[oe] [meta-oe][PATCH] mercurial: Upgrade to 4.4.1

Zhixiong Chi zhixiong.chi at windriver.com
Thu Nov 16 02:23:55 UTC 2017



On 2017年11月16日 10:19, akuster808 wrote:
>
> On 11/08/2017 10:20 PM, Zhixiong Chi wrote:
>> * Upgrade to the latest release to fix some CVEs:
>>   - CVE-2017-1000115: missing symlink check that can malicious repositories
>>                       to modify files outside the repository
>>   - CVE-2017-1000116: did not adequately sanitize hostnames passed to ssh,
>>                       leading to possible shell-injection attacks.
>>
>> * For other changes please see: https://www.mercurial-scm.org/wiki/WhatsNew
>>
>> * Update SRC_URI with the new download link
>>
>> Signed-off-by: Zhixiong Chi <zhixiong.chi at windriver.com>
>> ---
>>   .../mercurial/files/mercurial-CVE-2017-9462.patch  | 135 ---------------------
>>   .../mercurial/mercurial-native_4.0.1.bb            |  28 -----
>>   .../mercurial/mercurial-native_4.4.1.bb            |  27 +++++
> 4.4 was already in the pipe line and is in master. If you still want
> 4.4.1, please rebase and resend
I just send this patch for the CVE-2017-1000115 and CVE-2017-1000116, 
the 4.4 version has included
the patches, this please ignore this patch.

