Bug 1320155 (CVE-2016-3069)

Summary: CVE-2016-3069 mercurial: convert extension command injection via git repository names
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anemec, pstodulk, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mercurial 3.7.3 Doc Type: Bug Fix
Doc Text:
It was discovered that the Mercurial convert extension failed to sanitize special characters in Git repository names. A Git repository with a specially crafted name could cause Mercurial to execute arbitrary code when the Git repository was converted to a Mercurial repository.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-02 13:02:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1323600, 1327167, 1327168    
Bug Blocks: 1319772, 1322269    

Description Adam Mariš 2016-03-22 12:37:54 UTC 
It was reported that Convert extension in mercurial is vulnerable to command execution.

Vulnerable code:

https://selenic.com/hg/file/28575/hgext/convert/git.py#l346

Incorrect handling of command line parameters allows passing a full Git remote URL via a directory name. The Git ext:: URL scheme can be used to obtain arbitrary command execution.

Furthermore, lack of escaping of shell metacharacters allows arbitrary command injection, which is another way of exploiting the vulnerable code.
Comment 1 Adam Mariš 2016-03-22 12:37:59 UTC 
Acknowledgments:

Name: Blake Burkhart
Comment 3 Adam Mariš 2016-04-04 08:11:32 UTC 
*** Bug 1322267 has been marked as a duplicate of this bug. ***
Comment 4 Adam Mariš 2016-04-04 08:12:38 UTC 
External references:

https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29

Upstream fixes:

https://selenic.com/repo/hg-stable/rev/197eed39e3d5
https://selenic.com/repo/hg-stable/rev/cdda7b96afff
https://selenic.com/repo/hg-stable/rev/b732e7f2aba4
https://selenic.com/repo/hg-stable/rev/80cac1de6aea
https://selenic.com/repo/hg-stable/rev/ae279d4a19e9
Comment 5 Adam Mariš 2016-04-04 08:14:22 UTC 
Created mercurial tracking bugs for this issue:

Affects: fedora-all [bug 1323600]
Comment 6 Tomas Hoger 2016-04-14 11:31:30 UTC 
This flaw is triggered by a malicious git repository name, when such repository is converted to mercurial repository.
Comment 8 errata-xmlrpc 2016-05-02 12:58:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0706 https://rhn.redhat.com/errata/RHSA-2016-0706.html