Commit 87765f5b authored by Leo's avatar Leo Committed by Natanael Copa

main/mercurial: fix CVE-2019-32902

Fixes alpine/aports#10376
parent 1e378edc
......@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mercurial
pkgver=4.5.2
pkgrel=0
pkgrel=1
pkgdesc="A scalable distributed SCM tool"
url="https://www.mercurial-scm.org/"
arch="all"
......@@ -14,10 +14,14 @@ subpackages="
$pkgname-vim:vim:noarch
$pkgname-zsh-completion:zshcomp:noarch
$pkgname-bash-completion:bashcomp:noarch"
source="https://www.mercurial-scm.org/release/$pkgname-$pkgver.tar.gz"
source="https://www.mercurial-scm.org/release/$pkgname-$pkgver.tar.gz
CVE-2019-3902.patch
"
builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
# 4.5.2-r1:
# - CVE-2019-3902
# 4.5.2-r0:
# - CVE-2018-1000132
......@@ -66,4 +70,5 @@ bashcomp() {
"$subpkgdir"/usr/share/bash-completion/completions/${pkgname}
}
sha512sums="f70e40cba72b7955f0ecec9c1f53ffffac26f206188617cb182e22ce4f43dc8b970ce46d12c516ef88480c3fa076a59afcddd736dffb642d8e23befaf45b4941 mercurial-4.5.2.tar.gz"
sha512sums="f70e40cba72b7955f0ecec9c1f53ffffac26f206188617cb182e22ce4f43dc8b970ce46d12c516ef88480c3fa076a59afcddd736dffb642d8e23befaf45b4941 mercurial-4.5.2.tar.gz
f6a53411ba137661db283878ff1191ee13f879b171e6e97335ebc68e6276373ecff89a6ab16eec5eb572de9c909f5d4f81b726d15da56fa026a758482b5373f3 CVE-2019-3902.patch"
# HG changeset patch
# User Yuya Nishihara <yuya@tcha.org>
# Date 1546953576 -32400
# Node ID 83377b4b4ae0e9a6b8e579f7b0a693b8cf5c3b10
# Parent 6c10eba6b9cddab020de49fd4fabcb2cadcd85d0
subrepo: reject potentially unsafe subrepo paths (BC) (SEC)
In addition to the previous patch, this prohibits '~', '$nonexistent', etc.
for any subrepo types. I think this is safer, and real-world subrepos wouldn't
use such (local) paths.
diff -r 6c10eba6b9cd -r 83377b4b4ae0 mercurial/subrepo.py
--- a/mercurial/subrepo.py Tue Jan 08 22:07:45 2019 +0900
+++ b/mercurial/subrepo.py Tue Jan 08 22:19:36 2019 +0900
@@ -115,6 +115,10 @@
vfs.unlink(vfs.reljoin(dirname, f))
def _auditsubrepopath(repo, path):
+ # sanity check for potentially unsafe paths such as '~' and '$FOO'
+ if path.startswith('~') or '$' in path or util.expandpath(path) != path:
+ raise error.Abort(_('subrepo path contains illegal component: %s')
+ % path)
# auditor doesn't check if the path itself is a symlink
pathutil.pathauditor(repo.root)(path)
if repo.wvfs.islink(path):
# HG changeset patch
# User Yuya Nishihara <yuya@tcha.org>
# Date 1546952865 -32400
# Node ID 6c10eba6b9cddab020de49fd4fabcb2cadcd85d0
# Parent 31286c9282dfa734e9da085649b7ae5a8ba290ad
subrepo: prohibit variable expansion on creation of hg subrepo (SEC)
It's probably wrong to expand path at localrepo.*repository() layer, but
fixing the layering issue would require careful inspection of call paths.
So, this patch adds add a validation to the subrepo constructor.
os.path.realpath(util.expandpath(root)) is what vfsmod.vfs() would do.
diff -r 31286c9282df -r 6c10eba6b9cd mercurial/subrepo.py
--- a/mercurial/subrepo.py Tue Jan 08 21:51:54 2019 +0900
+++ b/mercurial/subrepo.py Tue Jan 08 22:07:45 2019 +0900
@@ -403,7 +403,16 @@
r = ctx.repo()
root = r.wjoin(path)
create = allowcreate and not r.wvfs.exists('%s/.hg' % path)
+ # repository constructor does expand variables in path, which is
+ # unsafe since subrepo path might come from untrusted source.
+ if os.path.realpath(util.expandpath(root)) != root:
+ raise error.Abort(_('subrepo path contains illegal component: %s')
+ % path)
self._repo = hg.repository(r.baseui, root, create=create)
+ if self._repo.root != root:
+ raise error.ProgrammingError('failed to reject unsafe subrepo '
+ 'path: %s (expanded to %s)'
+ % (root, self._repo.root))
# Propagate the parent's --hidden option
if r is r.unfiltered():
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment