author | Leo <thinkabit.ukim@gmail.com> | 2019-07-21 16:01:21 -0300 |
committer | Natanael Copa <ncopa@alpinelinux.org> | 2019-07-22 12:39:11 +0200 |
commit | 62755c77c68aad877b194aa2678fb06b337091ea (patch) | |
tree | e87d49c5df51c2bf1b75f5f9e4b52cf421c7fd73 /main/mercurial | |
parent | fdbea192e0aafd3afbdcd17d061efff9de618664 (diff) | |
download | aports-62755c77c68aad877b194aa2678fb06b337091ea.tar.bz2 aports-62755c77c68aad877b194aa2678fb06b337091ea.tar.xz |
main/mercurial: fix CVE-2019-32902
Fixes https://gitlab.alpinelinux.org/alpine/aports/issues/10375
Diffstat (limited to 'main/mercurial')
-rw-r--r-- | main/mercurial/APKBUILD | 13 | ||||
-rw-r--r-- | main/mercurial/CVE-2019-3902.patch | 60 |
2 files changed, 70 insertions, 3 deletions
diff --git a/main/mercurial/APKBUILD b/main/mercurial/APKBUILD
index 05a29fed7f..ab1914cc48 100644
--- a/main/mercurial/APKBUILD
+++ b/main/mercurial/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=mercurial
 pkgver=4.6.1
-pkgrel=0
+pkgrel=1
 pkgdesc="Scalable distributed SCM tool"
 url="https://www.mercurial-scm.org"
 arch="all"
@@ -14,9 +14,15 @@ subpackages="
 $pkgname-vim:vim:noarch
 $pkgname-zsh-completion:zshcomp:noarch
 $pkgname-bash-completion:bashcomp:noarch"
-source="https://www.mercurial-scm.org/release/$pkgname-$pkgver.tar.gz"
+source="https://www.mercurial-scm.org/release/$pkgname-$pkgver.tar.gz
+ CVE-2019-3902.patch
+ "
 builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 4.6.1-r1:
+# - CVE-2019-3902
+
 build() {
 cd "$builddir"
 python2 setup.py build
@@ -63,4 +69,5 @@ bashcomp() {
 "$subpkgdir"/usr/share/bash-completion/completions/${pkgname}
 }
-sha512sums="0c7737ca803691b135b4906cc527b20595e314009096d8a19f37814ee192b182e7c5360fbf993f632d6071da1f9fca38677e7190c14ed92bafa8add72a4a27d9 mercurial-4.6.1.tar.gz"
+sha512sums="0c7737ca803691b135b4906cc527b20595e314009096d8a19f37814ee192b182e7c5360fbf993f632d6071da1f9fca38677e7190c14ed92bafa8add72a4a27d9 mercurial-4.6.1.tar.gz
+f6a53411ba137661db283878ff1191ee13f879b171e6e97335ebc68e6276373ecff89a6ab16eec5eb572de9c909f5d4f81b726d15da56fa026a758482b5373f3 CVE-2019-3902.patch"
diff --git a/main/mercurial/CVE-2019-3902.patch b/main/mercurial/CVE-2019-3902.patch
new file mode 100644
index 0000000000..28d88c63e7
--- /dev/null
+++ b/main/mercurial/CVE-2019-3902.patch
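Review bot: The secfixes block added in the second APKBUILD hunk records `CVE-2019-3902`, which matches the patch file name, but the commit title says CVE-2019-32902; the secfixes comment is what Alpine's secdb is generated from, so the APKBUILD side is the correct identifier and the commit title is the one that is wrong, and it is worth amending the title so advisory searches on the git log find this fix. The `# - CVE-2019-3902` bullet should also be checked against the layout used by neighbouring APKBUILDs (the CVE bullet is normally indented under the `4.6.1-r1:` line), since the secdb parser keys on that layout and the rendered diff here has collapsed whitespace, so it cannot be verified from the page. Recording the origin of the backport next to the source entry, e.g. `# CVE-2019-3902.patch: upstream hg changesets 6c10eba6b9cd + 83377b4b4ae0 (see patch header)`, would let a later maintainer confirm the patch is still needed and complete when rebasing to a newer release.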
@@ -0,0 +1,60 @@
+
+# HG changeset patch
+# User Yuya Nishihara <yuya@tcha.org>
+# Date 1546953576 -32400
+# Node ID 83377b4b4ae0e9a6b8e579f7b0a693b8cf5c3b10
+# Parent 6c10eba6b9cddab020de49fd4fabcb2cadcd85d0
+subrepo: reject potentially unsafe subrepo paths (BC) (SEC)
+
+In addition to the previous patch, this prohibits '~', '$nonexistent', etc.
+for any subrepo types. I think this is safer, and real-world subrepos wouldn't
+use such (local) paths.
+
+diff -r 6c10eba6b9cd -r 83377b4b4ae0 mercurial/subrepo.py
+--- a/mercurial/subrepo.py Tue Jan 08 22:07:45 2019 +0900
++++ b/mercurial/subrepo.py Tue Jan 08 22:19:36 2019 +0900
+@@ -115,6 +115,10 @@
+ vfs.unlink(vfs.reljoin(dirname, f))
+
+ def _auditsubrepopath(repo, path):
++ # sanity check for potentially unsafe paths such as '~' and '$FOO'
++ if path.startswith('~') or '$' in path or util.expandpath(path) != path:
++ raise error.Abort(_('subrepo path contains illegal component: %s')
++ % path)
+ # auditor doesn't check if the path itself is a symlink
+ pathutil.pathauditor(repo.root)(path)
+ if repo.wvfs.islink(path):
+
+# HG changeset patch
+# User Yuya Nishihara <yuya@tcha.org>
+# Date 1546952865 -32400
+# Node ID 6c10eba6b9cddab020de49fd4fabcb2cadcd85d0
+# Parent 31286c9282dfa734e9da085649b7ae5a8ba290ad
+subrepo: prohibit variable expansion on creation of hg subrepo (SEC)
+
+It's probably wrong to expand path at localrepo.*repository() layer, but
+fixing the layering issue would require careful inspection of call paths.
+So, this patch adds add a validation to the subrepo constructor.
+
+os.path.realpath(util.expandpath(root)) is what vfsmod.vfs() would do.
+
+diff -r 31286c9282df -r 6c10eba6b9cd mercurial/subrepo.py
+--- a/mercurial/subrepo.py Tue Jan 08 21:51:54 2019 +0900
++++ b/mercurial/subrepo.py Tue Jan 08 22:07:45 2019 +0900
+@@ -403,7 +403,16 @@
+ r = ctx.repo()
+ root = r.wjoin(path)
+ create = allowcreate and not r.wvfs.exists('%s/.hg' % path)
++ # repository constructor does expand variables in path, which is
++ # unsafe since subrepo path might come from untrusted source.
++ if os.path.realpath(util.expandpath(root)) != root:
++ raise error.Abort(_('subrepo path contains illegal component: %s')
++ % path)
+ self._repo = hg.repository(r.baseui, root, create=create)
++ if self._repo.root != root:
++ raise error.ProgrammingError('failed to reject unsafe subrepo '
++ 'path: %s (expanded to %s)'
++ % (root, self._repo.root))
+
+ # Propagate the parent's --hidden option
+ if r is r.unfiltered():
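Review bot: The two upstream changesets are concatenated in reverse order — 83377b4b4ae0, whose header names 6c10eba6b9cd as its Parent, comes first, so its `@@ -115,6 +115,10 @@` hunk inserts four lines into subrepo.py before the second changeset's `@@ -403,7 +403,16 @@` hunk is applied against line numbers that predate that insertion; `patch` will still place it by context with an offset, but swapping the two so the file is in parent-then-child order would make the backport apply exactly and be easier to compare against upstream. The checks themselves deserve a one-line caveat for Alpine users: `error.Abort` is now raised for any subrepo path that starts with `~`, contains `$`, or whose `util.expandpath`/`os.path.realpath` form differs from the literal path, which the upstream message itself marks as backwards-incompatible (`(BC)`), so existing checkouts with such subrepo entries will start failing at this pkgrel. The second hunk's `os.path.realpath` call relies on `os` already being imported in mercurial/subrepo.py, which is outside the hunk — presumably true, but worth confirming against the 4.6.1 tree since the changesets were written against a later one. A provenance line at the top of the file, e.g. `# Backport of upstream hg changesets 6c10eba6b9cd and 83377b4b4ae0 (mercurial/subrepo.py) for CVE-2019-3902`, would make the origin auditable without opening the aports commit.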