Bug 1319768 (CVE-2016-3068)

Summary: CVE-2016-3068 mercurial: command injection via git subrepository urls
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anemec, pstodulk, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mercurial 3.7.3 Doc Type: Bug Fix
Doc Text:
It was discovered that Mercurial failed to properly check Git sub-repository URLs. A Mercurial repository that includes a Git sub-repository with a specially crafted URL could cause Mercurial to execute arbitrary code.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-02 13:02:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1322268, 1323599, 1327167, 1327168    
Bug Blocks: 1319772, 1322269    

Description Adam Mariš 2016-03-21 13:27:43 UTC 
It was reported that in mercurial, there is similar vulnerability as CVE-2015-7545 in git. Git's git-remote-ext remote helper provides an ext:: URL scheme that allows running arbitrary shell commands. Mercurial allows specifying git repositories as subrepositories. Git ext:: URLs can be specified as Mercurial subrepositories allowing arbitrary shell commands to be run on `hg clone ...`.
Comment 1 Adam Mariš 2016-03-21 13:27:47 UTC 
Acknowledgments:

Name: Blake Burkhart
Comment 3 Adam Mariš 2016-04-04 08:08:02 UTC 
*** Bug 1322266 has been marked as a duplicate of this bug. ***
Comment 4 Adam Mariš 2016-04-04 08:10:38 UTC 
External references:

https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29

Upstream fix:

https://selenic.com/repo/hg-stable/rev/34d43cb85de8
Comment 5 Adam Mariš 2016-04-04 08:13:12 UTC 
Created mercurial tracking bugs for this issue:

Affects: fedora-all [bug 1323599]
Comment 6 Tomas Hoger 2016-04-14 11:27:31 UTC 
Support for git subrepos was introduced upstream in mercurial version 1.8:

https://www.mercurial-scm.org/wiki/WhatsNew/Archive#Mercurial_1.8_.282011-03-01.29

Therefore, mercurial packages in Red Hat Enterprise Linux 6 based on upstream version 1.4 were not affected by this issue.
Comment 13 errata-xmlrpc 2016-05-02 12:58:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0706 https://rhn.redhat.com/errata/RHSA-2016-0706.html