[Python-apps-commits] r11640 - in packages/mercurial/branches/jessie/debian (7 files)
vicho at users.alioth.debian.org
vicho at users.alioth.debian.org
Sun Dec 21 20:25:16 UTC 2014
Date: Sunday, December 21, 2014 @ 20:25:15
Author: vicho
Revision: 11640
Fix "CVE-2014-9390: Errors in handling case-sensitive directories
allow for remote code execution on pull" by adding patches
from_upstream__test-casefolding_t_demonstrate_a_bug_with_HFS_ignoring_some_codepoints.patch,
from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch,
from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch,
from_upstream__darwin_omit_ignorable_codepoints_when_normcaseing_a_file_path.patch
and
from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
(Closes: #773640)
Added:
packages/mercurial/branches/jessie/debian/patches/from_upstream__darwin_omit_ignorable_codepoints_when_normcaseing_a_file_path.patch
packages/mercurial/branches/jessie/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
packages/mercurial/branches/jessie/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
packages/mercurial/branches/jessie/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
packages/mercurial/branches/jessie/debian/patches/from_upstream__test-casefolding_t_demonstrate_a_bug_with_HFS_ignoring_some_codepoints.patch
Modified:
packages/mercurial/branches/jessie/debian/changelog
packages/mercurial/branches/jessie/debian/patches/series
Modified: packages/mercurial/branches/jessie/debian/changelog
===================================================================
--- packages/mercurial/branches/jessie/debian/changelog 2014-12-21 19:48:22 UTC (rev 11639)
+++ packages/mercurial/branches/jessie/debian/changelog 2014-12-21 20:25:15 UTC (rev 11640)
@@ -1,3 +1,17 @@
+mercurial (3.1.2-2) UNRELEASED; urgency=high
+
+ * Fix "CVE-2014-9390: Errors in handling case-sensitive directories
+ allow for remote code execution on pull" by adding patches
+ from_upstream__test-casefolding_t_demonstrate_a_bug_with_HFS_ignoring_some_codepoints.patch,
+ from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch,
+ from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch,
+ from_upstream__darwin_omit_ignorable_codepoints_when_normcaseing_a_file_path.patch
+ and
+ from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
+ (Closes: #773640)
+
+ -- Javi Merino <vicho at debian.org> Sun, 21 Dec 2014 20:51:38 +0100
+
mercurial (3.1.2-1) unstable; urgency=medium
* New upstream version
Added: packages/mercurial/branches/jessie/debian/patches/from_upstream__darwin_omit_ignorable_codepoints_when_normcaseing_a_file_path.patch
===================================================================
--- packages/mercurial/branches/jessie/debian/patches/from_upstream__darwin_omit_ignorable_codepoints_when_normcaseing_a_file_path.patch (rev 0)
+++ packages/mercurial/branches/jessie/debian/patches/from_upstream__darwin_omit_ignorable_codepoints_when_normcaseing_a_file_path.patch 2014-12-21 20:25:15 UTC (rev 11640)
@@ -0,0 +1,46 @@
+Origin: http://selenic.com/repo/hg-stable/rev/7a5bcd471f2e
+Description: darwin: omit ignorable codepoints when normcase()ing a file path
+ This lets us avoid some nasty case collision problems in OS X with
+ invisible codepoints.
+ .
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/mercurial/posix.py
++++ b/mercurial/posix.py
+@@ -204,6 +204,7 @@ if sys.platform == 'darwin':
+ - escape-encode invalid characters
+ - decompose to NFD
+ - lowercase
++ - omit ignored characters [200c-200f, 202a-202e, 206a-206f,feff]
+
+ >>> normcase('UPPER')
+ 'upper'
+@@ -262,7 +263,9 @@ if sys.platform == 'darwin':
+ u = s.decode('utf-8')
+
+ # Decompose then lowercase (HFS+ technote specifies lower)
+- return unicodedata.normalize('NFD', u).lower().encode('utf-8')
++ enc = unicodedata.normalize('NFD', u).lower().encode('utf-8')
++ # drop HFS+ ignored characters
++ return encoding.hfsignoreclean(enc)
+
+ if sys.platform == 'cygwin':
+ # workaround for cygwin, in which mount point part of path is
+--- a/tests/test-casefolding.t
++++ b/tests/test-casefolding.t
+@@ -200,12 +200,11 @@ case changes.
+ We assume anyone running the tests on a case-insensitive volume on OS
+ X will be using HFS+. If that's not true, this test will fail.
+
+-Bug: some codepoints are to be ignored on HFS+:
+-
+ $ rm A
+ >>> open(u'a\u200c'.encode('utf-8'), 'w').write('unicode is fun')
+ $ hg status
+ M A
+- ? a\xe2\x80\x8c (esc)
++
+ #endif
++
+ $ cd ..
