Bug 1696025 (CVE-2019-3902) - CVE-2019-3902 mercurial: Path-checking logic bypass via symlinks and subrepositories
Summary: CVE-2019-3902 mercurial: Path-checking logic bypass via symlinks and subrepos...
Status: NEW
Alias: CVE-2019-3902
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190313,repor...
Keywords: Security
Depends On: 1696026 1702107 1702108
Blocks: 1696027
Reported: 2019-04-04 03:21 UTC by Pedro Sampaio
Modified: 2019-06-08 23:57 UTC (History)
CC List: 10 users

Starting with version 1.5.3, Mercurial allows environment variable expansion in path names for subrepositories when creating them or cloning a parent repository, but it does not validate whether the final path name lies outside the repository root directory. An attacker can leverage this weakness using a combination of symbolic links and environment variables to craft a tampered repository, leading Mercurial to write files outside the repository as long as the destination location is empty.
Clone Of:
Last Closed:



Description Pedro Sampaio 2019-04-04 03:21:30 UTC
A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.

References:

https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29

Comment 1 Pedro Sampaio 2019-04-04 03:21:44 UTC
Created mercurial tracking bugs for this issue:

Affects: fedora-all [bug 1696026]

Comment 5 Marco Benatto 2019-04-23 00:27:49 UTC
Statement:

This issue affects the versions of mercurial as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 10 Marco Benatto 2019-04-23 13:55:00 UTC
Starting with version 1.5.3, Mercurial allows environment variable expansion in path names for subrepositories when creating them or cloning a parent repository, but it does not validate whether the final path name lies outside the repository root directory. An attacker can leverage this weakness using a combination of symbolic links and environment variables to craft a tampered repository, leading Mercurial to write files outside the repository as long as the destination location is empty.

This issue affects Mercurial versions from 1.5.3 up to 4.8.2.
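As an added illustration of the missing validation the comment describes (hypothetical code, not Mercurial's own), the following Python function expands environment variables in a subrepository path, resolves symlinks, and rejects any path whose final location falls outside the repository root; the repository layout and the HG_DEMO_OUTSIDE variable are constructed for the demo.

```python
import os
import tempfile


def resolve_subrepo_path(repo_root, subrepo_path):
    """Return the final on-disk location of a subrepo path, or raise
    ValueError if it escapes repo_root after env-var expansion and
    symlink resolution. Hypothetical check, not Mercurial's code."""
    root = os.path.realpath(repo_root)
    expanded = os.path.expandvars(subrepo_path)
    # join() discards root if the expanded value is absolute; realpath()
    # then follows any symlinks, so we compare the *final* location.
    candidate = os.path.realpath(os.path.join(root, expanded))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"subrepo path escapes repository root: {subrepo_path!r}")
    return candidate


def is_inside_repo(repo_root, subrepo_path):
    try:
        resolve_subrepo_path(repo_root, subrepo_path)
        return True
    except ValueError:
        return False


def run_cases():
    """Build a constructed repo in a temp dir and check three subrepo
    paths: a plain directory, a symlink pointing outside the root, and
    an environment variable expanding to a path outside the root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "repo")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "lib"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(root, "escape"))
        os.environ["HG_DEMO_OUTSIDE"] = outside  # constructed variable
        return {
            "plain": is_inside_repo(root, "lib"),
            "symlink": is_inside_repo(root, "escape/sub"),
            "envvar": is_inside_repo(root, "$HG_DEMO_OUTSIDE/sub"),
        }


if __name__ == "__main__":
    print(run_cases())
```

Only the plain directory is accepted; both the symlink and the environment-variable path resolve outside the root and are rejected.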

Comment 11 Marco Benatto 2019-04-23 14:09:33 UTC
External References:

https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29

Comment 12 Borja Tarraso 2019-04-30 07:00:49 UTC
Tower users already have permissions restricted by bubblewrap, which mitigates this attack. Tower is not affected by this issue as bubblewrap is enabled by default.

Comment 13 Borja Tarraso 2019-04-30 07:05:21 UTC
Mercurial is not used in OpenShift Online, so OpenShift Online is not affected by this issue.
