Hi Alessandro,

On Sat, May 02, 2015 at 09:04:42AM +0100, Javi Merino wrote:
> On Fri, May 01, 2015 at 08:53:28PM +0200, Alessandro Ghedini wrote:
> > On Fri, May 01, 2015 at 07:16:07PM +0100, Javi Merino wrote:
> > > On Fri, Apr 24, 2015 at 01:21:56PM +0200, Moritz Muehlenhoff wrote:
> > > > Package: mercurial
> > > > Severity: important
> > > > Tags: security
> > > >
> > > > Please see
> > > > http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
> > > >
> > > > Fix:
> > > > http://selenic.com/hg/rev/e3f30068d2eb
[...] > > Also, the vulnerability seems to affect the wheezy version as well, could > > you > > please prepare an upload targeting wheezy-security as well? I've prepared an upload for wheezy-security, find the diff below. Can I upload it to security-master? Index: debian/changelog =================================================================== --- debian/changelog (revisión: 11643) +++ debian/changelog (copia de trabajo) @@ -1,3 +1,11 @@ +mercurial (2.2.2-4+deb7u1) wheezy-security; urgency=high + + * Fix "CVE-2014-9462" by adding patch + from_upstream__sshpeer_more_thorough_shell_quoting.patch (Closes: + #783237) + + -- Javi Merino <vi...@debian.org> Wed, 06 May 2015 08:09:26 +0100 + mercurial (2.2.2-4) stable; urgency=high * Security update for CVE-2014-9390: errors in handling case-sensitive Index: debian/patches/series =================================================================== --- debian/patches/series (revisión: 11643) +++ debian/patches/series (copia de trabajo) @@ -14,3 +14,4 @@ from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch +from_upstream__sshpeer_more_thorough_shell_quoting.patch Index: debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch =================================================================== --- debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch (revisión: 0) +++ debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch (revisión: 11901) 
@@ -0,0 +1,29 @@ +Origin: http://selenic.com/hg/rev/e3f30068d2eb +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783237 +Description: sshpeer: more thorough shell quoting + This fixes CVE-2014-9462 +Applied-Upstream: 3.2.4 + +--- a/mercurial/sshrepo.py ++++ b/mercurial/sshrepo.py +@@ -20,6 +20,8 @@ class remotelock(object): + self.release() + + def _serverquote(s): ++ if not s: ++ return s + '''quote a string for the remote shell ... which we assume is sh''' + if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s): + return s +@@ -44,7 +46,10 @@ class sshrepository(wireproto.wirereposi + sshcmd = self.ui.config("ui", "ssh", "ssh") + remotecmd = self.ui.config("ui", "remotecmd", "hg") + +- args = util.sshargs(sshcmd, self.host, self.user, self.port) ++ args = util.sshargs(sshcmd, ++ _serverquote(self.host), ++ _serverquote(self.user), ++ _serverquote(self.port)) + + if create: + cmd = '%s %s %s' % (sshcmd, args,
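Review bot: the debian/changelog hunk only names the patch file and puts the CVE id in quotes; say what CVE-2014-9462 is so the entry is useful without opening the patch, e.g. `* Fix CVE-2014-9462: quote host, user and port before building the ssh command line (shell command injection via crafted ssh:// URLs), from_upstream__sshpeer_more_thorough_shell_quoting.patch (Closes: #783237)`. The upstream changeset id (e3f30068d2eb) would also be worth a mention there since the DEP-3 header is the only place it appears.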
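Review bot: the DEP-3 header of from_upstream__sshpeer_more_thorough_shell_quoting.patch says `Description: sshpeer: more thorough shell quoting` while the hunks modify mercurial/sshrepo.py, so the upstream change was rebased onto the pre-rename file in 2.2.2; add a line to the Description saying it was backported to sshrepo.py so someone diffing against http://selenic.com/hg/rev/e3f30068d2eb does not take the file name difference for a mistake.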
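Review bot: in the `_serverquote` hunk the new `if not s: return s` lands above the function's docstring, so `'''quote a string for the remote shell ... which we assume is sh'''` stops being the docstring and becomes a dead string expression. The guard itself is needed (an unset port reaches `_serverquote` as None, and `re.match(..., None)` raises TypeError), but move it below the docstring; if you keep the placement for fidelity with the upstream changeset, say so in the DEP-3 header.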
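Review bot: the sshargs hunk quotes host, user and port, but the trailing context `cmd = '%s %s %s' % (sshcmd, args,` is cut off before the remote command; please confirm that remotecmd and self.path in that expression are also passed through `_serverquote` in the 2.2.2 code, since they are the remaining URL-controlled strings that end up on the remote shell's command line. One caveat worth a comment: `_serverquote` leaves strings matching `[a-zA-Z0-9@%_+=:,./-]*$` unquoted, and that class admits a leading `-`, so quoting does not stop ssh itself from treating a host or user beginning with `-` as an option; that is outside what this CVE fixes, but the allowlist should not be read as making the arguments safe in every respect.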