tags 500781 + patch
thanks

Hi Vincent,
* Vincent Danjean <[EMAIL PROTECTED]> [2008-10-03 12:15]:
> Steffen Joeris wrote:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for mercurial.
> >
> > CVE-2008-4297[0]:
> > | Mercurial before 1.0.2 does not enforce the allowpull permission
> > | setting for a pull operation from hgweb, which allows remote attackers
> > | to read arbitrary files from a repository via an "hg pull" request.
> >
> > I am not sure about the severity of this issue, could you please
> > investigate it?
>
> I saw it when mercurial 1.0.2 was published. But I did not find any
> specific changeset linked to this issue. If anyone (co-maintainer, user, ...)
> can point me to the changeset, I can prepare a patch with it. I can also
> package the whole 1.0.2 (I was waiting for the lenny release to do it: RM
> told me they would probably not accept this update without strong reasons
> [1]).
> But, I'm sorry to tell that I will not have enough free time now to
> look more closely at this issue and to search into the mercurial development
> tree for a few weeks (too much real work for now).
Attached is a patch for an NMU which fixes the issue. This is upstream changeset
6630:8542fac26f63. It is also archived on:
http://people.debian.org/~nion/nmu-diff/mercurial-1.0.1-5_1.0.1-5.1.patch

Feel free to upload yourself if you have the time.

I also checked the diff between 1.0.1 and 1.0.2; 6630:8542fac26f63 is included
in 1.0.2, however there is an additional changeset which is not
(6779:d3147b4e3e8a) which centralizes the permission handling so not every
command has to care about this themselves.

Testing my patch with a repository that has allowpull = false seems to work fine:

  hg clone http://bone/cgi-bin/hgwebdir.cgi/test
  destination directory: test
  requesting all changes
  abort: HTTP Error 500: Internal Server Error

Of course the error message could be better...

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u mercurial-1.0.1/debian/changelog mercurial-1.0.1/debian/changelog --- mercurial-1.0.1/debian/changelog +++ mercurial-1.0.1/debian/changelog @@ -1,3 +1,11 @@ +mercurial (1.0.1-5.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Honor allowpull configuration setting from hgrc on a repository clone to + prevent information disclosure (CVE-2008-4297; Closes: #500781). + + -- Nico Golde <[EMAIL PROTECTED]> Fri, 03 Oct 2008 16:25:13 +0200 + mercurial (1.0.1-5) unstable; urgency=low * Fix debian/copyright (GPL-2 only and not GPL-2+) (Closes: #493967) diff -u mercurial-1.0.1/debian/patches/series mercurial-1.0.1/debian/patches/series --- mercurial-1.0.1/debian/patches/series +++ mercurial-1.0.1/debian/patches/series @@ -1,3 +1,4 @@ +CVE-2008-4297 proposed_upstream__python-module-not-script.patch proposed_upstream__extension_syntax.patch deb_specific__FAQ_subst.patch only in patch2: unchanged: --- mercurial-1.0.1.orig/debian/patches/CVE-2008-4297 +++ mercurial-1.0.1/debian/patches/CVE-2008-4297 @@ -0,0 +1,12 @@ +Index: mercurial-1.0.1/mercurial/hgweb/protocol.py +=================================================================== +--- mercurial-1.0.1.orig/mercurial/hgweb/protocol.py 2008-10-03 16:24:51.000000000 +0200 ++++ mercurial-1.0.1/mercurial/hgweb/protocol.py 2008-10-03 16:25:01.000000000 +0200 +@@ -224,5 +224,7 @@ + os.unlink(tempname) + + def stream_out(web, req): ++ if not web.allowpull: ++ return + req.respond(HTTP_OK, HGTYPE) + streamclone.stream_out(web.repo, req, untrusted=True)
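Review bot: the changelog entry says the setting is honored "on a repository clone", but the only guard added by the patch below is in stream_out, the protocol command that serves streaming clones (the hunk ends in streamclone.stream_out(web.repo, req, untrusted=True)); naming stream_out in the entry would make it clear which request path this NMU covers and that the per-command approach is intentionally narrower than the centralized handling of 6779:d3147b4e3e8a mentioned in the mail.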
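Review bot: in the stream_out hunk the new `if not web.allowpull: return` leaves the function before `req.respond(HTTP_OK, HGTYPE)` is ever called, so no status or headers are written for the denied request; that is consistent with the "HTTP Error 500: Internal Server Error" the test clone in the mail reports. The data is withheld, which is the point, but a denied pull should be answered with an explicit response (a status the client can report as a permission problem, or at least an empty HGTYPE body after the respond call) rather than by dropping the request, so that a 500 in the server logs is not mistaken for a server fault; the centralizing changeset the mail mentions is the natural place for that once it is backported.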
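As an added illustration of the two shapes discussed in the mail above (the per-command allowpull check the NMU patch puts into stream_out, and a single central permission check of the kind the later upstream changeset introduces), here is a small Python model. It is not Mercurial's code: the Request and Web classes, the capabilities handler, the HTTP status numbers and the repository contents are constructed stand-ins. It shows why a bare return before req.respond() surfaces to the client as HTTP 500, and how a central check can refuse with an explicit status while still serving commands that disclose nothing.

```python
# Constructed example, not Mercurial's code. Models an hgweb-style protocol
# dispatcher in two forms: per-command allowpull checks (the shape of the NMU
# patch) and a central check in the dispatcher (the idea of the later upstream
# change). All class, function and status names here are hypothetical.

HTTP_OK = 200
HTTP_UNAUTHORIZED = 401
HTTP_NOT_FOUND = 404
HTTP_SERVER_ERROR = 500


class Request:
    """Stand-in for hgweb's request object: remembers what respond() set."""

    def __init__(self, cmd):
        self.cmd = cmd
        self.status = None
        self.body = b""

    def respond(self, status, body=b""):
        self.status = status
        self.body = body


class Web:
    """Stand-in for the hgweb object: repository contents plus the allowpull flag."""

    def __init__(self, allowpull, files):
        self.allowpull = allowpull
        self.files = files  # constructed repository contents, name -> bytes


def stream_out(web, req):
    """Streams every file in the repository. Unguarded: the pre-patch shape."""
    req.respond(HTTP_OK, b"".join(web.files.values()))


def stream_out_patched(web, req):
    """The NMU's shape: return early, before any respond() call, when pulls are off."""
    if not web.allowpull:
        return
    stream_out(web, req)


def capabilities(web, req):
    """A harmless command that discloses nothing from the repository."""
    req.respond(HTTP_OK, b"stream")


def wsgi_finish(req):
    """Models the server layer: a handler that never responded yields a 500."""
    if req.status is None:
        req.respond(HTTP_SERVER_ERROR, b"handler sent no response")
    return req


def serve_per_command(web, cmd):
    """Dispatch with the permission check left inside each handler."""
    handlers = {"stream_out": stream_out_patched, "capabilities": capabilities}
    req = Request(cmd)
    handlers[cmd](web, req)
    return wsgi_finish(req)


# Commands that read repository contents and therefore need allowpull.
PULL_COMMANDS = frozenset({"stream_out"})
HANDLERS = {"stream_out": stream_out, "capabilities": capabilities}


def serve_central(web, cmd):
    """Dispatch with one permission check for every data-reading command."""
    req = Request(cmd)
    handler = HANDLERS.get(cmd)
    if handler is None:
        req.respond(HTTP_NOT_FOUND, b"unknown command")
    elif cmd in PULL_COMMANDS and not web.allowpull:
        # explicit denial instead of a bare return: the client sees 401, not 500
        req.respond(HTTP_UNAUTHORIZED, b"pull not authorized")
    else:
        handler(web, req)
    return wsgi_finish(req)


if __name__ == "__main__":
    repo = Web(allowpull=False, files={"secret.txt": b"top secret\n"})
    print(serve_per_command(repo, "stream_out").status)  # 500
    print(serve_central(repo, "stream_out").status)      # 401
```

Both dispatchers keep the repository contents out of the response when allowpull is off; the difference is that the central form answers with a status the client can report as a permission error, and new data-reading commands only need an entry in PULL_COMMANDS rather than their own guard.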