Bug#783237: CVE-2014-9462
Hi Alessandro,

On Sat, May 02, 2015 at 09:04:42AM +0100, Javi Merino wrote:
> On Fri, May 01, 2015 at 08:53:28PM +0200, Alessandro Ghedini wrote:
> > On Fri, May 01, 2015 at 07:16:07PM +0100, Javi Merino wrote:
> > > On Fri, Apr 24, 2015 at 01:21:56PM +0200, Moritz Muehlenhoff wrote:
> > > > Package: mercurial
> > > > Severity: important
> > > > Tags: security
> > > >
> > > > Please see http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
> > > > Fix: http://selenic.com/hg/rev/e3f30068d2eb
>
> [...]
>
> > Also, the vulnerability seems to affect the wheezy version as well, could
> > you please prepare an upload targeting wheezy-security as well?

I've prepared an upload for wheezy-security, find the diff below. Can I upload it to security-master?

Index: debian/changelog === --- debian/changelog(revisión: 11643) +++ debian/changelog(copia de trabajo) @@ -1,3 +1,11 @@ +mercurial (2.2.2-4+deb7u1) wheezy-security; urgency=high + + * Fix CVE-2014-9462 by adding patch +from_upstream__sshpeer_more_thorough_shell_quoting.patch (Closes: +#783237) + + -- Javi Merino vi...@debian.org Wed, 06 May 2015 08:09:26 +0100 + mercurial (2.2.2-4) stable; urgency=high * Security update for CVE-2014-9390: errors in handling case-sensitive Index: debian/patches/series === --- debian/patches/series (revisión: 11643) +++ debian/patches/series (copia de trabajo) @@ -14,3 +14,4 @@ from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch +from_upstream__sshpeer_more_thorough_shell_quoting.patch Index: debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch === --- debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch (revisión: 0) +++ debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch (revisión: 11901)
@@ -0,0 +1,29 @@ +Origin: http://selenic.com/hg/rev/e3f30068d2eb +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783237 +Description: sshpeer: more thorough shell quoting + This fixes CVE-2014-9462 +Applied-Upstream: 3.2.4 + +--- a/mercurial/sshrepo.py b/mercurial/sshrepo.py +@@ -20,6 +20,8 @@ class remotelock(object): + self.release() + + def _serverquote(s): ++if not s: ++return s + '''quote a string for the remote shell ... which we assume is sh''' + if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s): + return s +@@ -44,7 +46,10 @@ class sshrepository(wireproto.wirereposi + sshcmd = self.ui.config(ui, ssh, ssh) + remotecmd = self.ui.config(ui, remotecmd, hg) + +-args = util.sshargs(sshcmd, self.host, self.user, self.port) ++args = util.sshargs(sshcmd, ++_serverquote(self.host), ++_serverquote(self.user), ++_serverquote(self.port)) + + if create: + cmd = '%s %s %s' % (sshcmd, args,
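Review bot: in the _serverquote hunk the new guard lines (if not s: / return s) are inserted above the function's docstring, so the string '''quote a string for the remote shell ... which we assume is sh''' stops being a docstring and becomes a dead expression statement; move the two guard lines below it. The guard itself belongs in the patch: once the second hunk routes self.user and self.port through _serverquote, an unset user or port (None) would otherwise reach re.match and raise instead of being passed through unchanged.

Review bot: the util.sshargs hunk quotes host, user and port at the single point where they are interpolated into the sh command line, which is the right place, but the backport carries no test at all. A small check that a value containing a character outside the allowed class [a-zA-Z0-9@%_+=:,./-] (a space or a single quote, for instance) comes back quoted, and that an empty value comes back unchanged per the new guard, would make the wheezy rebuild verifiable. Note also that the patch header still reads "Description: sshpeer: more thorough shell quoting" while this backport touches mercurial/sshrepo.py, the file name used by 2.2.2; a one-line remark in the header that the path was adjusted for the older tree would save the next maintainer a lookup.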
Bug#783237: CVE-2014-9462
On May/06, Javi Merino wrote:
> I've prepared an upload for wheezy-security, find the diff below. Can I
> upload it to security-master?

It looks fine to me. This one will need -sa as well.

Cheers,
--Seb

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#783237: CVE-2014-9462
On Fri, May 01, 2015 at 08:53:28PM +0200, Alessandro Ghedini wrote:
> On Fri, May 01, 2015 at 07:16:07PM +0100, Javi Merino wrote:
> > On Fri, Apr 24, 2015 at 01:21:56PM +0200, Moritz Muehlenhoff wrote:
> > > Package: mercurial
> > > Severity: important
> > > Tags: security
> > >
> > > Please see http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
> > > Fix: http://selenic.com/hg/rev/e3f30068d2eb
> >
> > I've prepared a fix for this, find the diff attached. Can I upload it to stable-security?
> >
> > Index: debian/changelog === --- debian/changelog(revisión: 11645) +++ debian/changelog(copia de trabajo) @@ -1,3 +1,11 @@ +mercurial (3.1.2-2+deb8u1) stable-security; urgency=high
>
> Please use jessie-security instead of stable-security.

Ok

> Otherwise the upload looks good. Once the above is fixed you can go ahead and upload to security-master. Remember to build the package with full upstream sources (dpkg-buildpackage -sa), since this would be the first upload to jessie-security for mercurial.

Uploaded with full upstream sources.

> Also, the vulnerability seems to affect the wheezy version as well, could you please prepare an upload targeting wheezy-security as well?

Sure, I'll do that soon.

Cheers,
Javi
Bug#783237: CVE-2014-9462
On Fri, May 01, 2015 at 07:16:07PM +0100, Javi Merino wrote:
> On Fri, Apr 24, 2015 at 01:21:56PM +0200, Moritz Muehlenhoff wrote:
> > Package: mercurial
> > Severity: important
> > Tags: security
> >
> > Please see http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
> > Fix: http://selenic.com/hg/rev/e3f30068d2eb
>
> I've prepared a fix for this, find the diff attached. Can I upload it to stable-security?
>
> Index: debian/changelog === --- debian/changelog (revisión: 11645) +++ debian/changelog (copia de trabajo) @@ -1,3 +1,11 @@ +mercurial (3.1.2-2+deb8u1) stable-security; urgency=high

Please use jessie-security instead of stable-security.

Otherwise the upload looks good. Once the above is fixed you can go ahead and upload to security-master. Remember to build the package with full upstream sources (dpkg-buildpackage -sa), since this would be the first upload to jessie-security for mercurial.

Also, the vulnerability seems to affect the wheezy version as well, could you please prepare an upload targeting wheezy-security as well?

Thanks for your help.

Cheers
Bug#783237: CVE-2014-9462
On Fri, Apr 24, 2015 at 01:21:56PM +0200, Moritz Muehlenhoff wrote:
> Package: mercurial
> Severity: important
> Tags: security
>
> Please see http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
> Fix: http://selenic.com/hg/rev/e3f30068d2eb

I've prepared a fix for this, find the diff attached. Can I upload it to stable-security?

Cheers,
Javi

Index: debian/changelog === --- debian/changelog (revisión: 11645) +++ debian/changelog (copia de trabajo) @@ -1,3 +1,11 @@ +mercurial (3.1.2-2+deb8u1) stable-security; urgency=high + + * Fix CVE-2014-9462 by adding patch +from_upstream__sshpeer_more_thorough_shell_quoting.patch +(Closes: #783237) + + -- Javi Merino vi...@debian.org Fri, 01 May 2015 19:14:56 +0100 + mercurial (3.1.2-2) unstable; urgency=high * Fix CVE-2014-9390: Errors in handling case-sensitive directories Index: debian/patches/series === --- debian/patches/series (revisión: 11645) +++ debian/patches/series (copia de trabajo) @@ -12,3 +12,4 @@ from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch +from_upstream__sshpeer_more_thorough_shell_quoting.patch Index: debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch === --- debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch (revisión: 0) +++ debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch (revisión: 11887)
@@ -0,0 +1,31 @@ +Origin: http://selenic.com/hg/rev/e3f30068d2eb +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783237 +Description: sshpeer: more thorough shell quoting + This fixes CVE-2014-9462 +Applied-Upstream: 3.2.4 + +diff --git a/mercurial/sshpeer.py b/mercurial/sshpeer.py +--- a/mercurial/sshpeer.py b/mercurial/sshpeer.py +@@ -20,6 +20,8 @@ class remotelock(object): + self.release() + + def _serverquote(s): ++if not s: ++return s + '''quote a string for the remote shell ... which we assume is sh''' + if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s): + return s +@@ -45,7 +47,10 @@ class sshpeer(wireproto.wirepeer): + sshcmd = self.ui.config(ui, ssh, ssh) + remotecmd = self.ui.config(ui, remotecmd, hg) + +-args = util.sshargs(sshcmd, self.host, self.user, self.port) ++args = util.sshargs(sshcmd, ++_serverquote(self.host), ++_serverquote(self.user), ++_serverquote(self.port)) + + if create: + cmd = '%s %s %s' % (sshcmd, args, +
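Review bot: the debian/changelog hunk targets stable-security, but the security archive expects the codename suite, so the distribution field should read jessie-security (Alessandro raises the same point in his reply). Since this is the first mercurial upload to jessie-security, the build also has to include the full upstream source (dpkg-buildpackage -sa), otherwise the upload will be rejected for a missing orig tarball.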
Bug#783237: CVE-2014-9462
Package: mercurial
Severity: important
Tags: security

Please see http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
Fix: http://selenic.com/hg/rev/e3f30068d2eb

Cheers,
Moritz