Thanks.
> - armin
>>   3 files changed, 27 insertions(+), 163 deletions(-)
>>   delete mode 100644 meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch
>>   delete mode 100644 meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb
>>   create mode 100644 meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.1.bb
>>
>> diff --git a/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch b/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch
>> deleted file mode 100644
>> index 3564661..0000000
>> --- a/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch
>> +++ /dev/null
>> @@ -1,135 +0,0 @@
>> -# HG changeset patch
>> -# User Augie Fackler <augie at google.com>
>> -# Date 1492021435 25200
>> -#      Wed Apr 12 11:23:55 2017 -0700
>> -# Branch stable
>> -# Node ID 77eaf9539499a1b8be259ffe7ada787d07857f80
>> -# Parent  68f263f52d2e3e2798b4f1e55cb665c6b043f93b
>> -dispatch: protect against malicious 'hg serve --stdio' invocations (sec)
>> -
>> -Some shared-ssh installations assume that 'hg serve --stdio' is a safe
>> -command to run for minimally trusted users. Unfortunately, the messy
>> -implementation of argument parsing here meant that trying to access a
>> -repo named '--debugger' would give the user a pdb prompt, thereby
>> -sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S)
>> -is unaffected.
>> -
>> -We're not currently hardening any subcommands other than 'serve'. If
>> -your service exposes other commands to users with arbitrary repository
>> -names, it is imperative that you defend against repository names of
>> -'--debugger' and anything starting with '--config'.
>> -
>> -The read-only mode of hg-ssh stopped working because it provided its hook
>> -configuration to "hg serve --stdio" via --config parameter. This is banned for
>> -security reasons now. This patch switches it to directly call ui.setconfig().
>> -If your custom hosting infrastructure relies on passing --config to
>> -"hg serve --stdio", you'll need to find a different way to get that configuration
>> -into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch,
>> -or by placing an hgrc file someplace where Mercurial will read it.
>> -
>> -mitrandir at fb.com provided some extra fixes for the dispatch code and
>> -for hg-ssh in places that I overlooked.
>> -
>> -CVE: CVE-2017-9462
>> -
>> -Upstream-Status: Backport
>> -
>> -diff --git a/contrib/hg-ssh b/contrib/hg-ssh
>> ---- a/contrib/hg-ssh
>> -+++ b/contrib/hg-ssh
>> -@@ -32,7 +32,7 @@
>> - # enable importing on demand to reduce startup time
>> - from mercurial import demandimport; demandimport.enable()
>> -
>> --from mercurial import dispatch
>> -+from mercurial import dispatch, ui as uimod
>> -
>> - import sys, os, shlex
>> -
>> -@@ -61,14 +61,15 @@
>> -         repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))
>> -         if repo in allowed_paths:
>> -             cmd = ['-R', repo, 'serve', '--stdio']
>> -+            req = dispatch.request(cmd)
>> -             if readonly:
>> --                cmd += [
>> --                    '--config',
>> --                    'hooks.pretxnopen.hg-ssh=python:__main__.rejectpush',
>> --                    '--config',
>> --                    'hooks.prepushkey.hg-ssh=python:__main__.rejectpush'
>> --                    ]
>> --            dispatch.dispatch(dispatch.request(cmd))
>> -+                if not req.ui:
>> -+                    req.ui = uimod.ui.load()
>> -+                req.ui.setconfig('hooks', 'pretxnopen.hg-ssh',
>> -+                                 'python:__main__.rejectpush', 'hg-ssh')
>> -+                req.ui.setconfig('hooks', 'prepushkey.hg-ssh',
>> -+                                 'python:__main__.rejectpush', 'hg-ssh')
>> -+            dispatch.dispatch(req)
>> -         else:
>> -             sys.stderr.write('Illegal repository "%s"\n' % repo)
>> -             sys.exit(255)
>> -diff --git a/mercurial/dispatch.py b/mercurial/dispatch.py
>> ---- a/mercurial/dispatch.py
>> -+++ b/mercurial/dispatch.py
>> -@@ -155,6 +155,37 @@
>> -         pass # happens if called in a thread
>> -
>> -     def _runcatchfunc():
>> -+        realcmd = None
>> -+        try:
>> -+            cmdargs = fancyopts.fancyopts(req.args[:], commands.globalopts, {})
>> -+            cmd = cmdargs[0]
>> -+            aliases, entry = cmdutil.findcmd(cmd, commands.table, False)
>> -+            realcmd = aliases[0]
>> -+        except (error.UnknownCommand, error.AmbiguousCommand,
>> -+                IndexError, getopt.GetoptError):
>> -+            # Don't handle this here. We know the command is
>> -+            # invalid, but all we're worried about for now is that
>> -+            # it's not a command that server operators expect to
>> -+            # be safe to offer to users in a sandbox.
