mercurial: Multiple vulnerabilities (CVE-2017-9462, CVE-2017-1000115, CVE-2017-1000116)
CVE-2017-9462: Python debugger accessible to authorized users
In Mercurial before 4.1.3, “hg serve --stdio” allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29
CVE-2017-1000115: Mercurial’s symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29
CVE-2017-1000116: Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand.
References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29
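CVE-2017-9462 and CVE-2017-1000116 are both option injection: a user-controlled value beginning with "-" reaches a command line as if it were an operand. The Python below is an added example, not Mercurial's own patch, showing the check a wrapper can apply before invoking ssh. `build_ssh_argv`, `reject_option_like` and `UnsafeArgument` are hypothetical names, the remote command shape is an assumption, and the check is generalized from the hostname to the username and repository path.

```python
import shlex
from urllib.parse import urlsplit, unquote


class UnsafeArgument(ValueError):
    """A URL component that ssh or hg could parse as an option."""


def reject_option_like(value, what):
    # A leading "-" makes the receiving program (ssh on the client,
    # hg on the server) treat the value as an option, not an operand.
    if not value or value.startswith("-"):
        raise UnsafeArgument("refusing %s %r" % (what, value))
    return value


def build_ssh_argv(url, ssh="ssh"):
    """Map ssh://[user@]host[:port]/path to an argv list (hypothetical helper)."""
    parts = urlsplit(url)
    if parts.scheme != "ssh":
        raise UnsafeArgument("not an ssh URL: %r" % url)
    # Percent-decode before checking so "%2D" cannot hide a leading "-".
    host = reject_option_like(unquote(parts.hostname or ""), "hostname")
    user = unquote(parts.username or "")
    if user:
        reject_option_like(user, "username")
    path = reject_option_like(unquote(parts.path[1:]), "repository path")
    argv = [ssh]
    if parts.port:
        argv += ["-p", str(parts.port)]
    # argv is a list meant for subprocess without shell=True, so only
    # the remote command string (an assumed shape) needs shell quoting.
    argv.append("%s@%s" % (user, host) if user else host)
    argv.append("hg -R %s serve --stdio" % shlex.quote(path))
    return argv


if __name__ == "__main__":
    # Constructed sample URLs; the second and third must be refused.
    for sample in ("ssh://hg@example.org:2222/repos/project",
                   "ssh://-oProxyCommand=placeholder/repo",
                   "ssh://example.org/--debugger"):
        try:
            print(build_ssh_argv(sample))
        except UnsafeArgument as exc:
            print("rejected:", exc)
```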
(from redmine: issue id 7691, created on 2017-08-15, closed on 2017-08-21)
- Relations:
- relates #7665 (closed)
- child #7692 (closed)
- child #7693 (closed)
- child #7694 (closed)
- child #7695 (closed)