Bug#783237: CVE-2014-9462

2015-05-06 Thread Javi Merino
Hi Alessandro,

On Sat, May 02, 2015 at 09:04:42AM +0100, Javi Merino wrote:
 On Fri, May 01, 2015 at 08:53:28PM +0200, Alessandro Ghedini wrote:
  On Fri, May 01, 2015 at 07:16:07PM +0100, Javi Merino wrote:
   On Fri, Apr 24, 2015 at 01:21:56PM +0200, Moritz Muehlenhoff wrote:
Package: mercurial
Severity: important
Tags: security

Please see
http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html

Fix:
http://selenic.com/hg/rev/e3f30068d2eb

[...]

  Also, the vulnerability seems to affect the wheezy version as well, could you
  please prepare an upload targeting wheezy-security as well?

I've prepared an upload for wheezy-security, find the diff below.  Can
I upload it to security-master?

Index: debian/changelog
===
--- debian/changelog(revisión: 11643)
+++ debian/changelog(copia de trabajo)
@@ -1,3 +1,11 @@
+mercurial (2.2.2-4+deb7u1) wheezy-security; urgency=high
+
+  * Fix CVE-2014-9462 by adding patch
+from_upstream__sshpeer_more_thorough_shell_quoting.patch (Closes:
+#783237)
+
+ -- Javi Merino vi...@debian.org  Wed, 06 May 2015 08:09:26 +0100
+
 mercurial (2.2.2-4) stable; urgency=high
 
   * Security update for CVE-2014-9390: errors in handling case-sensitive
Index: debian/patches/series
===
--- debian/patches/series   (revisión: 11643)
+++ debian/patches/series   (copia de trabajo)
@@ -14,3 +14,4 @@
 
from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
 from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
 from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
+from_upstream__sshpeer_more_thorough_shell_quoting.patch
Index: debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch
===
--- debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch 
(revisión: 0)
+++ debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch 
(revisión: 11901)
@@ -0,0 +1,29 @@
+Origin: http://selenic.com/hg/rev/e3f30068d2eb
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783237
+Description: sshpeer: more thorough shell quoting
+ This fixes CVE-2014-9462
+Applied-Upstream: 3.2.4
+
+--- a/mercurial/sshrepo.py
 b/mercurial/sshrepo.py
+@@ -20,6 +20,8 @@ class remotelock(object):
+ self.release()
+ 
+ def _serverquote(s):
++if not s:
++return s
+ '''quote a string for the remote shell ... which we assume is sh'''
+ if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s):
+ return s
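Review bot: the two added lines land between `def _serverquote(s):` and its docstring, so after this patch `'''quote a string for the remote shell ... which we assume is sh'''` is no longer the function's docstring but a bare string expression sitting after a `return`. Move `if not s: return s` below the docstring line. The guard itself should stay: it returns None and '' untouched, and the second hunk now feeds self.user and self.port, which are presumably optional, into a `re.match` that would raise on None.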
+@@ -44,7 +46,10 @@ class sshrepository(wireproto.wirereposi
+ sshcmd = self.ui.config(ui, ssh, ssh)
+ remotecmd = self.ui.config(ui, remotecmd, hg)
+ 
+-args = util.sshargs(sshcmd, self.host, self.user, self.port)
++args = util.sshargs(sshcmd,
++_serverquote(self.host),
++_serverquote(self.user),
++_serverquote(self.port))
+ 
+ if create:
+ cmd = '%s %s %s' % (sshcmd, args,
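Review bot: quoting host, user and port before util.sshargs splices them into `cmd = '%s %s %s' % (sshcmd, args, ...)` closes the shell-metacharacter path, but it does not constrain option-shaped values. The character class in _serverquote passes '-', '=' and '.' unquoted, so a host such as `-oSomething=value` (illustrative) reaches the command line verbatim, and even a quoted value is still a separate argv element once the shell strips the quotes. Whether ssh would read it as an option depends on how util.sshargs orders its arguments, which is outside this hunk; the patch description should say the fix is scoped to shell quoting so nobody assumes the URL fields are otherwise validated.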


signature.asc
Description: Digital signature


Bug#783237: CVE-2014-9462

2015-05-06 Thread Sébastien Delafond
On May/06, Javi Merino wrote:
 I've prepared an upload for wheezy-security, find the diff below.  Can
 I upload it to security-master?

It looks fine to me. This one will need -sa as well.

Cheers,

--Seb


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#783237: CVE-2014-9462

2015-05-02 Thread Javi Merino
On Fri, May 01, 2015 at 08:53:28PM +0200, Alessandro Ghedini wrote:
 On Fri, May 01, 2015 at 07:16:07PM +0100, Javi Merino wrote:
  On Fri, Apr 24, 2015 at 01:21:56PM +0200, Moritz Muehlenhoff wrote:
   Package: mercurial
   Severity: important
   Tags: security
   
   Please see
   http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
   
   Fix:
   http://selenic.com/hg/rev/e3f30068d2eb
  
  I've prepared a fix for this, find the diff attached.  Can I upload it
  to stable-security?
 
  Index: debian/changelog
  ===
  --- debian/changelog(revisión: 11645)
  +++ debian/changelog(copia de trabajo)
  @@ -1,3 +1,11 @@
  +mercurial (3.1.2-2+deb8u1) stable-security; urgency=high
 
 Please use jessie-security instead of stable-security.

Ok

 Otherwise the upload looks good. Once the above is fixed you can go ahead and
 upload to security-master. Remember to build the package with full upstream
 sources (dpkg-buildpackage -sa), since this would be the first upload to
 jessie-security for mercurial.

Uploaded with full upstream sources.

 Also, the vulnerability seems to affect the wheezy version as well, could you
 please prepare an upload targeting wheezy-security as well?

Sure, I'll do that soon.  Cheers,
Javi


signature.asc
Description: Digital signature


Bug#783237: CVE-2014-9462

2015-05-01 Thread Alessandro Ghedini
On Fri, May 01, 2015 at 07:16:07PM +0100, Javi Merino wrote:
 On Fri, Apr 24, 2015 at 01:21:56PM +0200, Moritz Muehlenhoff wrote:
  Package: mercurial
  Severity: important
  Tags: security
  
  Please see
  http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
  
  Fix:
  http://selenic.com/hg/rev/e3f30068d2eb
 
 I've prepared a fix for this, find the diff attached.  Can I upload it
 to stable-security?

 Index: debian/changelog
 ===
 --- debian/changelog  (revisión: 11645)
 +++ debian/changelog  (copia de trabajo)
 @@ -1,3 +1,11 @@
 +mercurial (3.1.2-2+deb8u1) stable-security; urgency=high

Please use jessie-security instead of stable-security.

Otherwise the upload looks good. Once the above is fixed you can go ahead and
upload to security-master. Remember to build the package with full upstream
sources (dpkg-buildpackage -sa), since this would be the first upload to
jessie-security for mercurial.

Also, the vulnerability seems to affect the wheezy version as well, could you
please prepare an upload targeting wheezy-security as well?

Thanks for your help.

Cheers


signature.asc
Description: Digital signature


Bug#783237: CVE-2014-9462

2015-05-01 Thread Javi Merino
On Fri, Apr 24, 2015 at 01:21:56PM +0200, Moritz Muehlenhoff wrote:
 Package: mercurial
 Severity: important
 Tags: security
 
 Please see
 http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
 
 Fix:
 http://selenic.com/hg/rev/e3f30068d2eb

I've prepared a fix for this, find the diff attached.  Can I upload it
to stable-security?

Cheers,
Javi
Index: debian/changelog
===
--- debian/changelog	(revisión: 11645)
+++ debian/changelog	(copia de trabajo)
@@ -1,3 +1,11 @@
+mercurial (3.1.2-2+deb8u1) stable-security; urgency=high
+
+  * Fix CVE-2014-9462 by adding patch
+from_upstream__sshpeer_more_thorough_shell_quoting.patch
+(Closes: #783237)
+
+ -- Javi Merino vi...@debian.org  Fri, 01 May 2015 19:14:56 +0100
+
 mercurial (3.1.2-2) unstable; urgency=high
 
   * Fix CVE-2014-9390: Errors in handling case-sensitive directories
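Review bot: the distribution field on the new changelog entry reads stable-security; security uploads target the codename suite, so this should be jessie-security (urgency=high and the Closes: #783237 reference are fine as they are). As this would be mercurial's first upload to that suite, build with dpkg-buildpackage -sa so the orig tarball goes along.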
Index: debian/patches/series
===
--- debian/patches/series	(revisión: 11645)
+++ debian/patches/series	(copia de trabajo)
@@ -12,3 +12,4 @@
 from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
 from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
 from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
+from_upstream__sshpeer_more_thorough_shell_quoting.patch
Index: debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch
===
--- debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch	(revisión: 0)
+++ debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch	(revisión: 11887)
@@ -0,0 +1,31 @@
+Origin: http://selenic.com/hg/rev/e3f30068d2eb
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783237
+Description: sshpeer: more thorough shell quoting
+ This fixes CVE-2014-9462
+Applied-Upstream: 3.2.4
+
+diff --git a/mercurial/sshpeer.py b/mercurial/sshpeer.py
+--- a/mercurial/sshpeer.py
 b/mercurial/sshpeer.py
+@@ -20,6 +20,8 @@ class remotelock(object):
+ self.release()
+ 
+ def _serverquote(s):
++if not s:
++return s
+ '''quote a string for the remote shell ... which we assume is sh'''
+ if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s):
+ return s
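Review bot: the early return is inserted ahead of the docstring, leaving `'''quote a string for the remote shell ... which we assume is sh'''` stranded as a plain expression statement after `return s`; put the `if not s:` check after the docstring instead. Functionally the guard is what keeps the next hunk from raising TypeError on a None user or port, so keep it, just relocate it.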
+@@ -45,7 +47,10 @@ class sshpeer(wireproto.wirepeer):
+ sshcmd = self.ui.config(ui, ssh, ssh)
+ remotecmd = self.ui.config(ui, remotecmd, hg)
+ 
+-args = util.sshargs(sshcmd, self.host, self.user, self.port)
++args = util.sshargs(sshcmd,
++_serverquote(self.host),
++_serverquote(self.user),
++_serverquote(self.port))
+ 
+ if create:
+ cmd = '%s %s %s' % (sshcmd, args,
+
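Review bot: the docstring describes _serverquote as quoting "for the remote shell", but here it is applied to host, user and port, which go into the local command string `cmd = '%s %s %s' % (sshcmd, args, ...)`, i.e. the shell that launches ssh; an updated docstring or a comment at the call site would stop the next reader from assuming the remote side is what is being protected. Also worth stating in the patch header what the quoting does not cover: '-' is in the unquoted character class, so a host that looks like an ssh option is passed through unchanged and ends up in ssh's argv either way. Rejecting a hostname that starts with '-' would need a separate check, not more quoting.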


signature.asc
Description: Digital signature
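The quoting the patch adds, exercised as an added example that is not Mercurial's code and not from this thread: a stand-in for the command-line assembly in sshpeer, plus a POSIX-style tokenizer that shows which simple commands the local shell would run before and after the fix, and a check for the one case quoting does not cover (a host that looks like an ssh option). The regex character class is copied from the hunk; the final return line of _serverquote, the shape of util.sshargs, the use of sh to run the string, and the attacker-controlled host values are all assumptions or constructed inputs. Requires Python 3.8 or later for shlex's punctuation handling.

```python
import re
import shlex

# Character class copied from the _serverquote hunk; everything else in this
# file is an added stand-in, not Mercurial's code.
SAFE_RE = re.compile('[a-zA-Z0-9@%_+=:,./-]*$')


def serverquote(s):
    """Quote s for a POSIX sh. None and '' pass through untouched, as in the
    patched _serverquote. The last line is not in the hunk and is assumed to
    be the usual single-quote escape."""
    if not s:
        return s
    if SAFE_RE.match(s):
        return s
    return "'%s'" % s.replace("'", "'\\''")


def sshargs(host, user, port):
    """Simplified stand-in for util.sshargs (assumption): user@host with an
    optional -p port in front."""
    args = "%s@%s" % (user, host) if user else host
    if port:
        args = "-p %s %s" % (port, args)
    return args


def ssh_command(host, user=None, port=None, path="repo", quote=serverquote):
    """Assemble the local command line the way sshpeer does. quote=serverquote
    is the fixed code path; quote=lambda s: s reproduces the pre-fix one."""
    sshcmd, remotecmd = "ssh", "hg"
    args = sshargs(quote(host), quote(user), quote(port))
    remote = serverquote("%s -R %s serve --stdio" % (remotecmd, path))
    return "%s %s %s" % (sshcmd, args, remote)


SEPARATORS = {";", ";;", "|", "||", "&", "&&", "|&", "(", ")"}


def shell_commands(cmd):
    """Tokenize cmd like a POSIX shell (Python 3.8+ for punctuation_chars to
    respect whitespace_split) and split it into the simple commands the shell
    would run. Metacharacters inside quotes stay part of the word."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def option_smuggled(argv):
    """True if the ssh argv carries a '-'-prefixed word the code did not add
    itself (only the -p flag and its value are expected)."""
    i = 1
    while i < len(argv) - 1:  # argv[-1] is the remote command string
        if argv[i] == "-p":
            i += 2
            continue
        if argv[i].startswith("-"):
            return True
        i += 1
    return False


if __name__ == "__main__":
    evil_host = "host;echo INJECTED"  # constructed attacker-controlled value
    for label, quote in (("pre-fix", lambda s: s), ("post-fix", serverquote)):
        cmd = ssh_command(evil_host, quote=quote)
        print("%s command: %s" % (label, cmd))
        print("  shell would run: %s" % shell_commands(cmd))
    # '-' is in the safe class, so an option-shaped host is passed through
    # unchanged even after the fix and ends up in ssh's argv.
    cmd = ssh_command("-oProxyCommand=id")
    print("option-shaped host: %s -> option smuggled: %s"
          % (cmd, option_smuggled(shell_commands(cmd)[0])))
```

Run as a script it prints the pre-fix line split into two shell commands (`ssh host` followed by `echo INJECTED ...`) and the post-fix line as a single `ssh` invocation with the whole crafted host as one argument; the last line shows that the fixed quoting still hands an option-shaped host to ssh unchanged, which is the caveat noted against the second hunk.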


Bug#783237: CVE-2014-9462

2015-04-24 Thread Moritz Muehlenhoff
Package: mercurial
Severity: important
Tags: security

Please see
http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html

Fix:
http://selenic.com/hg/rev/e3f30068d2eb

Cheers,
Moritz


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org