[Python-apps-team] Bug#783237: CVE-2014-9462

Javi Merino vicho at debian.org
Wed May 6 07:26:47 UTC 2015


Hi Alessandro,

On Sat, May 02, 2015 at 09:04:42AM +0100, Javi Merino wrote:
> On Fri, May 01, 2015 at 08:53:28PM +0200, Alessandro Ghedini wrote:
> > On Fri, May 01, 2015 at 07:16:07PM +0100, Javi Merino wrote:
> > > On Fri, Apr 24, 2015 at 01:21:56PM +0200, Moritz Muehlenhoff wrote:
> > > > Package: mercurial
> > > > Severity: important
> > > > Tags: security
> > > > 
> > > > Please see
> > > > http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
> > > > 
> > > > Fix:
> > > > http://selenic.com/hg/rev/e3f30068d2eb

[...]

> > Also, the vulnerability seems to affect the wheezy version as well, could you
> > please prepare an upload targeting wheezy-security as well?

I've prepared an upload for wheezy-security, find the diff below.  Can
I upload it to security-master?

Index: debian/changelog
===================================================================
--- debian/changelog	(revision: 11643)
+++ debian/changelog	(working copy)
@@ -1,3 +1,11 @@
+mercurial (2.2.2-4+deb7u1) wheezy-security; urgency=high
+
+  * Fix "CVE-2014-9462" by adding patch
+    from_upstream__sshpeer_more_thorough_shell_quoting.patch (Closes:
+    #783237)
+
+ -- Javi Merino <vicho at debian.org>  Wed, 06 May 2015 08:09:26 +0100
+
 mercurial (2.2.2-4) stable; urgency=high
 
   * Security update for CVE-2014-9390: errors in handling case-sensitive
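Review bot: the entry's first line, `* Fix "CVE-2014-9462" by adding patch`, names the CVE but says nothing about what it is, so anyone reading the wheezy-security changelog (or the DSA text derived from it) has to open the patch to learn that this is a shell command injection in the ssh peer through unquoted host/user/port values. Suggest dropping the quotes around the CVE id and leading with a one-line summary, e.g. `* CVE-2014-9462: shell command injection via crafted ssh:// repository URLs;` followed by the patch name and the `(Closes: #783237)`, matching the style of the 2.2.2-4 entry below it.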
Index: debian/patches/series
===================================================================
--- debian/patches/series	(revision: 11643)
+++ debian/patches/series	(working copy)
@@ -14,3 +14,4 @@
 from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
 from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
 from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
+from_upstream__sshpeer_more_thorough_shell_quoting.patch
Index: debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch
===================================================================
--- debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch	(revision: 0)
+++ debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch	(revision: 11901)
@@ -0,0 +1,29 @@
+Origin: http://selenic.com/hg/rev/e3f30068d2eb
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783237
+Description: sshpeer: more thorough shell quoting
+ This fixes CVE-2014-9462
+Applied-Upstream: 3.2.4
+
+--- a/mercurial/sshrepo.py
++++ b/mercurial/sshrepo.py
+@@ -20,6 +20,8 @@ class remotelock(object):
+             self.release()
+ 
+ def _serverquote(s):
++    if not s:
++        return s
+     '''quote a string for the remote shell ... which we assume is sh'''
+     if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s):
+         return s
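Review bot: the two inserted lines `if not s:` / `return s` are placed above the docstring `'''quote a string for the remote shell ... which we assume is sh'''`, which demotes that docstring to an inert string expression, since Python only treats the first statement of a function body as its docstring. The early return itself is needed: an unset user or port (None) must be passed straight through rather than handed to `re.match`, which would raise TypeError. As the Origin line says this is a verbatim backport of upstream e3f30068d2eb, keeping it identical to upstream is defensible, but the guard would read better below the docstring, or with a short comment saying the pass-through of empty/None values is intentional.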
+@@ -44,7 +46,10 @@ class sshrepository(wireproto.wirereposi
+         sshcmd = self.ui.config("ui", "ssh", "ssh")
+         remotecmd = self.ui.config("ui", "remotecmd", "hg")
+ 
+-        args = util.sshargs(sshcmd, self.host, self.user, self.port)
++        args = util.sshargs(sshcmd,
++                            _serverquote(self.host),
++                            _serverquote(self.user),
++                            _serverquote(self.port))
+ 
+         if create:
+             cmd = '%s %s %s' % (sshcmd, args,
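Review bot: with this hunk `_serverquote` now covers host, user and port, but its safe-set regex `[a-zA-Z0-9@%_+=:,./-]*$` still passes through any value that begins with `-`, so such a host string reaches `sshcmd` unquoted and could be taken by ssh as an option rather than a hostname. That is beyond what the upstream fix for this CVE sets out to address and the backported hunk matches upstream line for line, so it is not a blocker for this upload, but it is worth noting for the security team rather than implying the ssh peer is now fully hardened against hostile URLs.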