Added: packages/mercurial/branches/jessie/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
===================================================================
--- packages/mercurial/branches/jessie/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch (rev 0)
+++ packages/mercurial/branches/jessie/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch 2014-12-21 20:25:15 UTC (rev 11640)
@@ -0,0 +1,44 @@
+Origin: http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
+Description: encoding: add hfsignoreclean to clean out HFS-ignored characters
+ According to Apple Technote 1150 (unavailable from Apple as far as I
+ can tell, but archived in several places online), HFS+ ignores sixteen
+ specific unicode runes when doing path normalization. We need to
+ handle those cases, so this function lets us efficiently strip the
+ offending characters from a UTF-8 encoded string (which is the only
+ way it seems to matter on OS X.)
+ .
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+diff --git a/mercurial/encoding.py b/mercurial/encoding.py
+--- a/mercurial/encoding.py
++++ b/mercurial/encoding.py
+@@ -8,6 +8,28 @@
+ import error
+ import unicodedata, locale, os
+
++# These unicode characters are ignored by HFS+ (Apple Technote 1150,
++# "Unicode Subtleties"), so we need to ignore them in some places for
++# sanity.
++_ignore = [unichr(int(x, 16)).encode("utf-8") for x in
++ "200c 200d 200e 200f 202a 202b 202c 202d 202e "
++ "206a 206b 206c 206d 206e 206f feff".split()]
++# verify the next function will work
++assert set([i[0] for i in _ignore]) == set(["\xe2", "\xef"])
++
++def hfsignoreclean(s):
++ """Remove codepoints ignored by HFS+ from s.
++
++ >>> hfsignoreclean(u'.h\u200cg'.encode('utf-8'))
++ '.hg'
++ >>> hfsignoreclean(u'.h\ufeffg'.encode('utf-8'))
++ '.hg'
++ """
++ if "\xe2" in s or "\xef" in s:
++ for c in _ignore:
++ s = s.replace(c, '')
++ return s
++
+ def _getpreferredencoding():
+ '''
+ On darwin, getpreferredencoding ignores the locale environment and
Added: packages/mercurial/branches/jessie/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
===================================================================
--- packages/mercurial/branches/jessie/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch (rev 0)
+++ packages/mercurial/branches/jessie/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch 2014-12-21 20:25:15 UTC (rev 11640)
@@ -0,0 +1,63 @@
+Origin: http://selenic.com/repo/hg-stable/rev/6dad422ecc5a
+Description: pathauditor: check for Windows shortname aliases
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/mercurial/pathutil.py
++++ b/mercurial/pathutil.py
+@@ -46,6 +46,13 @@ class pathauditor(object):
+ or _lowerclean(parts[0]) in ('.hg', '.hg.', '')
+ or os.pardir in parts):
+ raise util.Abort(_("path contains illegal component: %s") % path)
++ # Windows shortname aliases
++ for p in parts:
++ if "~" in p:
++ first, last = p.split("~", 1)
++ if last.isdigit() and first.upper() in ["HG", "HG8B6C"]:
++ raise util.Abort(_("path contains illegal component: %s")
++ % path)
+ if '.hg' in _lowerclean(path):
+ lparts = [_lowerclean(p.lower()) for p in parts]
+ for p in '.hg', '.hg.':
+--- a/tests/test-commit.t
++++ b/tests/test-commit.t
+@@ -435,4 +435,38 @@ verify pathauditor blocks evil filepaths
+ abort: path contains illegal component: .h\xe2\x80\x8cg/hgrc (esc)
+ [255]
+
+- $ cd ..
++ $ hg rollback -f
++ repository tip rolled back to revision 1 (undo commit)
++ $ cat > evil-commit.py <<EOF
++ > from mercurial import ui, hg, context, node
++ > notrc = "HG~1/hgrc"
++ > u = ui.ui()
++ > r = hg.repository(u, '.')
++ > def filectxfn(repo, memctx, path):
++ > return context.memfilectx(repo, path, '[hooks]\nupdate = echo owned')
++ > c = context.memctx(r, [r['tip'].node(), node.nullid],
++ > 'evil', [notrc], filectxfn, 0)
++ > r.commitctx(c)
++ > EOF
++ $ $PYTHON evil-commit.py
++ $ hg co --clean tip
++ abort: path contains illegal component: HG~1/hgrc
++ [255]
++
++ $ hg rollback -f
++ repository tip rolled back to revision 1 (undo commit)
++ $ cat > evil-commit.py <<EOF
++ > from mercurial import ui, hg, context, node
++ > notrc = "HG8B6C~2/hgrc"
++ > u = ui.ui()
++ > r = hg.repository(u, '.')
++ > def filectxfn(repo, memctx, path):
++ > return context.memfilectx(repo, path, '[hooks]\nupdate = echo owned')
++ > c = context.memctx(r, [r['tip'].node(), node.nullid],
++ > 'evil', [notrc], filectxfn, 0)
++ > r.commitctx(c)
++ > EOF
++ $ $PYTHON evil-commit.py
++ $ hg co --clean tip
++ abort: path contains illegal component: HG8B6C~2/hgrc
++ [255]
Added: packages/mercurial/branches/jessie/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
===================================================================
--- packages/mercurial/branches/jessie/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch (rev 0)
+++ packages/mercurial/branches/jessie/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch 2014-12-21 20:25:15 UTC (rev 11640)
@@ -0,0 +1,59 @@
+Origin: http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
+Description: pathauditor: check for codepoints ignored on OS X
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/mercurial/pathutil.py
++++ b/mercurial/pathutil.py
+@@ -1,8 +1,12 @@
+ import os, errno, stat
+
++import encoding
+ import util
+ from i18n import _
+
++def _lowerclean(s):
++ return encoding.hfsignoreclean(s.lower())
++
+ class pathauditor(object):
+ '''ensure that a filesystem path contains no banned components.
