mercurial CVEs - plan for f25 and f26 updates

Mercurial's symlink auditing was incomplete prior to 4.3, and could be
abused to write to files outside the repository.


Mercurial was not sanitizing hostnames passed to ssh, allowing shell
injection attacks by specifying a hostname starting with -oProxyCommand.

Currently we have:

hg thg
f25 3.8.1 3.8.3(f24)
f26 4.2 4.2.1

Mercurial upstream has provided fixed versions 4.3 and 4.2.3.

I propose that for f26 we update hg to 4.2.3, and together with thg 4.2.3
(currently latest is 4.2.2)

I propose for f25 to similarly update hg and thg to 4.2.3

Another package that requires mercurial and may be affected is hg-git.



Re: mercurial CVEs - plan for f25 and f26 updates

By =?ISO-8859-2?Q?... at 08/14/2017 - 09:01

Hi Neal,
I missed that you wrote already here as I was working on fixes for
these CVEs for RHEL. I have pushed updates for F25+ already into the dist-git
(builds are pending for testing now). Except thg, which was completely
outside of my scope.

Just info for others:
hg for F26+ is rebased to v4.2.3
F25 contains backported patch

On 10.8.2017 20:30, Neal Becker wrote:
The hg-git shouldn't be affected by changes from 4.2.1 to 4.2.3.
(It is broken for mercurial-4.3+, but some patches are already prepared in upstream.)

Re: mercurial CVEs - plan for f25 and f26 updates

By Todd Zullinger at 08/10/2017 - 18:03

Neal Becker wrote:
For curious parties, git and subversion are also similarly vulnerable.
I have git builds in progress for f25, f26, and rawhide now.

I also forwarded the git announcement to the Red Hat security team.
They likely already know, but I don't see any tracker bugs in bugzilla
yet (for git's CVE anyway, CVE-2017-1000117).