* [meta-oe][PATCH] mercurial: Upgrade to 4.4.1
@ 2017-11-09  6:20 Zhixiong Chi
  2017-11-09 14:14 ` Paul Barker
  2017-11-16  2:19 ` akuster808
  0 siblings, 2 replies; 4+ messages in thread
From: Zhixiong Chi @ 2017-11-09  6:20 UTC (permalink / raw)
  To: openembedded-devel

* Upgrade to the latest release to fix some CVEs:
 - CVE-2017-1000115: missing symlink check that can allow malicious repositories
                     to modify files outside the repository
 - CVE-2017-1000116: did not adequately sanitize hostnames passed to ssh,
                     leading to possible shell-injection attacks.

* For other changes please see: https://www.mercurial-scm.org/wiki/WhatsNew

* Update SRC_URI with the new download link

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
 .../mercurial/files/mercurial-CVE-2017-9462.patch  | 135 ---------------------
 .../mercurial/mercurial-native_4.0.1.bb            |  28 -----
 .../mercurial/mercurial-native_4.4.1.bb            |  27 +++++
 3 files changed, 27 insertions(+), 163 deletions(-)
 delete mode 100644 meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch
 delete mode 100644 meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb
 create mode 100644 meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.1.bb

diff --git a/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch b/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch
deleted file mode 100644
index 3564661..0000000
--- a/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-# HG changeset patch
-# User Augie Fackler <augie@google.com>
-# Date 1492021435 25200
-#      Wed Apr 12 11:23:55 2017 -0700
-# Branch stable
-# Node ID 77eaf9539499a1b8be259ffe7ada787d07857f80
-# Parent  68f263f52d2e3e2798b4f1e55cb665c6b043f93b
-dispatch: protect against malicious 'hg serve --stdio' invocations (sec)
-
-Some shared-ssh installations assume that 'hg serve --stdio' is a safe
-command to run for minimally trusted users. Unfortunately, the messy
-implementation of argument parsing here meant that trying to access a
-repo named '--debugger' would give the user a pdb prompt, thereby
-sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S)
-is unaffected.
-
-We're not currently hardening any subcommands other than 'serve'. If
-your service exposes other commands to users with arbitrary repository
-names, it is imperative that you defend against repository names of
-'--debugger' and anything starting with '--config'.
-
-The read-only mode of hg-ssh stopped working because it provided its hook
-configuration to "hg serve --stdio" via --config parameter. This is banned for
-security reasons now. This patch switches it to directly call ui.setconfig().
-If your custom hosting infrastructure relies on passing --config to
-"hg serve --stdio", you'll need to find a different way to get that configuration
-into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch,
-or by placing an hgrc file someplace where Mercurial will read it.
-
-mitrandir@fb.com provided some extra fixes for the dispatch code and
-for hg-ssh in places that I overlooked.
-
-CVE: CVE-2017-9462
-
-Upstream-Status: Backport
-
-diff --git a/contrib/hg-ssh b/contrib/hg-ssh
---- a/contrib/hg-ssh
-+++ b/contrib/hg-ssh
-@@ -32,7 +32,7 @@
- # enable importing on demand to reduce startup time
- from mercurial import demandimport; demandimport.enable()
- 
--from mercurial import dispatch
-+from mercurial import dispatch, ui as uimod
- 
- import sys, os, shlex
- 
-@@ -61,14 +61,15 @@
-         repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))
-         if repo in allowed_paths:
-             cmd = ['-R', repo, 'serve', '--stdio']
-+            req = dispatch.request(cmd)
-             if readonly:
--                cmd += [
--                    '--config',
--                    'hooks.pretxnopen.hg-ssh=python:__main__.rejectpush',
--                    '--config',
--                    'hooks.prepushkey.hg-ssh=python:__main__.rejectpush'
--                    ]
--            dispatch.dispatch(dispatch.request(cmd))
-+                if not req.ui:
-+                    req.ui = uimod.ui.load()
-+                req.ui.setconfig('hooks', 'pretxnopen.hg-ssh',
-+                                 'python:__main__.rejectpush', 'hg-ssh')
-+                req.ui.setconfig('hooks', 'prepushkey.hg-ssh',
-+                                 'python:__main__.rejectpush', 'hg-ssh')
-+            dispatch.dispatch(req)
-         else:
-             sys.stderr.write('Illegal repository "%s"\n' % repo)
-             sys.exit(255)
-diff --git a/mercurial/dispatch.py b/mercurial/dispatch.py
---- a/mercurial/dispatch.py
-+++ b/mercurial/dispatch.py
-@@ -155,6 +155,37 @@
-         pass # happens if called in a thread
- 
-     def _runcatchfunc():
-+        realcmd = None
-+        try:
-+            cmdargs = fancyopts.fancyopts(req.args[:], commands.globalopts, {})
-+            cmd = cmdargs[0]
-+            aliases, entry = cmdutil.findcmd(cmd, commands.table, False)
-+            realcmd = aliases[0]
-+        except (error.UnknownCommand, error.AmbiguousCommand,
-+                IndexError, getopt.GetoptError):
-+            # Don't handle this here. We know the command is
-+            # invalid, but all we're worried about for now is that
-+            # it's not a command that server operators expect to
-+            # be safe to offer to users in a sandbox.
-+            pass
-+        if realcmd == 'serve' and '--stdio' in cmdargs:
-+            # We want to constrain 'hg serve --stdio' instances pretty
-+            # closely, as many shared-ssh access tools want to grant
-+            # access to run *only* 'hg -R $repo serve --stdio'. We
-+            # restrict to exactly that set of arguments, and prohibit
-+            # any repo name that starts with '--' to prevent
-+            # shenanigans wherein a user does something like pass
-+            # --debugger or --config=ui.debugger=1 as a repo
-+            # name. This used to actually run the debugger.
-+            if (len(req.args) != 4 or
-+                req.args[0] != '-R' or
-+                req.args[1].startswith('--') or
-+                req.args[2] != 'serve' or
-+                req.args[3] != '--stdio'):
-+                raise error.Abort(
-+                    _('potentially unsafe serve --stdio invocation: %r') %
-+                    (req.args,))
-+
-         try:
-             debugger = 'pdb'
-             debugtrace = {
-diff --git a/tests/test-ssh.t b/tests/test-ssh.t
---- a/tests/test-ssh.t
-+++ b/tests/test-ssh.t
-@@ -357,6 +357,19 @@
-   abort: destination 'a repo' is not empty
-   [255]
- 
-+Make sure hg is really paranoid in serve --stdio mode. It used to be
-+possible to get a debugger REPL by specifying a repo named --debugger.
-+  $ hg -R --debugger serve --stdio
-+  abort: potentially unsafe serve --stdio invocation: ['-R', '--debugger', 'serve', '--stdio']
-+  [255]
-+  $ hg -R --config=ui.debugger=yes serve --stdio
-+  abort: potentially unsafe serve --stdio invocation: ['-R', '--config=ui.debugger=yes', 'serve', '--stdio']
-+  [255]
-+Abbreviations of 'serve' also don't work, to avoid shenanigans.
-+  $ hg -R narf serv --stdio
-+  abort: potentially unsafe serve --stdio invocation: ['-R', 'narf', 'serv', '--stdio']
-+  [255]
-+
- Test hg-ssh using a helper script that will restore PYTHONPATH (which might
- have been cleared by a hg.exe wrapper) and invoke hg-ssh with the right
- parameters:
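Review bot: dropping mercurial-CVE-2017-9462.patch is only correct because the upstream fix it carried (a Mercurial stable-branch change dated 2017-04-12 per the patch header, marked Upstream-Status: Backport) predates and is contained in the 4.4.1 release being packaged, yet the commit message names only CVE-2017-1000115 and CVE-2017-1000116. Add a line such as "CVE-2017-9462 is fixed upstream in 4.4.1, so the local backport is dropped" so that anyone tracking CVE status for this recipe can see the fix moved into the release rather than disappearing.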
diff --git a/meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb b/meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb
deleted file mode 100644
index a08acd9..0000000
--- a/meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb
+++ /dev/null
@@ -1,28 +0,0 @@
-SUMMARY = "The Mercurial distributed SCM"
-HOMEPAGE = "http://mercurial.selenic.com/"
-SECTION = "console/utils"
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-DEPENDS = "python-native"
-
-SRC_URI = "https://www.mercurial-scm.org/release/${BP}.tar.gz \
-           file://mercurial-CVE-2017-9462.patch \
-"
-SRC_URI[md5sum] = "22a9b1d7c0c06a53f0ae5b386d536d08"
-SRC_URI[sha256sum] = "6aa4ade93c1b5e11937820880a466ebf1c824086d443cd799fc46e2617250d40"
-
-S = "${WORKDIR}/mercurial-${PV}"
-
-inherit native
-
-EXTRA_OEMAKE = "STAGING_LIBDIR=${STAGING_LIBDIR} STAGING_INCDIR=${STAGING_INCDIR} \
-    PREFIX=${prefix}"
-
-do_configure_append () {
-    sed -i -e 's:PYTHON=python:PYTHON=${STAGING_BINDIR_NATIVE}/python-native/python:g' ${S}/Makefile
-}
-
-do_install () {
-    oe_runmake -e install-bin DESTDIR=${D} PREFIX=${prefix}
-}
-
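Review bot: the recipe appears here as a whole-file deletion and below as a whole-file creation because rename detection was not enabled when the patch was generated; regenerating it with `git format-patch -M` would present the version bump as a rename with a short diff (the removed `file://mercurial-CVE-2017-9462.patch` SRC_URI entry and the new md5sum/sha256sum lines), which is what a reviewer actually needs to check.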
diff --git a/meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.1.bb b/meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.1.bb
new file mode 100644
index 0000000..db2f3c4
--- /dev/null
+++ b/meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.1.bb
@@ -0,0 +1,27 @@
+SUMMARY = "The Mercurial distributed SCM"
+HOMEPAGE = "http://mercurial.selenic.com/"
+SECTION = "console/utils"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+DEPENDS = "python-native"
+
+SRC_URI = "https://www.mercurial-scm.org/release/${BP}.tar.gz \
+"
+SRC_URI[md5sum] = "37974a416d1d9525e1375c92025b16d9"
+SRC_URI[sha256sum] = "8f2a5512d6cc2ffb08988aef639330a2f0378e4ac3ee0e1fbbdb64d9fff56246"
+
+S = "${WORKDIR}/mercurial-${PV}"
+
+inherit native
+
+EXTRA_OEMAKE = "STAGING_LIBDIR=${STAGING_LIBDIR} STAGING_INCDIR=${STAGING_INCDIR} \
+    PREFIX=${prefix}"
+
+do_configure_append () {
+    sed -i -e 's:PYTHON=python:PYTHON=${STAGING_BINDIR_NATIVE}/python-native/python:g' ${S}/Makefile
+}
+
+do_install () {
+    oe_runmake -e install-bin DESTDIR=${D} PREFIX=${prefix}
+}
+
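Review bot: the commit message says "Update SRC_URI with the new download link", but the SRC_URI in this hunk is the same `https://www.mercurial-scm.org/release/${BP}.tar.gz` as in the removed 4.0.1 recipe; the only SRC_URI change is dropping the `file://` patch entry, and only the md5sum and sha256sum lines carry new values. Either correct the commit message or, if a different URL was intended, apply it. While the recipe is being touched, HOMEPAGE still points at `http://mercurial.selenic.com/` although the tarball is fetched from www.mercurial-scm.org over https, so updating HOMEPAGE to `https://www.mercurial-scm.org/` keeps the metadata consistent, and the now single-entry SRC_URI no longer needs the trailing backslash and the closing quote on its own line.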
-- 
1.9.1




* Re: [meta-oe][PATCH] mercurial: Upgrade to 4.4.1
  2017-11-09  6:20 [meta-oe][PATCH] mercurial: Upgrade to 4.4.1 Zhixiong Chi
@ 2017-11-09 14:14 ` Paul Barker
  2017-11-16  2:19 ` akuster808
  1 sibling, 0 replies; 4+ messages in thread
From: Paul Barker @ 2017-11-09 14:14 UTC (permalink / raw)
  To: Zhixiong Chi; +Cc: openembedded-devel

On Thu, Nov 9, 2017 at 6:20 AM, Zhixiong Chi <zhixiong.chi@windriver.com> wrote:
> * Upgrade to the latest release to fix some CVEs:
>  - CVE-2017-1000115: missing symlink check that can allow malicious repositories
>                      to modify files outside the repository
>  - CVE-2017-1000116: did not adequately sanitize hostnames passed to ssh,
>                      leading to possible shell-injection attacks.
>
> * For other changes please see: https://www.mercurial-scm.org/wiki/WhatsNew
>
> * Update SRC_URI with the new download link
>
> Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>

I sent a similar patch a few days ago which is already staged here:
http://git.openembedded.org/meta-openembedded-contrib/log/?h=jansa/master

Thanks,

-- 
Paul Barker
Togán Labs Ltd



* Re: [meta-oe][PATCH] mercurial: Upgrade to 4.4.1
  2017-11-09  6:20 [meta-oe][PATCH] mercurial: Upgrade to 4.4.1 Zhixiong Chi
  2017-11-09 14:14 ` Paul Barker
@ 2017-11-16  2:19 ` akuster808
  2017-11-16  2:23   ` Zhixiong Chi
  1 sibling, 1 reply; 4+ messages in thread
From: akuster808 @ 2017-11-16  2:19 UTC (permalink / raw)
  To: Zhixiong Chi, openembedded-devel



On 11/08/2017 10:20 PM, Zhixiong Chi wrote:
> * Upgrade to the latest release to fix some CVEs:
>  - CVE-2017-1000115: missing symlink check that can allow malicious repositories
>                      to modify files outside the repository
>  - CVE-2017-1000116: did not adequately sanitize hostnames passed to ssh,
>                      leading to possible shell-injection attacks.
>
> * For other changes please see: https://www.mercurial-scm.org/wiki/WhatsNew
>
> * Update SRC_URI with the new download link
>
> Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
> ---
>  .../mercurial/files/mercurial-CVE-2017-9462.patch  | 135 ---------------------
>  .../mercurial/mercurial-native_4.0.1.bb            |  28 -----
>  .../mercurial/mercurial-native_4.4.1.bb            |  27 +++++
4.4 was already in the pipeline and is in master. If you still want
4.4.1, please rebase and resend.

- armin

* Re: [meta-oe][PATCH] mercurial: Upgrade to 4.4.1
  2017-11-16  2:19 ` akuster808
@ 2017-11-16  2:23   ` Zhixiong Chi
  0 siblings, 0 replies; 4+ messages in thread
From: Zhixiong Chi @ 2017-11-16  2:23 UTC (permalink / raw)
  To: akuster808, openembedded-devel



On 2017-11-16 10:19, akuster808 wrote:
>
> On 11/08/2017 10:20 PM, Zhixiong Chi wrote:
>> * Upgrade to the latest release to fix some CVEs:
>>   - CVE-2017-1000115: missing symlink check that can allow malicious repositories
>>                       to modify files outside the repository
>>   - CVE-2017-1000116: did not adequately sanitize hostnames passed to ssh,
>>                       leading to possible shell-injection attacks.
>>
>> * For other changes please see: https://www.mercurial-scm.org/wiki/WhatsNew
>>
>> * Update SRC_URI with the new download link
>>
>> Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
>> ---
>>   .../mercurial/files/mercurial-CVE-2017-9462.patch  | 135 ---------------------
>>   .../mercurial/mercurial-native_4.0.1.bb            |  28 -----
>>   .../mercurial/mercurial-native_4.4.1.bb            |  27 +++++
> 4.4 was already in the pipe line and is in master. If you still want
> 4.4.1, please rebase and resend
I just sent this patch for CVE-2017-1000115 and CVE-2017-1000116;
the 4.4 version has included the patches, so please ignore this patch.

Thanks.

-- 
---------------------
Thanks,
Zhixiong Chi
Tel: +86-10-8477-7036


