Bug 1320155 (CVE-2016-3069) - CVE-2016-3069 mercurial: convert extension command injection via git repository names
Summary: CVE-2016-3069 mercurial: convert extension command injection via git reposito...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-3069
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1322267 (view as bug list)
Depends On: 1323600 1327167 1327168
Blocks: 1319772 1322269
TreeView+ depends on / blocked
 
Reported: 2016-03-22 12:37 UTC by Adam Mariš
Modified: 2021-02-17 04:08 UTC (History)
3 users (show)

Fixed In Version: mercurial 3.7.3
Doc Type: Bug Fix
Doc Text:
It was discovered that the Mercurial convert extension failed to sanitize special characters in Git repository names. A Git repository with a specially crafted name could cause Mercurial to execute arbitrary code when the Git repository was converted to a Mercurial repository.
Clone Of:
Environment:
Last Closed: 2016-05-02 13:02:42 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0706 0 normal SHIPPED_LIVE Important: mercurial security update 2016-05-02 16:57:46 UTC

Description Adam Mariš 2016-03-22 12:37:54 UTC
It was reported that Convert extension in mercurial is vulnerable to command execution.

Vulnerable code:

https://selenic.com/hg/file/28575/hgext/convert/git.py#l346

Incorrect handling of command line parameters allows passing a full Git remote URL via a directory name. The Git ext:: URL scheme can be used to obtain arbitrary command execution.

Furthermore, lack of escaping of shell metacharacters allows arbitrary command injection, which is another way of exploiting the vulnerable code.

Comment 1 Adam Mariš 2016-03-22 12:37:59 UTC
Acknowledgments:

Name: Blake Burkhart

Comment 3 Adam Mariš 2016-04-04 08:11:32 UTC
*** Bug 1322267 has been marked as a duplicate of this bug. ***

Comment 5 Adam Mariš 2016-04-04 08:14:22 UTC
Created mercurial tracking bugs for this issue:

Affects: fedora-all [bug 1323600]

Comment 6 Tomas Hoger 2016-04-14 11:31:30 UTC
This flaw is triggered by a malicious git repository name, when such repository is converted to mercurial repository.

Comment 8 errata-xmlrpc 2016-05-02 12:58:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0706 https://rhn.redhat.com/errata/RHSA-2016-0706.html


Note You need to log in before you can comment on or make changes to this bug.