DevHeads.net

mercurial CVEs - plan for f25 and f26 updates

Mercurial's symlink auditing was incomplete prior to 4.3, and could be
abused to write to files outside the repository.

CVE-2017-1000116:

Mercurial was not sanitizing hostnames passed to ssh, allowing shell
injection attacks by specifying a hostname starting with -oProxyCommand.

Currently we have:

         hg       thg
f25      3.8.1    3.8.3 (f24)
f26      4.2      4.2.1

Mercurial upstream has provided fixed versions 4.3 and 4.2.3.

I propose that for f26 we update hg to 4.2.3, together with thg 4.2.3
(currently the latest is 4.2.2).

I propose for f25 to similarly update hg and thg to 4.2.3

Another package that requires mercurial and may be affected is hg-git.

Thoughts?
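The two CVEs in the opening post describe missing checks rather than a complex bug: an ssh hostname that begins with "-" is parsed by ssh as an option, and a repository path audit that does not follow symlinks lets a write land outside the repository. The following is an added defensive example, not Mercurial's or Fedora's code; the function names, the constructed hostnames and the temporary-directory layout are this example's own assumptions.

```python
"""Added example (not Mercurial's code): the two checks whose absence the
thread's CVEs describe, written from the defender's side.  All names here
are this example's own."""
import os
import tempfile


def ssh_argv(host: str, command: str) -> list:
    """Build an ssh argv for *host* without letting the host act as an option.

    ssh parses its argv with getopt, so a "hostname" beginning with "-" is
    consumed as an option (the -oProxyCommand case from the thread).  The
    check refuses such values outright, and "--" is placed before the host
    so ssh stops option parsing even if a future caller skips the check.
    """
    if not host or host.startswith("-"):
        raise ValueError("refusing ssh hostname that looks like an option: %r" % host)
    return ["ssh", "--", host, command]


def path_inside_repo(repo_root: str, rel_path: str) -> bool:
    """Return True only if writing *rel_path* would land inside *repo_root*.

    Both the root and the candidate target are fully resolved (symlinks in
    every component included) before comparison, so a symlinked directory
    that points outside the repository fails the check, as do "../" and
    absolute paths.
    """
    root = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root, rel_path))
    return target == root or target.startswith(root + os.sep)


def demo_symlink_escape() -> tuple:
    """Constructed scenario: a repo whose 'link' entry points outside it.

    Returns (plain path accepted, path through the escaping symlink accepted);
    a correct audit yields (True, False).
    """
    with tempfile.TemporaryDirectory() as base:
        repo = os.path.join(base, "repo")
        outside = os.path.join(base, "outside")
        os.makedirs(repo)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(repo, "link"))
        return (path_inside_repo(repo, "docs/README"),
                path_inside_repo(repo, "link/README"))


if __name__ == "__main__":
    print(ssh_argv("hg.example.invalid", "hg -R repo serve --stdio"))
    print(demo_symlink_escape())
```

The ordering matters in `path_inside_repo`: resolving the root as well as the target keeps the comparison honest on systems where the repository itself lives under a symlinked directory, and comparing against `root + os.sep` avoids accepting a sibling directory whose name merely shares the root as a prefix.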

Comments

Re: mercurial CVEs - plan for f25 and f26 updates

By =?ISO-8859-2?Q?... at 08/14/2017 - 08:01

Hi Neal,
I missed that you wrote already here as I was working on fixes for
these CVEs for RHEL. I have pushed updates for F25+ already into the dist-git
(builds are pending for testing now). Except thg, which was completely
outside of my scope.

Just info for others:
hg for F26+ is rebased to v4.2.3
F25 contains a backported patch

On 10.8.2017 20:30, Neal Becker wrote:
The hg-git shouldn't be affected by changes from 4.2.1 to 4.2.3.
(It is broken for mercurial-4.3+, but some patches are already prepared in upstream.)

Re: mercurial CVEs - plan for f25 and f26 updates

By Todd Zullinger at 08/10/2017 - 17:03

Neal Becker wrote:
For curious parties, git and subversion are also similarly vulnerable.
I have git builds in progress for f25, f26, and rawhide now.

I also forwarded the git announcement to the Red Hat security team.
They likely already know, but I don't see any tracker bugs in bugzilla
yet (for git's CVE anyway, CVE-2017-1000117).