Bug 1509868 (CVE-2017-17458)

Summary: CVE-2017-17458 mercurial: arbitrary command execution in mercurial repo with a git submodule
Product: [Other] Security Response Reporter: Cedric Buissart <cbuissar>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: katzj, mads, ndbecker2, pstodulk, skisela
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mercurial 4.4.1 Doc Type: If docs needed, set a value
Doc Text:
It was found that mercurial was vulnerable to cross repositories modification. A specially crafted mercurial repository could trigger arbitrary commands on a client during commands such as clone or update.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-01-16 14:58:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1509869    
Bug Blocks: 1509858    

Description Cedric Buissart 2017-11-06 09:06:52 UTC 
A vulnerability in Mercurial's handling of subrepositories was reported on the Mercurial Project's *public* bug tracker.

The vulnerability results in arbitrary code execution during `hg clone` or `hg pull` + `hg update` if a well-crafted repository is cloned or pulled from. The vulnerability is known to occur with Git subrepositories. But it can also possibly occur with other subrepository types. The vulnerability likely impacts Mercurial versions released for the past several years.
Comment 1 Cedric Buissart 2017-11-06 09:07:04 UTC 
External References:

https://bz.mercurial-scm.org/show_bug.cgi?id=5730
Comment 2 Cedric Buissart 2017-11-06 09:07:26 UTC 
Created mercurial tracking bugs for this issue:

Affects: fedora-all [bug 1509869]
Comment 4 Cedric Buissart 2018-01-16 14:43:08 UTC 
The fix consists of 2 distinct parts :
- prevents a mercurial sub-repository to cross another sub-repository
- disables sub-repositories by default.

Relevant patches :

 - tests: show symlink traversal across subrepo mount point (SEC)
https://www.mercurial-scm.org/repo/hg/rev/80d7dbda9294
 
 - subrepo: disallow symlink traversal across subrepo mount point (SEC)
https://www.mercurial-scm.org/repo/hg/rev/5e27afeddaee
 
 - subrepo: add config option to reject any subrepo operations (SEC)
https://www.mercurial-scm.org/repo/hg/rev/5e27afeddaee
 
 - subrepo: extend config option to disable subrepos by type (SEC)
https://www.mercurial-scm.org/repo/hg/rev/828cf35f1de6

 - subrepo: disable git and svn subrepos by default (BC) (SEC)
https://www.mercurial-scm.org/repo/hg/rev/846942fd6d15
Comment 5 Cedric Buissart 2018-01-16 14:51:20 UTC 
Statement:

This issue affects the versions of mercurial as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 6 Cedric Buissart 2018-01-16 14:51:37 UTC 
Mitigation:

Disable sub-repositories