[Python-apps-team] Bug#500781: intent to NMU

Nico Golde nico at ngolde.de
Fri Oct 3 14:33:43 UTC 2008


tags 500781 + patch
thanks

Hi Vincent,
* Vincent Danjean <Vincent.Danjean at ens-lyon.org> [2008-10-03 12:15]:
> Steffen Joeris wrote:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for mercurial.
> > 
> > CVE-2008-4297[0]:
> > | Mercurial before 1.0.2 does not enforce the allowpull permission
> > | setting for a pull operation from hgweb, which allows remote attackers
> > | to read arbitrary files from a repository via an "hg pull" request.
> > 
> > I am not sure about the severity of this issue, could you please investigate it?
> 
> I saw it when mercurial 1.0.2 was published. But I did not find any
> specific changeset linked to this issue. If anyone (co-maintainer, user, ...)
> can point me to the changeset, I can prepare a patch with it. I can also
> package the whole 1.0.2 (I was waiting for the lenny release to do it: RM
> told me they would probably not accept this update without strong reasons [1]).
> But, I'm sorry to say that I will not have enough free time now to
> look more closely at this issue and to search the mercurial development
> tree for a few weeks (too much real work for now).

Attached is a patch for an NMU which fixes the issue.
This is upstream changeset 6630:8542fac26f63.
It is also archived on:
http://people.debian.org/~nion/nmu-diff/mercurial-1.0.1-5_1.0.1-5.1.patch 
Feel free to upload yourself if you have the time.

I also checked the diff between 1.0.1 and 1.0.2.
6630:8542fac26f63 is included in 1.0.2; however, there is an
additional changeset which is not (6779:d3147b4e3e8a), which
centralizes the permission handling so that not every command has
to care about this themselves. Testing my patch with a
repository that has allowpull = false seems to work fine:

hg clone http://bone/cgi-bin/hgwebdir.cgi/test
destination directory: test
requesting all changes
abort: HTTP Error 500: Internal Server Error

Of course the error message could be better...

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mercurial-1.0.1-5_1.0.1-5.1.patch
Type: text/x-diff
Size: 1587 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/python-apps-team/attachments/20081003/1085f2b6/attachment.patch 
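
The design point raised in the mail above (each command enforcing the permission itself versus the centralized handling of 6779:d3147b4e3e8a), as an added sketch that is not part of the original message and is not Mercurial's code. The command names, the PERMS table and all function names are hypothetical; only the allowpull setting is taken from the mail.

```python
# Added illustration: a toy dispatcher, not Mercurial's hgweb code.
# Command names, PERMS and the helpers are hypothetical; only the
# allowpull setting comes from the mail above.

class Forbidden(Exception):
    """Raised when the repository configuration denies the operation."""

def _fetch_all(config):
    # Per-command style: this handler remembers its own check.
    if not config.get("allowpull", True):
        raise Forbidden("pull not authorized")
    return "all changesets"

def _fetch_subset(config):
    # Per-command style: the check was never written here, so the
    # setting is silently ignored for this entry point.
    return "subset of changesets"

HANDLERS = {"fetch_all": _fetch_all, "fetch_subset": _fetch_subset}

def dispatch_per_command(config, cmd):
    """Each handler is trusted to enforce allowpull by itself."""
    return HANDLERS[cmd](config)

# Centralized style: one table maps every command to the permission it
# needs, and the dispatcher checks it before any handler runs.
PERMS = {"fetch_all": "pull", "fetch_subset": "pull"}

def check_perm(config, op):
    if op == "pull" and not config.get("allowpull", True):
        raise Forbidden("pull not authorized")

def dispatch_central(config, cmd):
    """Deny by default: a command missing from PERMS is refused."""
    if cmd not in PERMS or cmd not in HANDLERS:
        raise Forbidden("unknown or unclassified command: %s" % cmd)
    check_perm(config, PERMS[cmd])
    return HANDLERS[cmd](config)

def audit(dispatch, config):
    """Return the commands that still answer under this config."""
    served = []
    for cmd in sorted(HANDLERS):
        try:
            dispatch(config, cmd)
            served.append(cmd)
        except Forbidden:
            pass
    return served
```

Running `audit` with `{"allowpull": False}` against each dispatcher lists the entry points that still serve data, which is the regression check to keep alongside a fix of this kind.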