stable

mercurial-3.5.2-1.fc23

FEDORA-2016-b7f1f8e3bf created by kiilerix 8 years ago for Fedora 23

Security fix for CVE-2016-3630, CVE-2016-3068, CVE-2016-3069 and minor upgrade

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2016-b7f1f8e3bf

This update has been submitted for testing by kiilerix.

8 years ago

This update has been pushed to testing.

8 years ago
filiperosset commented & provided feedback 8 years ago
karma

no regressions noted

anonymous commented & provided feedback 8 years ago

Running

`hg clone https://selenic.com/repo/hg/; cd hg/tests/; python2 run-tests.py --with-hg=/usr/bin/hg test-revlog.t test-subrepo-git.t test-convert-git.t`

with mercurial-3.5.1-1.fc23.x86_64 installed results in output ultimately saying

--- /dev/shm/hg/tests/test-subrepo-git.t
+++ /dev/shm/hg/tests/test-subrepo-git.t.err
[...]
@@ -1147,7 +1148,11 @@
   $ cd ..
   $ env -u GIT_ALLOW_PROTOCOL hg clone malicious-subrepository malicious-subrepository-protected
   Cloning into '$TESTTMP/tc/malicious-subrepository-protected/s'...
-  fatal: transport 'ext' not allowed
+  pwned
+  fatal: Could not read from remote repository.
+  
+  Please make sure you have the correct access rights
+  and the repository exists.
   updating to branch default
   cloning subrepo s from ext::sh -c echo% pwned% >&2
   abort: git clone error 128 in s (in subrepo s)
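Review bot: the `+  pwned` line shows the `ext::sh -c` subrepo source was passed through to git and run as a shell command, whereas the expected `-  fatal: transport 'ext' not allowed` line is the guard the fix for CVE-2016-3068 (BZ#1322266, code execution with Git subrepos) is meant to produce even with `GIT_ALLOW_PROTOCOL` unset in the environment; this diff is the signature of the unfixed package rather than a flaky test, so it should be gone on the build under review.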
--- /dev/shm/hg/tests/test-convert-git.t
+++ /dev/shm/hg/tests/test-convert-git.t.err
[...]
@@ -743,6 +744,6 @@
   sorting...
   converting...
   0 empty
-  updating bookmarks
+  abort: cannot read tags from `echo pwned >COMMAND-INJECTION`/.git
+  [255]
   $ test -f COMMAND-INJECTION
-  [1]
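Review bot: the removed `-  [1]` after `$ test -f COMMAND-INJECTION` means the file named inside the backticked repository path was actually created, i.e. the path reached a shell unquoted, and the `abort: cannot read tags from ...` line is the symptom of the same thing; this matches CVE-2016-3069 (BZ#1322267, code execution when converting Git repos) and is the failure the update must make disappear, so it is worth confirming the result came from the 3.5.2 package rather than 3.5.1.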

ERROR: test-convert-git.t output changed
!*** Error in `/usr/bin/python': free(): invalid next size (fast): 0x00005589786ce930 ***
======= Backtrace: =========
[...]
--- /dev/shm/hg/tests/test-revlog.t
+++ /dev/shm/hg/tests/test-revlog.t.err
@@ -12,4 +12,4 @@
        0         0      19     -1       2 99e0332bd498 000000000000 000000000000
        1        19      12      0       3 6674f57a23d8 99e0332bd498 000000000000
   $ hg debugdata a.i 1 2>&1 | grep decoded
-  mpatch.mpatchError: patch cannot be decoded
+  [1]
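Review bot: the `free(): invalid next size` abort from python just above this hunk, together with the expected `mpatch.mpatchError: patch cannot be decoded` line giving way to a bare `[1]`, indicates the malformed delta was not rejected by the decoder and corrupted the heap instead; that is the CVE-2016-3630 case (BZ#1322264, binary delta decoding) and the most important of the three to re-check on the final build, since a clean `mpatchError` is the only acceptable outcome.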

Repeating the above with mercurial-3.5.1-1.fc23.x86_64 installed still fails two of the tests but there's no glibc backtrace and it looks like the failures are due to changes in git/mercurial:

--- /dev/shm/hg/tests/test-subrepo-git.t
+++ /dev/shm/hg/tests/test-subrepo-git.t.err
@@ -879,10 +879,10 @@
   $ echo 'bloop' > s/foobar
   $ hg revert --all --verbose --config 'ui.origbackuppath=.hg/origbackups'
   reverting subrepo ../gitroot
-  creating directory: $TESTTMP/tc/.hg/origbackups (glob)
-  saving current version of foobar as $TESTTMP/tc/.hg/origbackups/foobar.orig (glob)
+  saving current version of foobar as foobar.orig
   $ ls .hg/origbackups
-  foobar.orig
+  ls: cannot access .hg/origbackups: No such file or directory
+  [2]
   $ rm -rf .hg/origbackups

 show file at specific revision
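Review bot: this failure is test/version skew rather than a regression: `--config 'ui.origbackuppath=.hg/origbackups'` is ignored and the backup lands at `foobar.orig`, so the tests cloned from the hg tip expect an option the installed 3.5.x package does not implement; nothing here touches the three CVEs and it can be disregarded for this advisory, as the commenter concludes.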
@@ -949,6 +949,7 @@
   A s/cpp.cpp
   A s/snake.python
   ? s/barfoo
+  ? s/foobar.orig
   $ hg revert s
   reverting subrepo ../gitroot


ERROR: test-subrepo-git.t output changed
!
--- /dev/shm/hg/tests/test-convert-git.t
+++ /dev/shm/hg/tests/test-convert-git.t.err
@@ -657,6 +657,8 @@
   $ hg convert -q git-repo6 no-submodules --config convert.git.skipsubmodules=True
   $ hg -R no-submodules manifest --all
   .gitmodules-renamed
+  .hgsub
+  .hgsubstate

 convert using a different remote prefix
   $ git init git-repo7
@@ -701,7 +703,6 @@
   updating bookmarks
   $ hg -R hg-repo7 bookmarks
      master                    0:03bf38caa4c6
-     origin/master             0:03bf38caa4c6

 damaged git repository tests:
 In case the hard-coded hashes change, the following commands can be used to
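Review bot: the missing `origin/master` bookmark here, like the extra `.hgsub` and `.hgsubstate` manifest entries in the previous hunk, is a difference in convert output between the hg tip the tests came from and the packaged 3.5.x version, not anything tied to the CVEs; checking out the tests at the tag matching the installed package would give a clean comparison and avoid this noise when validating security updates.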

ERROR: test-convert-git.t output changed
!.

Cloning a 500MByte repo I had to hand seemed to produce correct results.

karma: +1

BZ#1322268 CVE-2016-3630 CVE-2016-3068 CVE-2016-3069 mercurial: various flaws [fedora-all]
BZ#1322267 CVE-2016-3069 mercurial: arbitrary code execution when converting Git repos
BZ#1322266 CVE-2016-3068 mercurial: arbitrary code execution with Git subrepos
BZ#1322264 CVE-2016-3630 mercurial: remote code execution in binary delta decoding
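The subrepo and convert failures in the test output above come from a git transport (`ext::`) and a shell-interpreted repository name reaching git unchecked. As an added example (not mercurial's own code and not part of this update), the following Python audits a `.hgsub` file for git subrepos whose transport is outside an allowlist and builds the `GIT_ALLOW_PROTOCOL` environment that git honours to refuse such transports; the allowlist and the sample `.hgsub` are this example's own constructions.

```python
import re

# Allowlist is this example's own choice, not the value mercurial's fix uses.
SAFE_GIT_TRANSPORTS = ("file", "git", "http", "https", "ssh")
_KIND_RE = re.compile(r"^\[(\w+)\](.*)$")  # "[git]source" marks the subrepo kind

def git_transport(source):
    """Name a git remote's transport the way GIT_ALLOW_PROTOCOL refers to it."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*)::", source)
    if m:                                  # remote-helper form, e.g. ext::cmd
        return m.group(1).lower()
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*)://", source)
    if m:                                  # URL form, e.g. https://host/repo
        return m.group(1).lower()
    if re.match(r"^[^/]+:", source):       # scp-like host:path goes over ssh
        return "ssh"
    return "file"                          # plain local path

def parse_hgsub(text):
    """Return (path, kind, source) for each entry in .hgsub content."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        path, source = (part.strip() for part in line.split("=", 1))
        kind, m = "hg", _KIND_RE.match(source)
        if m:
            kind, source = m.group(1), m.group(2).strip()
        entries.append((path, kind, source))
    return entries

def audit_hgsub(text, allowed=SAFE_GIT_TRANSPORTS):
    """Git subrepos using a transport outside the allowlist: (path, transport, source)."""
    return [(path, git_transport(src), src)
            for path, kind, src in parse_hgsub(text)
            if kind == "git" and git_transport(src) not in allowed]

def git_env(base, allowed=SAFE_GIT_TRANSPORTS):
    """Copy of an environment that limits git to the allowlisted transports."""
    env = dict(base)
    env["GIT_ALLOW_PROTOCOL"] = ":".join(allowed)
    return env

# Constructed sample; the first entry mirrors the malicious subrepository in the test.
SAMPLE_HGSUB = ("s = [git]ext::sh -c echo% pwned% >&2\n"
                "lib = [git]https://example.invalid/lib.git\n"
                "vendor = [git]git@example.invalid:vendor.git\n"
                "docs = ../docs\n")
```

Running `audit_hgsub(SAMPLE_HGSUB)` flags only the `s` entry with transport `ext`; passing `git_env(os.environ)` to a git subprocess makes git itself refuse that transport regardless of what the audit saw.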
kiilerix commented & provided feedback 8 years ago

anonymous: This update is for mercurial-3.5.2-1. You talk about mercurial-3.5.1-1.

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

8 years ago

This update has been submitted for stable by kiilerix.

8 years ago
anonymous commented & provided feedback 8 years ago

@kiilerix - sorry, that should have said mercurial-3.5.2-2 the second time around (otherwise there would have been no difference in the results).

This update has been pushed to stable.

8 years ago


Metadata
Type: security
Severity: high
Karma: 1
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: disabled
Dates
submitted: 8 years ago
in testing: 8 years ago
in stable: 8 years ago