>> -+            pass
>> -+        if realcmd == 'serve' and '--stdio' in cmdargs:
>> -+            # We want to constrain 'hg serve --stdio' instances pretty
>> -+            # closely, as many shared-ssh access tools want to grant
>> -+            # access to run *only* 'hg -R $repo serve --stdio'. We
>> -+            # restrict to exactly that set of arguments, and prohibit
>> -+            # any repo name that starts with '--' to prevent
>> -+            # shenanigans wherein a user does something like pass
>> -+            # --debugger or --config=ui.debugger=1 as a repo
>> -+            # name. This used to actually run the debugger.
>> -+            if (len(req.args) != 4 or
>> -+                req.args[0] != '-R' or
>> -+                req.args[1].startswith('--') or
>> -+                req.args[2] != 'serve' or
>> -+                req.args[3] != '--stdio'):
>> -+                raise error.Abort(
>> -+                    _('potentially unsafe serve --stdio invocation: %r') %
>> -+                    (req.args,))
>> -+
>> -         try:
>> -             debugger = 'pdb'
>> -             debugtrace = {
>> -diff --git a/tests/test-ssh.t b/tests/test-ssh.t
>> ---- a/tests/test-ssh.t
>> -+++ b/tests/test-ssh.t
>> -@@ -357,6 +357,19 @@
>> -   abort: destination 'a repo' is not empty
>> -   [255]
>> -
>> -+Make sure hg is really paranoid in serve --stdio mode. It used to be
>> -+possible to get a debugger REPL by specifying a repo named --debugger.
>> -+  $ hg -R --debugger serve --stdio
>> -+  abort: potentially unsafe serve --stdio invocation: ['-R', '--debugger', 'serve', '--stdio']
>> -+  [255]
>> -+  $ hg -R --config=ui.debugger=yes serve --stdio
>> -+  abort: potentially unsafe serve --stdio invocation: ['-R', '--config=ui.debugger=yes', 'serve', '--stdio']
>> -+  [255]
>> -+Abbreviations of 'serve' also don't work, to avoid shenanigans.
>> -+  $ hg -R narf serv --stdio
>> -+  abort: potentially unsafe serve --stdio invocation: ['-R', 'narf', 'serv', '--stdio']
>> -+  [255]
>> -+
>> - Test hg-ssh using a helper script that will restore PYTHONPATH (which might
>> - have been cleared by a hg.exe wrapper) and invoke hg-ssh with the right
>> - parameters:
>> diff --git a/meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb b/meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb
>> deleted file mode 100644
>> index a08acd9..0000000
>> --- a/meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb
>> +++ /dev/null
>> @@ -1,28 +0,0 @@
>> -SUMMARY = "The Mercurial distributed SCM"
>> -HOMEPAGE = "http://mercurial.selenic.com/"
>> -SECTION = "console/utils"
>> -LICENSE = "GPLv2"
>> -LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
>> -DEPENDS = "python-native"
>> -
>> -SRC_URI = "https://www.mercurial-scm.org/release/${BP}.tar.gz \
>> -           file://mercurial-CVE-2017-9462.patch \
>> -"
>> -SRC_URI[md5sum] = "22a9b1d7c0c06a53f0ae5b386d536d08"
>> -SRC_URI[sha256sum] = "6aa4ade93c1b5e11937820880a466ebf1c824086d443cd799fc46e2617250d40"
>> -
>> -S = "${WORKDIR}/mercurial-${PV}"
>> -
>> -inherit native
>> -
>> -EXTRA_OEMAKE = "STAGING_LIBDIR=${STAGING_LIBDIR} STAGING_INCDIR=${STAGING_INCDIR} \
>> -    PREFIX=${prefix}"
>> -
>> -do_configure_append () {
>> -    sed -i -e 's:PYTHON=python:PYTHON=${STAGING_BINDIR_NATIVE}/python-native/python:g' ${S}/Makefile
>> -}
>> -
>> -do_install () {
>> -    oe_runmake -e install-bin DESTDIR=${D} PREFIX=${prefix}
>> -}
>> -
>> diff --git a/meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.1.bb b/meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.1.bb
>> new file mode 100644
>> index 0000000..db2f3c4
>> --- /dev/null
>> +++ b/meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.1.bb
>> @@ -0,0 +1,27 @@
>> +SUMMARY = "The Mercurial distributed SCM"
>> +HOMEPAGE = "http://mercurial.selenic.com/"
>> +SECTION = "console/utils"
>> +LICENSE = "GPLv2"
>> +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
>> +DEPENDS = "python-native"
>> +
>> +SRC_URI = "https://www.mercurial-scm.org/release/${BP}.tar.gz \
>> +"
>> +SRC_URI[md5sum] = "37974a416d1d9525e1375c92025b16d9"
>> +SRC_URI[sha256sum] = "8f2a5512d6cc2ffb08988aef639330a2f0378e4ac3ee0e1fbbdb64d9fff56246"
>> +
>> +S = "${WORKDIR}/mercurial-${PV}"
>> +
>> +inherit native
>> +
>> +EXTRA_OEMAKE = "STAGING_LIBDIR=${STAGING_LIBDIR} STAGING_INCDIR=${STAGING_INCDIR} \
>> +    PREFIX=${prefix}"
>> +
>> +do_configure_append () {
>> +    sed -i -e 's:PYTHON=python:PYTHON=${STAGING_BINDIR_NATIVE}/python-native/python:g' ${S}/Makefile
>> +}
>> +
>> +do_install () {
>> +    oe_runmake -e install-bin DESTDIR=${D} PREFIX=${prefix}
>> +}
>> +
>

-- 
---------------------
Thanks,
Zhixiong Chi
Tel: +86-10-8477-7036




More information about the Openembedded-devel mailing list