From: Zhixiong Chi <zhixiong.chi@windriver.com>
To: akuster808 <akuster808@gmail.com>,
	<openembedded-devel@lists.openembedded.org>
Subject: Re: [meta-oe][PATCH] mercurial: Upgrade to 4.4.1
Date: Thu, 16 Nov 2017 10:23:55 +0800	[thread overview]
Message-ID: <5A0CF6BB.5000407@windriver.com> (raw)
In-Reply-To: <9569cc40-d759-ed8f-09f7-61a07a433359@gmail.com>



On 2017-11-16 10:19, akuster808 wrote:
>
> On 11/08/2017 10:20 PM, Zhixiong Chi wrote:
>> * Upgrade to the latest release to fix some CVEs:
>>   - CVE-2017-1000115: missing symlink check that can allow malicious repositories
>>                       to modify files outside the repository
>>   - CVE-2017-1000116: did not adequately sanitize hostnames passed to ssh,
>>                       leading to possible shell-injection attacks.
>>
>> * For other changes please see: https://www.mercurial-scm.org/wiki/WhatsNew
>>
>> * Update SRC_URI with the new download link
>>
>> Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
>> ---
>>   .../mercurial/files/mercurial-CVE-2017-9462.patch  | 135 ---------------------
>>   .../mercurial/mercurial-native_4.0.1.bb            |  28 -----
>>   .../mercurial/mercurial-native_4.4.1.bb            |  27 +++++
> 4.4 was already in the pipeline and is in master. If you still want
> 4.4.1, please rebase and resend.
I just sent this patch for CVE-2017-1000115 and CVE-2017-1000116;
the 4.4 version has included the patches, so please ignore this patch.

Thanks.
> - armin
>>   3 files changed, 27 insertions(+), 163 deletions(-)
>>   delete mode 100644 meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch
>>   delete mode 100644 meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb
>>   create mode 100644 meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.1.bb
>>
>> diff --git a/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch b/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch
>> deleted file mode 100644
>> index 3564661..0000000
>> --- a/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch
>> +++ /dev/null
>> @@ -1,135 +0,0 @@
>> -# HG changeset patch
>> -# User Augie Fackler <augie@google.com>
>> -# Date 1492021435 25200
>> -#      Wed Apr 12 11:23:55 2017 -0700
>> -# Branch stable
>> -# Node ID 77eaf9539499a1b8be259ffe7ada787d07857f80
>> -# Parent  68f263f52d2e3e2798b4f1e55cb665c6b043f93b
>> -dispatch: protect against malicious 'hg serve --stdio' invocations (sec)
>> -
>> -Some shared-ssh installations assume that 'hg serve --stdio' is a safe
>> -command to run for minimally trusted users. Unfortunately, the messy
>> -implementation of argument parsing here meant that trying to access a
>> -repo named '--debugger' would give the user a pdb prompt, thereby
>> -sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S)
>> -is unaffected.
>> -
>> -We're not currently hardening any subcommands other than 'serve'. If
>> -your service exposes other commands to users with arbitrary repository
>> -names, it is imperative that you defend against repository names of
>> -'--debugger' and anything starting with '--config'.
>> -
>> -The read-only mode of hg-ssh stopped working because it provided its hook
>> -configuration to "hg serve --stdio" via --config parameter. This is banned for
>> -security reasons now. This patch switches it to directly call ui.setconfig().
>> -If your custom hosting infrastructure relies on passing --config to
>> -"hg serve --stdio", you'll need to find a different way to get that configuration
>> -into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch,
>> -or by placing an hgrc file someplace where Mercurial will read it.
>> -
>> -mitrandir@fb.com provided some extra fixes for the dispatch code and
>> -for hg-ssh in places that I overlooked.
>> -
>> -CVE: CVE-2017-9462
>> -
>> -Upstream-Status: Backport
>> -
>> -diff --git a/contrib/hg-ssh b/contrib/hg-ssh
>> ---- a/contrib/hg-ssh
>> -+++ b/contrib/hg-ssh
>> -@@ -32,7 +32,7 @@
>> - # enable importing on demand to reduce startup time
>> - from mercurial import demandimport; demandimport.enable()
>> -
>> --from mercurial import dispatch
>> -+from mercurial import dispatch, ui as uimod
>> -
>> - import sys, os, shlex
>> -
>> -@@ -61,14 +61,15 @@
>> -         repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))
>> -         if repo in allowed_paths:
>> -             cmd = ['-R', repo, 'serve', '--stdio']
>> -+            req = dispatch.request(cmd)
>> -             if readonly:
>> --                cmd += [
>> --                    '--config',
>> --                    'hooks.pretxnopen.hg-ssh=python:__main__.rejectpush',
>> --                    '--config',
>> --                    'hooks.prepushkey.hg-ssh=python:__main__.rejectpush'
>> --                    ]
>> --            dispatch.dispatch(dispatch.request(cmd))
>> -+                if not req.ui:
>> -+                    req.ui = uimod.ui.load()
>> -+                req.ui.setconfig('hooks', 'pretxnopen.hg-ssh',
>> -+                                 'python:__main__.rejectpush', 'hg-ssh')
>> -+                req.ui.setconfig('hooks', 'prepushkey.hg-ssh',
>> -+                                 'python:__main__.rejectpush', 'hg-ssh')
>> -+            dispatch.dispatch(req)
>> -         else:
>> -             sys.stderr.write('Illegal repository "%s"\n' % repo)
>> -             sys.exit(255)
>> -diff --git a/mercurial/dispatch.py b/mercurial/dispatch.py
>> ---- a/mercurial/dispatch.py
>> -+++ b/mercurial/dispatch.py
>> -@@ -155,6 +155,37 @@
>> -         pass # happens if called in a thread
>> -
>> -     def _runcatchfunc():
>> -+        realcmd = None
>> -+        try:
>> -+            cmdargs = fancyopts.fancyopts(req.args[:], commands.globalopts, {})
>> -+            cmd = cmdargs[0]
>> -+            aliases, entry = cmdutil.findcmd(cmd, commands.table, False)
>> -+            realcmd = aliases[0]
>> -+        except (error.UnknownCommand, error.AmbiguousCommand,
>> -+                IndexError, getopt.GetoptError):
>> -+            # Don't handle this here. We know the command is
>> -+            # invalid, but all we're worried about for now is that
>> -+            # it's not a command that server operators expect to
>> -+            # be safe to offer to users in a sandbox.
>> -+            pass
>> -+        if realcmd == 'serve' and '--stdio' in cmdargs:
>> -+            # We want to constrain 'hg serve --stdio' instances pretty
>> -+            # closely, as many shared-ssh access tools want to grant
>> -+            # access to run *only* 'hg -R $repo serve --stdio'. We
>> -+            # restrict to exactly that set of arguments, and prohibit
>> -+            # any repo name that starts with '--' to prevent
>> -+            # shenanigans wherein a user does something like pass
>> -+            # --debugger or --config=ui.debugger=1 as a repo
>> -+            # name. This used to actually run the debugger.
>> -+            if (len(req.args) != 4 or
>> -+                req.args[0] != '-R' or
>> -+                req.args[1].startswith('--') or
>> -+                req.args[2] != 'serve' or
>> -+                req.args[3] != '--stdio'):
>> -+                raise error.Abort(
>> -+                    _('potentially unsafe serve --stdio invocation: %r') %
>> -+                    (req.args,))
>> -+
>> -         try:
>> -             debugger = 'pdb'
>> -             debugtrace = {
>> -diff --git a/tests/test-ssh.t b/tests/test-ssh.t
>> ---- a/tests/test-ssh.t
>> -+++ b/tests/test-ssh.t
>> -@@ -357,6 +357,19 @@
>> -   abort: destination 'a repo' is not empty
>> -   [255]
>> -
>> -+Make sure hg is really paranoid in serve --stdio mode. It used to be
>> -+possible to get a debugger REPL by specifying a repo named --debugger.
>> -+  $ hg -R --debugger serve --stdio
>> -+  abort: potentially unsafe serve --stdio invocation: ['-R', '--debugger', 'serve', '--stdio']
>> -+  [255]
>> -+  $ hg -R --config=ui.debugger=yes serve --stdio
>> -+  abort: potentially unsafe serve --stdio invocation: ['-R', '--config=ui.debugger=yes', 'serve', '--stdio']
>> -+  [255]
>> -+Abbreviations of 'serve' also don't work, to avoid shenanigans.
>> -+  $ hg -R narf serv --stdio
>> -+  abort: potentially unsafe serve --stdio invocation: ['-R', 'narf', 'serv', '--stdio']
>> -+  [255]
>> -+
>> - Test hg-ssh using a helper script that will restore PYTHONPATH (which might
>> - have been cleared by a hg.exe wrapper) and invoke hg-ssh with the right
>> - parameters:
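Review bot: the commit message never says why the CVE-2017-9462 backport can be dropped. The deleted file is marked Upstream-Status: Backport with Node ID 77eaf9539499 ("dispatch: protect against malicious 'hg serve --stdio' invocations"), so add a line to the commit message stating that the 4.4.1 release already contains that upstream changeset; otherwise a reader of the log has to re-verify that the serve --stdio hardening is still present after the upgrade.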
>> diff --git a/meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb b/meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb
>> deleted file mode 100644
>> index a08acd9..0000000
>> --- a/meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb
>> +++ /dev/null
>> @@ -1,28 +0,0 @@
>> -SUMMARY = "The Mercurial distributed SCM"
>> -HOMEPAGE = "http://mercurial.selenic.com/"
>> -SECTION = "console/utils"
>> -LICENSE = "GPLv2"
>> -LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
>> -DEPENDS = "python-native"
>> -
>> -SRC_URI = "https://www.mercurial-scm.org/release/${BP}.tar.gz \
>> -           file://mercurial-CVE-2017-9462.patch \
>> -"
>> -SRC_URI[md5sum] = "22a9b1d7c0c06a53f0ae5b386d536d08"
>> -SRC_URI[sha256sum] = "6aa4ade93c1b5e11937820880a466ebf1c824086d443cd799fc46e2617250d40"
>> -
>> -S = "${WORKDIR}/mercurial-${PV}"
>> -
>> -inherit native
>> -
>> -EXTRA_OEMAKE = "STAGING_LIBDIR=${STAGING_LIBDIR} STAGING_INCDIR=${STAGING_INCDIR} \
>> -    PREFIX=${prefix}"
>> -
>> -do_configure_append () {
>> -    sed -i -e 's:PYTHON=python:PYTHON=${STAGING_BINDIR_NATIVE}/python-native/python:g' ${S}/Makefile
>> -}
>> -
>> -do_install () {
>> -    oe_runmake -e install-bin DESTDIR=${D} PREFIX=${prefix}
>> -}
>> -
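Review bot: the 4.0.1 recipe is removed wholesale and re-created as 4.4.1 with an otherwise identical body, so generate the patch with rename detection (git format-patch -M) to show only the SRC_URI and checksum lines that actually change, which makes the review far easier.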
>> diff --git a/meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.1.bb b/meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.1.bb
>> new file mode 100644
>> index 0000000..db2f3c4
>> --- /dev/null
>> +++ b/meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.1.bb
>> @@ -0,0 +1,27 @@
>> +SUMMARY = "The Mercurial distributed SCM"
>> +HOMEPAGE = "http://mercurial.selenic.com/"
>> +SECTION = "console/utils"
>> +LICENSE = "GPLv2"
>> +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
>> +DEPENDS = "python-native"
>> +
>> +SRC_URI = "https://www.mercurial-scm.org/release/${BP}.tar.gz \
>> +"
>> +SRC_URI[md5sum] = "37974a416d1d9525e1375c92025b16d9"
>> +SRC_URI[sha256sum] = "8f2a5512d6cc2ffb08988aef639330a2f0378e4ac3ee0e1fbbdb64d9fff56246"
>> +
>> +S = "${WORKDIR}/mercurial-${PV}"
>> +
>> +inherit native
>> +
>> +EXTRA_OEMAKE = "STAGING_LIBDIR=${STAGING_LIBDIR} STAGING_INCDIR=${STAGING_INCDIR} \
>> +    PREFIX=${prefix}"
>> +
>> +do_configure_append () {
>> +    sed -i -e 's:PYTHON=python:PYTHON=${STAGING_BINDIR_NATIVE}/python-native/python:g' ${S}/Makefile
>> +}
>> +
>> +do_install () {
>> +    oe_runmake -e install-bin DESTDIR=${D} PREFIX=${prefix}
>> +}
>> +
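Review bot: the commit message bullet "Update SRC_URI with the new download link" does not match this hunk: SRC_URI is still https://www.mercurial-scm.org/release/${BP}.tar.gz exactly as in the deleted 4.0.1 recipe, and only the file://mercurial-CVE-2017-9462.patch entry was removed, so reword that bullet. With the patch line gone the continuation is redundant; collapse
SRC_URI = "https://www.mercurial-scm.org/release/${BP}.tar.gz \
"
onto one line, and consider pointing HOMEPAGE at the mercurial-scm.org site the tarball is fetched from instead of http://mercurial.selenic.com/.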
>

-- 
---------------------
Thanks,
Zhixiong Chi
Tel: +86-10-8477-7036



Thread overview: 4+ messages
2017-11-09  6:20 [meta-oe][PATCH] mercurial: Upgrade to 4.4.1 Zhixiong Chi
2017-11-09 14:14 ` Paul Barker
2017-11-16  2:19 ` akuster808
2017-11-16  2:23   ` Zhixiong Chi [this message]
