Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
mercurial in wheezy is affected by CVE-2014-9390[0] (Errors in handling case-sensitive directories allow for remote code execution on pull). The security team says that few users are affected, since it only affects you if you are running on a case-sensitive filesystem. They say it should go through stable-proposed-updates. Upstream has said that three patches[1] need to be backported to fix it. I've done that for wheezy and prepared an upload; see the attached debdiff against the current version in wheezy, 2.2.2-3.

[0] https://security-tracker.debian.org/tracker/CVE-2014-9390
[1] http://selenic.com/pipermail/mercurial-packaging/2014-December/000133.html

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru mercurial-2.2.2/debian/changelog mercurial-2.2.2/debian/changelog
--- mercurial-2.2.2/debian/changelog 2013-02-23 20:53:41.000000000 +0100
+++ mercurial-2.2.2/debian/changelog 2014-12-23 12:42:25.000000000 +0100
@@ -1,3 +1,10 @@
+mercurial (2.2.2-4) stable; urgency=high
+
+ * Security update for CVE-2014-9390: errors in handling case-sensitive
+ directories allow for remote code execution on pull.
+
+ -- Javi Merino <vi...@debian.org> Tue, 23 Dec 2014 12:42:20 +0100
+
 mercurial (2.2.2-3) unstable; urgency=low
 * Fix "Backport improvement to vimdiff configuration" by adding
diff -Nru mercurial-2.2.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch mercurial-2.2.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
--- mercurial-2.2.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch 1970-01-01 01:00:00.000000000 +0100
+++ mercurial-2.2.2/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch 2014-12-23 10:33:58.000000000 +0100
@@ -0,0 +1,43 @@
+Origin: http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
+Description: encoding: add hfsignoreclean to clean out HFS-ignored characters
+ According to Apple Technote 1150 (unavailable from Apple as far as I
+ can tell, but archived in several places online), HFS+ ignores sixteen
+ specific unicode runes when doing path normalization. We need to
+ handle those cases, so this function lets us efficiently strip the
+ offending characters from a UTF-8 encoded string (which is the only
+ way it seems to matter on OS X.)
+ .
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/mercurial/encoding.py
++++ b/mercurial/encoding.py
+@@ -8,6 +8,28 @@
+ import error
+ import unicodedata, locale, os
+ 
++# These unicode characters are ignored by HFS+ (Apple Technote 1150,
++# "Unicode Subtleties"), so we need to ignore them in some places for
++# sanity.
++_ignore = [unichr(int(x, 16)).encode("utf-8") for x in
++ "200c 200d 200e 200f 202a 202b 202c 202d 202e "
++ "206a 206b 206c 206d 206e 206f feff".split()]
++# verify the next function will work
++assert set([i[0] for i in _ignore]) == set(["\xe2", "\xef"])
++
++def hfsignoreclean(s):
++ """Remove codepoints ignored by HFS+ from s.
++
++ >>> hfsignoreclean(u'.h\u200cg'.encode('utf-8'))
++ '.hg'
++ >>> hfsignoreclean(u'.h\ufeffg'.encode('utf-8'))
++ '.hg'
++ """
++ if "\xe2" in s or "\xef" in s:
++ for c in _ignore:
++ s = s.replace(c, '')
++ return s
++
+ def _getpreferredencoding():
+ '''
+ On darwin, getpreferredencoding ignores the locale environment and
diff -Nru mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
--- mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch 1970-01-01 01:00:00.000000000 +0100
+++ mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch 2014-12-23 10:33:58.000000000 +0100
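Review bot: The docstring of `hfsignoreclean` does not state the precondition its fast path depends on: the `"\xe2" in s or "\xef" in s` test only works because every entry of `_ignore` is the UTF-8 encoding of an ignored code point, so `s` has to be a UTF-8 byte string — the patch Description says so, the code does not. I would extend the docstring with `s must be a UTF-8 encoded byte string; the "\xe2"/"\xef" lead-byte test is a fast path that must stay in sync with _ignore.` The import-time `assert` that checks exactly this relationship is skipped under `python -O`, so the comment above it, `# verify the next function will work`, could say that it is a development-time check only. The patch is a straight backport (Origin and Applied-Upstream are given), so this is a remark on the upstream code rather than on the packaging.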
@@ -0,0 +1,59 @@
+Origin: http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
+Description: pathauditor: check for codepoints ignored on OS X
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/tests/test-commit.t
++++ b/tests/test-commit.t
+@@ -216,7 +216,23 @@ subdir log
+ summary: commit-foo-subdir
+ 
+ $ cd ..
+- $ cd ..
++
++verify pathauditor blocks evil filepaths
++ $ cat > evil-commit.py <<EOF
++ > from mercurial import ui, hg, context, node
++ > notrc = u".h\u200cg".encode('utf-8') + '/hgrc'
++ > u = ui.ui()
++ > r = hg.repository(u, '.')
++ > def filectxfn(repo, memctx, path):
++ > return context.memfilectx(path, '[hooks]\nupdate = echo owned')
++ > c = context.memctx(r, [r['tip'].node(), node.nullid],
++ > 'evil', [notrc], filectxfn, 0)
++ > r.commitctx(c)
++ > EOF
++ $ $PYTHON evil-commit.py
++ $ hg co --clean tip
++ abort: path contains illegal component: .h\xe2\x80\x8cg/hgrc (esc)
++ [255]
+ 
+ Issue1049: Hg permits partial commit of merge without warning
+ 
+--- a/mercurial/scmutil.py
++++ b/mercurial/scmutil.py
+@@ -10,6 +10,9 @@ import util, error, osutil, revset, simi
+ import match as matchmod
+ import os, errno, re, stat, sys, glob
+ 
++def _lowerclean(s):
++ return encoding.hfsignoreclean(s.lower())
++
+ def nochangesfound(ui, secretlist=None):
+ '''report no changes for push/pull'''
+ if secretlist:
+@@ -102,11 +105,11 @@ class pathauditor(object):
+ raise util.Abort(_("path ends in directory separator: %s") % path)
+ parts = util.splitpath(path)
+ if (os.path.splitdrive(path)[0]
+- or parts[0].lower() in ('.hg', '.hg.', '')
++ or _lowerclean(parts[0]) in ('.hg', '.hg.', '')
+ or os.pardir in parts):
+ raise util.Abort(_("path contains illegal component: %s") % path)
+- if '.hg' in path.lower():
+- lparts = [p.lower() for p in parts]
++ if '.hg' in _lowerclean(path):
++ lparts = [_lowerclean(p.lower()) for p in parts]
+ for p in '.hg', '.hg.':
+ if p in lparts[1:]:
+ pos = lparts.index(p)
diff -Nru 
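Review bot: `_lowerclean` calls `encoding.hfsignoreclean`, but the context of the `@@ -10,6 +10,9 @@` hunk is cut off at `revset, simi`, so it is not visible here whether `encoding` is among scmutil.py's imports in 2.2.2; if it is not, `_lowerclean(parts[0])` raises NameError on the first audited path and every checkout fails — caught quickly, but worth confirming against the 2.2.2 file, since upstream rev c02a05cc6f5e was written for the 3.2.3 code base. A minor point of style in the last hunk: `lparts = [_lowerclean(p.lower()) for p in parts]` lowercases twice, because `_lowerclean` already calls `s.lower()`; `lparts = [_lowerclean(p) for p in parts]` is equivalent. The enclosing pathauditor method starts and ends outside the hunk.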
mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
--- mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch 1970-01-01 01:00:00.000000000 +0100
+++ mercurial-2.2.2/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch 2014-12-23 10:33:58.000000000 +0100
@@ -0,0 +1,66 @@
+Origin: http://selenic.com/repo/hg-stable/rev/6dad422ecc5a
+Description: pathauditor: check for Windows shortname aliases
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/tests/test-commit.t
++++ b/tests/test-commit.t
+@@ -234,6 +234,42 @@ verify pathauditor blocks evil filepaths
+ abort: path contains illegal component: .h\xe2\x80\x8cg/hgrc (esc)
+ [255]
+ 
++ $ hg rollback -f
++ repository tip rolled back to revision 1 (undo commit)
++ $ cat > evil-commit.py <<EOF
++ > from mercurial import ui, hg, context, node
++ > notrc = "HG~1/hgrc"
++ > u = ui.ui()
++ > r = hg.repository(u, '.')
++ > def filectxfn(repo, memctx, path):
++ > return context.memfilectx(path, '[hooks]\nupdate = echo owned')
++ > c = context.memctx(r, [r['tip'].node(), node.nullid],
++ > 'evil', [notrc], filectxfn, 0)
++ > r.commitctx(c)
++ > EOF
++ $ $PYTHON evil-commit.py
++ $ hg co --clean tip
++ abort: path contains illegal component: HG~1/hgrc
++ [255]
++
++ $ hg rollback -f
++ repository tip rolled back to revision 1 (undo commit)
++ $ cat > evil-commit.py <<EOF
++ > from mercurial import ui, hg, context, node
++ > notrc = "HG8B6C~2/hgrc"
++ > u = ui.ui()
++ > r = hg.repository(u, '.')
++ > def filectxfn(repo, memctx, path):
++ > return context.memfilectx(path, '[hooks]\nupdate = echo owned')
++ > c = context.memctx(r, [r['tip'].node(), node.nullid],
++ > 'evil', [notrc], filectxfn, 0)
++ > r.commitctx(c)
++ > EOF
++ $ $PYTHON evil-commit.py
++ $ hg co --clean tip
++ abort: path contains illegal component: HG8B6C~2/hgrc
++ [255]
++
+ Issue1049: Hg permits partial commit of merge without warning
+ 
+ $ cd ..
+--- a/mercurial/scmutil.py
++++ b/mercurial/scmutil.py
+@@ -108,6 +108,13 @@ class pathauditor(object):
+ or _lowerclean(parts[0]) in ('.hg', '.hg.', '')
+ or os.pardir in parts):
+ raise util.Abort(_("path contains illegal component: %s") % path)
++ # Windows shortname aliases
++ for p in parts:
++ if "~" in p:
++ first, last = p.split("~", 1)
++ if last.isdigit() and first.upper() in ["HG", "HG8B6C"]:
++ raise util.Abort(_("path contains illegal component: %s")
++ % path)
+ if '.hg' in _lowerclean(path):
+ lparts = [_lowerclean(p.lower()) for p in parts]
+ for p in '.hg', '.hg.':
diff -Nru mercurial-2.2.2/debian/patches/series mercurial-2.2.2/debian/patches/series
--- mercurial-2.2.2/debian/patches/series 2013-02-23 20:31:52.000000000 +0100
+++ mercurial-2.2.2/debian/patches/series 2014-12-23 10:33:58.000000000 +0100
@@ -11,3 +11,6 @@
 from_upstream__set_vimdiff_to_check_changed.patch
 from_upstream__mergetools_vimdiff_issue_warning.patch
 from_upstream__mergetools_refine_vimdiff_warning_message.patch
+from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
+from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
+from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
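Review bot: The constant `"HG8B6C"` in the new shortname loop carries no explanation, so a maintainer reading `first.upper() in ["HG", "HG8B6C"]` cannot tell why that string and no other is rejected; the one-line comment `# Windows shortname aliases` should say what the two forms are, e.g. `# ".hg" is also reachable through its Windows 8.3 short names: HG~N and the hash-suffixed form HG8B6C~N, both exercised in test-commit.t`. The hunk itself only shows the two test inputs, so confirm against the upstream commit message that HG8B6C is the hash-suffixed alias Windows generates for .hg before stating it as fact. As a point of style the membership test could use a tuple, `first.upper() in ("HG", "HG8B6C")`. The enclosing pathauditor method starts and ends outside the hunk; the series hunk that shares this line is a trivial list update.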