Bug 1696025 (CVE-2019-3902)
| Summary: | CVE-2019-3902 mercurial: Path-checking logic bypass via symlinks and subrepositories | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | jlaska, katzj, mads, mbenatto, ndbecker2, pcahyna, pstodulk, sebastian.kisela |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | mercurial 4.9 | Doc Type: | If docs needed, set a value |
| Doc Text: |
Starting with version 1.5.3, Mercurial allows environment variable expansion on path names for sub repositories when creating it or cloning a parent repository, but it doesn't validate whether the final path name outside the repository root directory. An attacker can leverage this weakness using a combination of symbolic links and environment variables to craft a tampered repository, leading Mercurial to write files outside the repository as long the destination location is empty.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-27 03:28:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1696026, 1702107, 1702108 | ||
| Bug Blocks: | 1696027 | ||
|
Description
Pedro Sampaio
2019-04-04 03:21:30 UTC
Created mercurial tracking bugs for this issue: Affects: fedora-all [bug 1696026] Statement: This issue affects the versions of mercurial as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. List of patches: https://www.mercurial-scm.org/repo/hg/rev/31286c9282df https://www.mercurial-scm.org/repo/hg/rev/6c10eba6b9cd https://www.mercurial-scm.org/repo/hg/rev/83377b4b4ae0 Starting with version 1.5.3 Mercurial allow environment variable expansion on path names for subrepositories when creating it or cloning a parent repository, but it doesn't validate whether the final path name outside the repository root directory. An attacker can leverage this weakness using a combination of symbolic links and environment variables to craft a tampered repository, leading Mercurial to write files outside the repository as long the destination location is empty. This issue affects Mercurial version from 1.5.3 up to 4.8.2. External References: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29 Tower users have already restricted permissions by bubblewrap which will mitigate this attack. Tower is not affected by this issue as bubblewrap is enabled by default. Mercurial is not used in Openshift Online, so Openshift Online is not affected by this issue. |