Bug 1509868 (CVE-2017-17458) - CVE-2017-17458 mercurial: arbitrary command execution in mercurial repo with a git submodule
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-17458
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1509869
Blocks: 1509858
Reported: 2017-11-06 09:06 UTC by Cedric Buissart
Modified: 2021-02-17 01:17 UTC (History)

Fixed In Version: mercurial 4.4.1
Doc Type: If docs needed, set a value
Doc Text:
It was found that mercurial was vulnerable to cross-repository modification. A specially crafted mercurial repository could trigger arbitrary commands on a client during commands such as clone or update.
Clone Of:
Environment:
Last Closed: 2018-01-16 14:58:23 UTC
Embargoed:


Description Cedric Buissart 2017-11-06 09:06:52 UTC
A vulnerability in Mercurial's handling of subrepositories was reported on the Mercurial Project's *public* bug tracker.

The vulnerability results in arbitrary code execution during `hg clone` or `hg pull` + `hg update` if a well-crafted repository is cloned or pulled from. The vulnerability is known to occur with Git subrepositories. But it can also possibly occur with other subrepository types. The vulnerability likely impacts Mercurial versions released for the past several years.

Comment 1 Cedric Buissart 2017-11-06 09:07:04 UTC
External References:

https://bz.mercurial-scm.org/show_bug.cgi?id=5730

Comment 2 Cedric Buissart 2017-11-06 09:07:26 UTC
Created mercurial tracking bugs for this issue:

Affects: fedora-all [bug 1509869]

Comment 4 Cedric Buissart 2018-01-16 14:43:08 UTC
The fix consists of 2 distinct parts:
- prevents a mercurial sub-repository from crossing another sub-repository
- disables sub-repositories by default.

Relevant patches:

- tests: show symlink traversal across subrepo mount point (SEC)
  https://www.mercurial-scm.org/repo/hg/rev/80d7dbda9294

- subrepo: disallow symlink traversal across subrepo mount point (SEC)
  https://www.mercurial-scm.org/repo/hg/rev/5e27afeddaee

- subrepo: add config option to reject any subrepo operations (SEC)
  https://www.mercurial-scm.org/repo/hg/rev/5e27afeddaee

- subrepo: extend config option to disable subrepos by type (SEC)
  https://www.mercurial-scm.org/repo/hg/rev/828cf35f1de6

- subrepo: disable git and svn subrepos by default (BC) (SEC)
  https://www.mercurial-scm.org/repo/hg/rev/846942fd6d15

Comment 5 Cedric Buissart 2018-01-16 14:51:20 UTC
Statement:

This issue affects the versions of mercurial as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 6 Cedric Buissart 2018-01-16 14:51:37 UTC
Mitigation:

Disable sub-repositories

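A pre-clone audit of a repository's `.hgsub` manifest, as an added example that is not Mercurial's code and not part of this bug report: it lists the git and svn subrepositories that the fix described in Comment 4 disables by default, flags mount points that would resolve outside the parent checkout, and emits the hgrc fragment for the mitigation in Comment 6. The `path = [kind]source` manifest syntax and the `subrepos.allowed` option introduced in 4.4.1 are assumed from Mercurial's documentation; the sample manifest is constructed.

```python
import posixpath
import re

# Constructed .hgsub content for this example: "path = [kind]source", kind defaults to hg.
SAMPLE_HGSUB = """\
# comments and blank lines are ignored
lib/core = lib/core
vendor/tool = [git]https://example.invalid/tool.git
build/x = [svn]https://example.invalid/svn/trunk
../escape = [git]https://example.invalid/evil.git
"""

_ENTRY = re.compile(r"^(?P<path>[^=]+?)\s*=\s*(?:\[(?P<kind>\w+)\])?(?P<source>.+?)\s*$")


def parse_hgsub(text):
    """Return (path, kind, source) tuples; kind is 'hg' when the prefix is omitted."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if m:
            kind = (m.group("kind") or "hg").lower()
            entries.append((m.group("path").strip(), kind, m.group("source")))
    return entries


def audit_hgsub(text):
    """Flag git/svn subrepos (disabled by default since 4.4.1) and mount
    points that would land outside the parent checkout (a sanity check on
    the manifest only; it does not detect the symlink traversal the patches fix)."""
    findings = []
    for path, kind, source in parse_hgsub(text):
        if kind != "hg":
            findings.append(f"{path}: {kind} subrepo, disabled by default since 4.4.1 ({source})")
        norm = posixpath.normpath(path)
        if path.startswith("/") or norm == ".." or norm.startswith("../"):
            findings.append(f"{path}: mount point escapes the parent repository")
    return findings


def hgrc_disable_subrepos():
    """hgrc fragment for the mitigation 'Disable sub-repositories'. The
    subrepos.allowed key is the option added in 4.4.1 (assumption: confirm
    with `hg help config` on the installed version)."""
    return "[subrepos]\nallowed = false\n"


if __name__ == "__main__":
    print("\n".join(audit_hgsub(SAMPLE_HGSUB)) + "\n" + hgrc_disable_subrepos())
```

Run it against the `.hgsub` of a repository before cloning or updating it; the hgrc fragment goes into the user's or system hgrc to apply the mitigation on clients that cannot yet be upgraded.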