+ the following properties of a path are checked:
+@@ -39,11 +43,11 @@ class pathauditor(object):
+ raise util.Abort(_("path ends in directory separator: %s") % path)
+ parts = util.splitpath(path)
+ if (os.path.splitdrive(path)[0]
+- or parts[0].lower() in ('.hg', '.hg.', '')
++ or _lowerclean(parts[0]) in ('.hg', '.hg.', '')
+ or os.pardir in parts):
+ raise util.Abort(_("path contains illegal component: %s") % path)
+- if '.hg' in path.lower():
+- lparts = [p.lower() for p in parts]
++ if '.hg' in _lowerclean(path):
++ lparts = [_lowerclean(p.lower()) for p in parts]
+ for p in '.hg', '.hg.':
+ if p in lparts[1:]:
+ pos = lparts.index(p)
+--- a/tests/test-commit.t
++++ b/tests/test-commit.t
+@@ -418,4 +418,21 @@ commit copy
+ 0 0 6 ..... 0 26d3ca0dfd18 000000000000 000000000000 (re)
+ 1 6 7 ..... 1 d267bddd54f7 26d3ca0dfd18 000000000000 (re)
+
++verify pathauditor blocks evil filepaths
++ $ cat > evil-commit.py <<EOF
++ > from mercurial import ui, hg, context, node
++ > notrc = u".h\u200cg".encode('utf-8') + '/hgrc'
++ > u = ui.ui()
++ > r = hg.repository(u, '.')
++ > def filectxfn(repo, memctx, path):
++ > return context.memfilectx(repo, path, '[hooks]\nupdate = echo owned')
++ > c = context.memctx(r, [r['tip'].node(), node.nullid],
++ > 'evil', [notrc], filectxfn, 0)
++ > r.commitctx(c)
++ > EOF
++ $ $PYTHON evil-commit.py
++ $ hg co --clean tip
++ abort: path contains illegal component: .h\xe2\x80\x8cg/hgrc (esc)
++ [255]
++
+ $ cd ..
Added: packages/mercurial/branches/jessie/debian/patches/from_upstream__test-casefolding_t_demonstrate_a_bug_with_HFS_ignoring_some_codepoints.patch
===================================================================
--- packages/mercurial/branches/jessie/debian/patches/from_upstream__test-casefolding_t_demonstrate_a_bug_with_HFS_ignoring_some_codepoints.patch (rev 0)
+++ packages/mercurial/branches/jessie/debian/patches/from_upstream__test-casefolding_t_demonstrate_a_bug_with_HFS_ignoring_some_codepoints.patch 2014-12-21 20:25:15 UTC (rev 11640)
@@ -0,0 +1,26 @@
+Origin: http://selenic.com/repo/hg-stable/rev/035434b407be
+Description: test-casefolding.t: demonstrate a bug with HFS+ ignoring some codepoints
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+diff --git a/tests/test-casefolding.t b/tests/test-casefolding.t
+--- a/tests/test-casefolding.t
++++ b/tests/test-casefolding.t
+@@ -195,4 +195,17 @@ case changes.
+ $ hg qrefresh a # issue 3271, qrefresh with file handled case wrong
+ $ hg status # empty status means the qrefresh worked
+
++#if osx
++
++We assume anyone running the tests on a case-insensitive volume on OS
++X will be using HFS+. If that's not true, this test will fail.
++
++Bug: some codepoints are to be ignored on HFS+:
++
++ $ rm A
++ >>> open(u'a\u200c'.encode('utf-8'), 'w').write('unicode is fun')
++ $ hg status
++ M A
++ ? a\xe2\x80\x8c (esc)
++#endif
+ $ cd ..
Modified: packages/mercurial/branches/jessie/debian/patches/series
===================================================================
--- packages/mercurial/branches/jessie/debian/patches/series 2014-12-21 19:48:22 UTC (rev 11639)
+++ packages/mercurial/branches/jessie/debian/patches/series 2014-12-21 20:25:15 UTC (rev 11640)
@@ -9,3 +9,8 @@
for_upstream__dont_rm_usr_bin_python_when_running_testsuite.patch
for_upstream__lenient_test-shelve.patch
from_upstream__test-patchbomb_t_work_around_Python_change_d579866d6419_issue4188.patch
+from_upstream__test-casefolding_t_demonstrate_a_bug_with_HFS_ignoring_some_codepoints.patch
+from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
+from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
+from_upstream__darwin_omit_ignorable_codepoints_when_normcaseing_a_file_path.patch
+from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
More information about the Python-apps-commits
mailing list