++hg rollback
++cat > evil-commit.py <<EOF
++from mercurial import ui, hg, context, node
++notrc = "HG8B6C~2/hgrc"
++u = ui.ui()
++r = hg.repository(u, '.')
++def filectxfn(repo, memctx, path):
++ return context.memfilectx(path, '[hooks]\nupdate = echo owned')
++c = context.memctx(r, [r['tip'].node(), node.nullid],
++ 'evil', [notrc], filectxfn, 0)
++r.commitctx(c)
++EOF
++$PYTHON evil-commit.py
++hg co --clean tip
++
++# Check for codepoints ignored on OS X
++cat > evil-commit.py <<EOF
++from mercurial import ui, hg, context, node
++notrc = u".h\u200cg".encode('utf-8') + '/hgrc'
++u = ui.ui()
++r = hg.repository(u, '.')
++def filectxfn(repo, memctx, path):
++ return context.memfilectx(path, '[hooks]\nupdate = echo owned')
++c = context.memctx(r, [r['tip'].node(), node.nullid],
++ 'evil', [notrc], filectxfn, 0)
++r.commitctx(c)
++EOF
++$PYTHON evil-commit.py
++hg co --clean tip
++
++cd ..
++rm -rf test
++exit 0
++
++
+diff --git a/tests/test-CVE-2014-9390.out b/tests/test-CVE-2014-9390.out
+new file mode 100644
+index 0000000..3004062
+--- /dev/null
++++ b/tests/test-CVE-2014-9390.out
+@@ -0,0 +1,6 @@
++% Tests for CVE-2014-9390
++rolling back to revision -1 (undo commit)
++abort: path contains illegal component: HG~1/hgrc
++rolling back to revision -1 (undo commit)
++abort: path contains illegal component: HG8B6C~2/hgrc
++abort: path contains illegal component: .hg/hgrc
diff --git a/debian/patches/series b/debian/patches/series
index 409ace8..14c5388 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,6 +8,8 @@ deb_specific__optional-dependencies
proposed_upstream__correct-zeroconf-doc
deb_specific__install-mo-fhs.patch
from_upstream__sshpeer_more_thorough_shell_quoting.patch
+from_upstream__sshpeer_even_more_thorough_shell_quoting.patch
from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
+from_upstream__test_CVE-2014-930.patch
diff --git a/debian/rules b/debian/rules
index 1aed5db..52986ea 100755
--- a/debian/rules
+++ b/debian/rules
@@ -11,6 +11,8 @@ override_dh_auto_build: $(PYVERS:%=build-python%)
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
# Tests are not yet ready to be run in Debian build context
#$(MAKE) tests
+ chmod a+x tests/test-CVE-2014-9390
+ make test-CVE-2014-9390
endif
# Do not start a line with a word with a dot in a manpage
sed -i -e 's,^[.]\(hgignore\|hg/hgrc\),\\fP\1,' doc/hg.1
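Review bot: The third evil commit (the `# Check for codepoints ignored on OS X` block) is not preceded by `hg rollback` like the first two, so the tip that `hg co --clean tip` audits still contains `HG8B6C~2/hgrc` as well, and the expected `abort: path contains illegal component: .hg/hgrc` line depends on which of the two paths the audit reaches first rather than on the HFS check alone. Insert `hg rollback` before that block and add a third `rolling back to revision -1 (undo commit)` line to test-CVE-2014-9390.out so each case is exercised in isolation. The patch file name, its Subject line, the series entry and the changelog entry all say `CVE-2014-930`, dropping a digit, while the test itself is `test-CVE-2014-9390`; renaming the patch to `from_upstream__test_CVE-2014-9390.patch` in the series and changelog hunks keeps them greppable by the real CVE id. A header comment naming the upstream test this was lifted from would also help the next backport, since this is presumably the legacy script-plus-.out form because this run-tests predates unified tests.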
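Review bot: `make test-CVE-2014-9390` in the debian/rules hunk calls make directly, while the surrounding file uses `$(MAKE)` (see the commented `#$(MAKE) tests` two lines above), so make's flags and jobserver do not propagate to the sub-make; prefer `$(MAKE) test-CVE-2014-9390`. The `chmod a+x tests/test-CVE-2014-9390` line is there presumably because quilt does not apply the `new file mode 100755` recorded in the patch, which deserves a comment so nobody removes it: `# quilt does not restore the executable bit recorded in the patch`. Whether mercurial 1.6.4's Makefile provides the `test-%` pattern rule this target relies on cannot be seen from the diff, so that is worth confirming against the source tree.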