authorLeonardo Arena <rnalrd@alpinelinux.org>2016-04-19 13:51:54 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2016-04-19 13:51:54 +0000
commit43622bb26d2e04aa61ae8bfb905ebe671b8abf10 (patch)
treeecfe20d30055c9d03098e1b50dcb06c49ec0101a
parentcca8048cd7a194dbb3fc00bb0a378d78da4e205a (diff)
downloadaports-43622bb26d2e04aa61ae8bfb905ebe671b8abf10.tar.bz2
aports-43622bb26d2e04aa61ae8bfb905ebe671b8abf10.tar.xz
main/mercurial: security fixes (CVE-2016-3630, CVE-2016-3068). Fixes #5393
-rw-r--r--main/mercurial/APKBUILD33
-rw-r--r--main/mercurial/CVE-2016-3068.patch93
-rw-r--r--main/mercurial/CVE-2016-3630-1.patch45
-rw-r--r--main/mercurial/CVE-2016-3630-2.patch29
4 files changed, 195 insertions, 5 deletions
diff --git a/main/mercurial/APKBUILD b/main/mercurial/APKBUILD
index bf83549542..3a7a62505d 100644
--- a/main/mercurial/APKBUILD
+++ b/main/mercurial/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mercurial
pkgver=3.4
-pkgrel=0
+pkgrel=1
pkgdesc="A scalable distributed SCM tool"
url="http://www.selenic.com/mercurial"
arch="all"
@@ -9,9 +9,23 @@ license="GPL2+"
depends=""
makedepends="python-dev"
subpackages="$pkgname-doc"
-source="http://www.selenic.com/$pkgname/release/$pkgname-$pkgver.tar.gz"
+source="http://www.selenic.com/$pkgname/release/$pkgname-$pkgver.tar.gz
+ CVE-2016-3630-1.patch
+ CVE-2016-3630-2.patch
+ CVE-2016-3068.patch
+ "
_builddir="$srcdir"/$pkgname-$pkgver
+
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
+
build() {
cd "$_builddir"
python setup.py build || return 1
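Review bot: The new prepare() applies the three backported patches with `patch -p1 -i "$srcdir"/$i || return 1`, which fails the build only on an outright reject; the patches were cut against a 2016 upstream tree (per the Date headers inside them) rather than the mercurial-3.4 tarball, so a hunk that lands with fuzz would be accepted silently and a security fix could end up mis-applied without anyone noticing. Consider limiting fuzz where GNU patch is available, e.g. `patch -p1 -F0 -i "$srcdir"/$i || return 1`, and quoting the loop variable in `msg "$i"` for consistency with the quoted `"$srcdir"`. Integrity of the patches and tarball rests on the sha512sums block in the later hunk of this file, which the commit does keep in step; the tarball URL on the new `source=` line remains plain http, so that pin is the only protection on the download. The rest of the APKBUILD (package(), the checksum lists) lies outside this hunk.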
@@ -31,6 +45,15 @@ package() {
install -Dm644 contrib/vim/HGAnnotate.vim \
"${vimpath}/syntax/HGAnnotate.vim" || return 1
}
-md5sums="4a2dcf2bd9fa11e758d44e481136eab7 mercurial-3.4.tar.gz"
-sha256sums="ff1da0545cdd46ebcf473176d55937a22bb55fff51cdff9d4c2f900fc80baf10 mercurial-3.4.tar.gz"
-sha512sums="a61b0d4cf528136991243bb23ac972c11c50ab5681d09f8b2d12cf7d37d3a9d76262f7fe6e7a1834bf6d03e8dc0ebbd9231da982e049e09830341dabefe5d064 mercurial-3.4.tar.gz"
+md5sums="4a2dcf2bd9fa11e758d44e481136eab7 mercurial-3.4.tar.gz
+301fac6e294a7ae0d5ad8545467b8bb9 CVE-2016-3630-1.patch
+859c242b441be8c9cff7242fdbe3c158 CVE-2016-3630-2.patch
+ff54bcd5e64f195ee48bdc4e0b421770 CVE-2016-3068.patch"
+sha256sums="ff1da0545cdd46ebcf473176d55937a22bb55fff51cdff9d4c2f900fc80baf10 mercurial-3.4.tar.gz
+c05b92354bb2569aa4406cca7186e171a051df97d9db290413a7b1387d855365 CVE-2016-3630-1.patch
+f6463b99c84fd7db8c501e4353bb74bb828fe6ea05edd4b3c3ab78beb47cf6b7 CVE-2016-3630-2.patch
+a3b841a61088a9a339370dd3d40e8ea7706710f547d9300d5f4143242d17bd8e CVE-2016-3068.patch"
+sha512sums="a61b0d4cf528136991243bb23ac972c11c50ab5681d09f8b2d12cf7d37d3a9d76262f7fe6e7a1834bf6d03e8dc0ebbd9231da982e049e09830341dabefe5d064 mercurial-3.4.tar.gz
+5f861816ab1b73d4c5194c6b4af6e3a2e2d66c396801fd7450cd1248796aefa4f0fa99bc222e2ab87c1700b04fc59a4382538ef0b490e66d4dd57bc3731b66b6 CVE-2016-3630-1.patch
+9f6c45e7393cab4bcbf91d3c80655d490edd2c27b537b8e4c850985a7410032ae7f7a0bed47116b2ad19197c55422ed15f65aa1cde6ead822941b3cf865cd023 CVE-2016-3630-2.patch
+d9f0a115e21cf09f0cff7d4100fc68602ee978b36fc720ba56df7ff80bdf72b0b4ad653ee890f828b298fd5f2593798fe2399b98d7291bc4a2481f43c91e045f CVE-2016-3068.patch"
diff --git a/main/mercurial/CVE-2016-3068.patch b/main/mercurial/CVE-2016-3068.patch
new file mode 100644
index 0000000000..78385cb57f
--- /dev/null
+++ b/main/mercurial/CVE-2016-3068.patch
@@ -0,0 +1,93 @@
+
+# HG changeset patch
+# User Mateusz Kwapich <mitrandir@fb.com>
+# Date 1458535941 25200
+# Node ID 34d43cb85de8d06764039d8868eee19d00fddeab
+# Parent b9714d958e89cd6ff1da46b46f39076c03325ac7
+subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC)
+
+CVE-2016-3068 (1/1)
+
+Git's git-remote-ext remote helper provides an ext:: URL scheme that
+allows running arbitrary shell commands. This feature allows
+implementing simple git smart transports with a single shell shell
+command. However, git submodules could clone arbitrary URLs specified
+in the .gitmodules file. This was reported as CVE-2015-7545 and fixed
+in git v2.6.1.
+
+However, if a user directly clones a malicious ext URL, the git client
+will still run arbitrary shell commands.
+
+Mercurial is similarly effected. Mercurial allows specifying git
+repositories as subrepositories. Git ext:: URLs can be specified as
+Mercurial subrepositories allowing arbitrary shell commands to be run
+on `hg clone ...`.
+
+
+The Mercurial community would like to thank Blake Burkhart for
+reporting this issue. The description of the issue is copied from
+Blake's report.
+
+This commit changes submodules to pass the GIT_ALLOW_PROTOCOL env
+variable to git commands with the same list of allowed protocols that
+git submodule is using.
+
+When the GIT_ALLOW_PROTOCOL env variable is already set, we just pass it
+to git without modifications.
+
+diff -r b9714d958e89 -r 34d43cb85de8 mercurial/subrepo.py
+--- a/mercurial/subrepo.py Wed Mar 16 17:30:26 2016 -0700
++++ b/mercurial/subrepo.py Sun Mar 20 21:52:21 2016 -0700
+@@ -1383,6 +1383,11 @@
+ are not supported and very probably fail.
+ """
+ self.ui.debug('%s: git %s\n' % (self._relpath, ' '.join(commands)))
++ if env is None:
++ env = os.environ.copy()
++ # fix for Git CVE-2015-7545
++ if 'GIT_ALLOW_PROTOCOL' not in env:
++ env['GIT_ALLOW_PROTOCOL'] = 'file:git:http:https:ssh'
+ # unless ui.quiet is set, print git's stderr,
+ # which is mostly progress and useful info
+ errpipe = None
+diff -r b9714d958e89 -r 34d43cb85de8 tests/test-subrepo-git.t
+--- a/tests/test-subrepo-git.t Wed Mar 16 17:30:26 2016 -0700
++++ b/tests/test-subrepo-git.t Sun Mar 20 21:52:21 2016 -0700
+@@ -1132,4 +1132,36 @@
+ ? s/foobar.orig
+ ? s/snake.python.orig
+
++test for Git CVE-2016-3068
++ $ hg init malicious-subrepository
++ $ cd malicious-subrepository
++ $ echo "s = [git]ext::sh -c echo% pwned% >&2" > .hgsub
++ $ git init s
++ Initialized empty Git repository in $TESTTMP/tc/malicious-subrepository/s/.git/
++ $ cd s
++ $ git commit --allow-empty -m 'empty'
++ [master (root-commit) 153f934] empty
+ $ cd ..
++ $ hg add .hgsub
++ $ hg commit -m "add subrepo"
++ $ cd ..
++ $ env -u GIT_ALLOW_PROTOCOL hg clone malicious-subrepository malicious-subrepository-protected
++ Cloning into '$TESTTMP/tc/malicious-subrepository-protected/s'...
++ fatal: transport 'ext' not allowed
++ updating to branch default
++ cloning subrepo s from ext::sh -c echo% pwned% >&2
++ abort: git clone error 128 in s (in subrepo s)
++ [255]
++
++whitelisting of ext should be respected (that's the git submodule behaviour)
++ $ env GIT_ALLOW_PROTOCOL=ext hg clone malicious-subrepository malicious-subrepository-clone-allowed
++ Cloning into '$TESTTMP/tc/malicious-subrepository-clone-allowed/s'...
++ pwned
++ fatal: Could not read from remote repository.
++
++ Please make sure you have the correct access rights
++ and the repository exists.
++ updating to branch default
++ cloning subrepo s from ext::sh -c echo% pwned% >&2
++ abort: git clone error 128 in s (in subrepo s)
++ [255]
+
diff --git a/main/mercurial/CVE-2016-3630-1.patch b/main/mercurial/CVE-2016-3630-1.patch
new file mode 100644
index 0000000000..ab78761e40
--- /dev/null
+++ b/main/mercurial/CVE-2016-3630-1.patch
@@ -0,0 +1,45 @@
+
+# HG changeset patch
+# User Matt Mackall <mpm@selenic.com>
+# Date 1458174569 25200
+# Node ID b6ed2505d6cf1d73f7f5c62e7369c4ce65cd3732
+# Parent a2c2dd399f3b9fb84edd75a930e895f0c5e4ad5b
+parsers: fix list sizing rounding error (SEC)
+
+CVE-2016-3630 (1/2)
+
+This addresses part of a vulnerability in application of binary
+deltas.
+
+diff -r a2c2dd399f3b -r b6ed2505d6cf mercurial/mpatch.c
+--- a/mercurial/mpatch.c Fri Mar 25 10:47:49 2016 -0700
++++ b/mercurial/mpatch.c Wed Mar 16 17:29:29 2016 -0700
+@@ -205,7 +205,7 @@
+ int pos = 0;
+
+ /* assume worst case size, we won't have many of these lists */
+- l = lalloc(len / 12);
++ l = lalloc(len / 12 + 1);
+ if (!l)
+ return NULL;
+
+diff -r a2c2dd399f3b -r b6ed2505d6cf tests/test-revlog.t
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ b/tests/test-revlog.t Wed Mar 16 17:29:29 2016 -0700
+@@ -0,0 +1,15 @@
++Test for CVE-2016-3630
++
++ $ hg init
++
++ >>> open("a.i", "w").write(
++ ... """eJxjYGZgZIAAYQYGxhgom+k/FMx8YKx9ZUaKSOyqo4cnuKb8mbqHV5cBCVTMWb1Cwqkhe4Gsg9AD
++ ... Joa3dYtcYYYBAQ8Qr4OqZAYRICPTSr5WKd/42rV36d+8/VmrNpv7NP1jQAXrQE4BqQUARngwVA=="""
++ ... .decode("base64").decode("zlib"))
++
++ $ hg debugindex a.i
++ rev offset length delta linkrev nodeid p1 p2
++ 0 0 19 -1 2 99e0332bd498 000000000000 000000000000
++ 1 19 12 0 3 6674f57a23d8 99e0332bd498 000000000000
++ $ hg debugdata a.i 1 2>&1 | grep decoded
++ mpatch.mpatchError: patch cannot be decoded
+
diff --git a/main/mercurial/CVE-2016-3630-2.patch b/main/mercurial/CVE-2016-3630-2.patch
new file mode 100644
index 0000000000..f7deb97841
--- /dev/null
+++ b/main/mercurial/CVE-2016-3630-2.patch
@@ -0,0 +1,29 @@
+
+# HG changeset patch
+# User Matt Mackall <mpm@selenic.com>
+# Date 1458174626 25200
+# Node ID b9714d958e89cd6ff1da46b46f39076c03325ac7
+# Parent b6ed2505d6cf1d73f7f5c62e7369c4ce65cd3732
+parsers: detect short records (SEC)
+
+CVE-2016-3630 (2/2)
+
+This addresses part of a vulnerability in binary delta application.
+
+diff -r b6ed2505d6cf -r b9714d958e89 mercurial/mpatch.c
+--- a/mercurial/mpatch.c Wed Mar 16 17:29:29 2016 -0700
++++ b/mercurial/mpatch.c Wed Mar 16 17:30:26 2016 -0700
+@@ -215,10 +215,10 @@
+ lt->start = getbe32(bin + pos);
+ lt->end = getbe32(bin + pos + 4);
+ lt->len = getbe32(bin + pos + 8);
+- if (lt->start > lt->end)
+- break; /* sanity check */
+ lt->data = bin + pos + 12;
+ pos += 12 + lt->len;
++ if (lt->start > lt->end || lt->len < 0)
++ break; /* sanity check */
+ lt++;
+ }
+
+
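Review bot: The relocated sanity check runs only after `pos += 12 + lt->len`, so a crafted `lt->len` close to INT_MAX overflows the signed accumulator (`int pos = 0;` is visible in the sibling CVE-2016-3630-1 hunk) before the guard inspects it; the loop then breaks, but the addition itself is signed overflow. Validating the length before accumulating it keeps `pos` in range, e.g. `if (lt->start > lt->end || lt->len < 0 || lt->len > len - pos - 12) break;` placed ahead of the `pos +=` line; the type of `len`, the loop condition and the post-loop length check that makes this a detectable "short record" are all outside the hunk, so confirm there that `len - pos - 12` cannot itself go negative in a way the comparison would not catch. This file is an upstream changeset shipped verbatim, so the remark concerns upstream's fix rather than the packaging change.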