On 11/08/2017 10:20 PM, Zhixiong Chi wrote: > * Upgrade to the latest release to fix some CVEs: > - CVE-2017-1000115: missing symlink check that can allow malicious repositories > to modify files outside the repository > - CVE-2017-1000116: did not adequately sanitize hostnames passed to ssh, > leading to possible shell-injection attacks. > > * For other changes please see: https://www.mercurial-scm.org/wiki/WhatsNew > > * Update SRC_URI with the new download link > > Signed-off-by: Zhixiong Chi <[email protected]> > --- > .../mercurial/files/mercurial-CVE-2017-9462.patch | 135 > --------------------- > .../mercurial/mercurial-native_4.0.1.bb | 28 ----- > .../mercurial/mercurial-native_4.4.1.bb | 27 +++++ 4.4 was already in the pipe line and is in master. If you still want 4.4.1, please rebase and resend
- armin > 3 files changed, 27 insertions(+), 163 deletions(-) > delete mode 100644 > meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch > delete mode 100644 > meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb > create mode 100644 > meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.1.bb >
> diff --git > a/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch > b/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch
> deleted file mode 100644
> index 3564661..0000000
> --- a/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch
> +++ /dev/null
> @@ -1,135 +0,0 @@
> -# HG changeset patch
> -# User Augie Fackler <[email protected]>
> -# Date 1492021435 25200
> -# Wed Apr 12 11:23:55 2017 -0700
> -# Branch stable
> -# Node ID 77eaf9539499a1b8be259ffe7ada787d07857f80
> -# Parent 68f263f52d2e3e2798b4f1e55cb665c6b043f93b
> -dispatch: protect against malicious 'hg serve --stdio' invocations (sec)
> -
> -Some shared-ssh installations assume that 'hg serve --stdio' is a safe
> -command to run for minimally trusted users. Unfortunately, the messy
> -implementation of argument parsing here meant that trying to access a
> -repo named '--debugger' would give the user a pdb prompt, thereby
> -sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S)
> -is unaffected.
> -
> -We're not currently hardening any subcommands other than 'serve'. If
> -your service exposes other commands to users with arbitrary repository
> -names, it is imperative that you defend against repository names of
> -'--debugger' and anything starting with '--config'.
> -
> -The read-only mode of hg-ssh stopped working because it provided its hook
> -configuration to "hg serve --stdio" via --config parameter. This is banned > for
> -security reasons now. This patch switches it to directly call ui.setconfig().
> -If your custom hosting infrastructure relies on passing --config to
> -"hg serve --stdio", you'll need to find a different way to get that > configuration
> -into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch,
> -or by placing an hgrc file someplace where Mercurial will read it.
> - > [email protected] provided some extra fixes for the dispatch code and
> -for hg-ssh in places that I overlooked.
> -
> -CVE: CVE-2017-9462
> -
> -Upstream-Status: Backport
> -
> -diff --git a/contrib/hg-ssh b/contrib/hg-ssh
> ---- a/contrib/hg-ssh
> -+++ b/contrib/hg-ssh
> -@@ -32,7 +32,7 @@
> - # enable importing on demand to reduce startup time
> - from mercurial import demandimport; demandimport.enable()
> -
> --from mercurial import dispatch
> -+from mercurial import dispatch, ui as uimod
> -
> - import sys, os, shlex
> -
> -@@ -61,14 +61,15 @@
> - repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))
> - if repo in allowed_paths:
> - cmd = ['-R', repo, 'serve', '--stdio']
> -+ req = dispatch.request(cmd)
> - if readonly:
> -- cmd += [
> -- '--config',
> -- 'hooks.pretxnopen.hg-ssh=python:__main__.rejectpush',
> -- '--config',
> -- 'hooks.prepushkey.hg-ssh=python:__main__.rejectpush'
> -- ]
> -- dispatch.dispatch(dispatch.request(cmd))
> -+ if not req.ui:
> -+ req.ui = uimod.ui.load()
> -+ req.ui.setconfig('hooks', 'pretxnopen.hg-ssh',
> -+ 'python:__main__.rejectpush', 'hg-ssh')
> -+ req.ui.setconfig('hooks', 'prepushkey.hg-ssh',
> -+ 'python:__main__.rejectpush', 'hg-ssh')
> -+ dispatch.dispatch(req)
> - else:
> - sys.stderr.write('Illegal repository "%s"\n' % repo)
> - sys.exit(255)
> -diff --git a/mercurial/dispatch.py b/mercurial/dispatch.py
> ---- a/mercurial/dispatch.py
> -+++ b/mercurial/dispatch.py
> -@@ -155,6 +155,37 @@
> - pass # happens if called in a thread
> -
> - def _runcatchfunc():
> -+ realcmd = None
> -+ try:
> -+ cmdargs = fancyopts.fancyopts(req.args[:], commands.globalopts, > {})
> -+ cmd = cmdargs[0]
> -+ aliases, entry = cmdutil.findcmd(cmd, commands.table, False)
> -+ realcmd = aliases[0]
> -+ except (error.UnknownCommand, error.AmbiguousCommand,
> -+ IndexError, getopt.GetoptError):
> -+ # Don't handle this here. We know the command is
> -+ # invalid, but all we're worried about for now is that
> -+ # it's not a command that server operators expect to
> -+ # be safe to offer to users in a sandbox.
> -+ pass
> -+ if realcmd == 'serve' and '--stdio' in cmdargs:
> -+ # We want to constrain 'hg serve --stdio' instances pretty
> -+ # closely, as many shared-ssh access tools want to grant
> -+ # access to run *only* 'hg -R $repo serve --stdio'. We
> -+ # restrict to exactly that set of arguments, and prohibit
> -+ # any repo name that starts with '--' to prevent
> -+ # shenanigans wherein a user does something like pass
> -+ # --debugger or --config=ui.debugger=1 as a repo
> -+ # name. This used to actually run the debugger.
> -+ if (len(req.args) != 4 or
> -+ req.args[0] != '-R' or
> -+ req.args[1].startswith('--') or
> -+ req.args[2] != 'serve' or
> -+ req.args[3] != '--stdio'):
> -+ raise error.Abort(
> -+ _('potentially unsafe serve --stdio invocation: %r') %
> -+ (req.args,))
> -+
> - try:
> - debugger = 'pdb'
> - debugtrace = {
> -diff --git a/tests/test-ssh.t b/tests/test-ssh.t
> ---- a/tests/test-ssh.t
> -+++ b/tests/test-ssh.t
> -@@ -357,6 +357,19 @@
> - abort: destination 'a repo' is not empty
> - [255]
> -
> -+Make sure hg is really paranoid in serve --stdio mode. It used to be
> -+possible to get a debugger REPL by specifying a repo named --debugger.
> -+ $ hg -R --debugger serve --stdio
> -+ abort: potentially unsafe serve --stdio invocation: ['-R', '--debugger', > 'serve', '--stdio']
> -+ [255]
> -+ $ hg -R --config=ui.debugger=yes serve --stdio
> -+ abort: potentially unsafe serve --stdio invocation: ['-R', > '--config=ui.debugger=yes', 'serve', '--stdio']
> -+ [255]
> -+Abbreviations of 'serve' also don't work, to avoid shenanigans.
> -+ $ hg -R narf serv --stdio
> -+ abort: potentially unsafe serve --stdio invocation: ['-R', 'narf', > 'serv', '--stdio']
> -+ [255]
> -+
> - Test hg-ssh using a helper script that will restore PYTHONPATH (which might
> -have been cleared by a hg.exe wrapper) and invoke hg-ssh with the right
> -parameters:
> diff --git a/meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb > b/meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb
> deleted file mode 100644
> index a08acd9..0000000
> --- a/meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb
> +++ /dev/null
> @@ -1,28 +0,0 @@
> -SUMMARY = "The Mercurial distributed SCM"
> -HOMEPAGE = "http://mercurial.selenic.com/"
> -SECTION = "console/utils"
> -LICENSE = "GPLv2"
> -LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
> -DEPENDS = "python-native"
> -
> -SRC_URI = "https://www.mercurial-scm.org/release/${BP}.tar.gz \
> - file://mercurial-CVE-2017-9462.patch \
> -"
> -SRC_URI[md5sum] = "22a9b1d7c0c06a53f0ae5b386d536d08"
> -SRC_URI[sha256sum] = > "6aa4ade93c1b5e11937820880a466ebf1c824086d443cd799fc46e2617250d40"
> -
> -S = "${WORKDIR}/mercurial-${PV}"
> -
> -inherit native
> -
> -EXTRA_OEMAKE = "STAGING_LIBDIR=${STAGING_LIBDIR} > STAGING_INCDIR=${STAGING_INCDIR} \
> - PREFIX=${prefix}"
> -
> -do_configure_append () {
> - sed -i -e > 's:PYTHON=python:PYTHON=${STAGING_BINDIR_NATIVE}/python-native/python:g' > ${S}/Makefile
> -}
> -
> -do_install () {
> - oe_runmake -e install-bin DESTDIR=${D} PREFIX=${prefix}
> -}
> -
> diff --git a/meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.1.bb > b/meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.1.bb
> new file mode 100644
> index 0000000..db2f3c4
> --- /dev/null
> +++ b/meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.1.bb
> @@ -0,0 +1,27 @@
> +SUMMARY = "The Mercurial distributed SCM"
> +HOMEPAGE = "http://mercurial.selenic.com/"
> +SECTION = "console/utils"
> +LICENSE = "GPLv2"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
> +DEPENDS = "python-native"
> +
> +SRC_URI = "https://www.mercurial-scm.org/release/${BP}.tar.gz \
> +"
> +SRC_URI[md5sum] = "37974a416d1d9525e1375c92025b16d9"
> +SRC_URI[sha256sum] = > "8f2a5512d6cc2ffb08988aef639330a2f0378e4ac3ee0e1fbbdb64d9fff56246"
> +
> +S = "${WORKDIR}/mercurial-${PV}"
> +
> +inherit native
> +
> +EXTRA_OEMAKE = "STAGING_LIBDIR=${STAGING_LIBDIR} > STAGING_INCDIR=${STAGING_INCDIR} \
> + PREFIX=${prefix}"
> +
> +do_configure_append () {
> + sed -i -e > 's:PYTHON=python:PYTHON=${STAGING_BINDIR_NATIVE}/python-native/python:g' > ${S}/Makefile
> +}
> +
> +do_install () {
> + oe_runmake -e install-bin DESTDIR=${D} PREFIX=${prefix}
> +}
> + -- _______________________________________________ Openembedded-devel mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-devel
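Review bot: `HOMEPAGE = "http://mercurial.selenic.com/"` in the new 4.4.1 recipe is a stale cleartext URL carried over unchanged from the deleted 4.0.1 recipe, while SRC_URI further down the same hunk already fetches from https://www.mercurial-scm.org; it should read `HOMEPAGE = "https://www.mercurial-scm.org/"`. The description's "Update SRC_URI with the new download link" does not match this hunk either: the tarball URL is byte-identical to the 4.0.1 recipe, and the real change is that `file://mercurial-CVE-2017-9462.patch` is no longer applied. Because that backport (the 'hg serve --stdio' argument hardening) is dropped, the commit message should say explicitly that 4.4.1 is expected to carry the upstream fix for CVE-2017-9462 — the patch header dates it to April 2017, so this is plausible but not shown here and should be confirmed against the upstream release notes, otherwise cve-check and later reviewers cannot tell whether the deletion regressed that fix.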
