[Python-apps-commits] r11990 - in packages/mercurial/branches/squeeze/debian (5 files)

vicho at users.alioth.debian.org vicho at users.alioth.debian.org
Tue Jun 2 19:52:18 UTC 2015


    Date: Tuesday, June 2, 2015 @ 19:52:17
  Author: vicho
Revision: 11990

Updates from Guido

Added:
  packages/mercurial/branches/squeeze/debian/patches/from_upstream__sshpeer_even_more_thorough_shell_quoting.patch
  packages/mercurial/branches/squeeze/debian/patches/from_upstream__test_CVE-2014-930.patch
Modified:
  packages/mercurial/branches/squeeze/debian/changelog
  packages/mercurial/branches/squeeze/debian/patches/series
  packages/mercurial/branches/squeeze/debian/rules

Modified: packages/mercurial/branches/squeeze/debian/changelog
===================================================================
--- packages/mercurial/branches/squeeze/debian/changelog	2015-06-01 09:50:20 UTC (rev 11989)
+++ packages/mercurial/branches/squeeze/debian/changelog	2015-06-02 19:52:17 UTC (rev 11990)
@@ -1,5 +1,6 @@
 mercurial (1.6.4-1+deb6u1) squeeze-lts; urgency=medium
 
+  [Javi Merino]
   * Fix "CVE-2014-9462" by adding patch
     from_upstream__sshpeer_more_thorough_shell_quoting.patch
   * Fix "CVE-2014-9390: Errors in handling case-sensitive directories
@@ -8,6 +9,12 @@
     from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch,
     and
     from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
+
+  [Guido Günther]
+  * Fix "CVE-2014-9462" by adding patch
+    from_upstream__sshpeer_even_more_thorough_shell_quoting.patch
+  * Run tests for CVE-2014-9390 by adding patch
+    from_upstream__test_CVE-2014-930.patch
   
  -- Javi Merino <vicho at debian.org>  Wed, 27 May 2015 11:49:05 +0100
 

Added: packages/mercurial/branches/squeeze/debian/patches/from_upstream__sshpeer_even_more_thorough_shell_quoting.patch
===================================================================
--- packages/mercurial/branches/squeeze/debian/patches/from_upstream__sshpeer_even_more_thorough_shell_quoting.patch	                        (rev 0)
+++ packages/mercurial/branches/squeeze/debian/patches/from_upstream__sshpeer_even_more_thorough_shell_quoting.patch	2015-06-02 19:52:17 UTC (rev 11990)
@@ -0,0 +1,36 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx at sigxcpu.org>
+Date: Fri, 29 May 2015 14:37:57 +0200
+Subject: from_upstream__sshpeer_even_more_thorough_shell_quoting
+
+---
+ mercurial/sshrepo.py | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/mercurial/sshrepo.py b/mercurial/sshrepo.py
+index f487498..dd02f96 100644
+--- a/mercurial/sshrepo.py
++++ b/mercurial/sshrepo.py
+@@ -51,8 +51,9 @@ class sshrepository(repo.repository):
+                             _serverquote(self.port))
+ 
+         if create:
+-            cmd = '%s %s "%s init %s"'
+-            cmd = cmd % (sshcmd, args, remotecmd, self.path)
++            cmd = '%s %s %s' % (sshcmd, args,
++                util.shellquote("%s init %s" %
++                    (_serverquote(remotecmd), _serverquote(self.path))))
+ 
+             ui.note(_('running %s\n') % cmd)
+             res = util.system(cmd)
+@@ -68,8 +69,9 @@ class sshrepository(repo.repository):
+         # cleanup up previous run
+         self.cleanup()
+ 
+-        cmd = '%s %s "%s -R %s serve --stdio"'
+-        cmd = cmd % (sshcmd, args, remotecmd, self.path)
++        cmd = '%s %s %s' % (sshcmd, args,
++            util.shellquote("%s -R %s serve --stdio" %
++                (_serverquote(remotecmd), _serverquote(self.path))))
+ 
+         cmd = util.quotecommand(cmd)
+         ui.note(_('running %s\n') % cmd)
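Review bot: The patch header carries no DEP-3 metadata: the Subject line is only the quilt file name, and there is no Description, Origin or Bug field linking it to the upstream changeset or to CVE-2014-9462, which the changelog in this same commit says it fixes. Suggest adding `Description: sshpeer: even more thorough shell quoting (follow-up to CVE-2014-9462)` and `Origin: upstream, <upstream changeset id>` above the `---` separator so the provenance is recorded in the patch itself rather than only in its file name. The new lines also call `_serverquote`, whose definition is not in this hunk; presumably it comes from the earlier from_upstream__sshpeer_more_thorough_shell_quoting.patch in series, so the ordering dependency is worth stating in the header. Both hunks of the inner diff are cut from methods of sshrepository whose bodies continue outside the hunk.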

Added: packages/mercurial/branches/squeeze/debian/patches/from_upstream__test_CVE-2014-930.patch
===================================================================
--- packages/mercurial/branches/squeeze/debian/patches/from_upstream__test_CVE-2014-930.patch	                        (rev 0)
+++ packages/mercurial/branches/squeeze/debian/patches/from_upstream__test_CVE-2014-930.patch	2015-06-02 19:52:17 UTC (rev 11990)
@@ -0,0 +1,89 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx at sigxcpu.org>
+Date: Fri, 29 May 2015 15:14:15 +0200
+Subject: from_upstream__test_CVE-2014-930
+
+---
+
+diff --git a/tests/test-CVE-2014-9390 b/tests/test-CVE-2014-9390
+new file mode 100755
+index 0000000..b62dbb1
+--- /dev/null
++++ b/tests/test-CVE-2014-9390
+@@ -0,0 +1,65 @@
++#!/bin/sh
++#
++# Tests for CVE-2014-9390
++
++PYTHON=python
++
++# Windows short names
++echo % Tests for CVE-2014-9390
++hg init test
++cd test
++
++echo foo > foo
++hg add foo
++HGEDITOR=true hg commit -m "foo"
++
++hg rollback
++cat > evil-commit.py <<EOF
++from mercurial import ui, hg, context, node
++notrc = "HG~1/hgrc"
++u = ui.ui()
++r = hg.repository(u, '.')
++def filectxfn(repo, memctx, path):
++    return context.memfilectx(path, '[hooks]\nupdate = echo owned')
++c = context.memctx(r, [r['tip'].node(), node.nullid],
++                   'evil', [notrc], filectxfn, 0)
++r.commitctx(c)
++EOF
++$PYTHON evil-commit.py
++hg co --clean tip
++
++hg rollback
++cat > evil-commit.py <<EOF
++from mercurial import ui, hg, context, node
++notrc = "HG8B6C~2/hgrc"
++u = ui.ui()
++r = hg.repository(u, '.')
++def filectxfn(repo, memctx, path):
++    return context.memfilectx(path, '[hooks]\nupdate = echo owned')
++c = context.memctx(r, [r['tip'].node(), node.nullid],
++                   'evil', [notrc], filectxfn, 0)
++r.commitctx(c)
++EOF
++$PYTHON evil-commit.py
++hg co --clean tip
++
++# Check for codepoints ignored on OS X
++cat > evil-commit.py <<EOF
++from mercurial import ui, hg, context, node
++notrc = u".h\u200cg".encode('utf-8') + '/hgrc'
++u = ui.ui()
++r = hg.repository(u, '.')
++def filectxfn(repo, memctx, path):
++    return context.memfilectx(path, '[hooks]\nupdate = echo owned')
++c = context.memctx(r, [r['tip'].node(), node.nullid],
++                   'evil', [notrc], filectxfn, 0)
++r.commitctx(c)
++EOF
++$PYTHON evil-commit.py
++hg co --clean tip
++
++cd ..
++rm -rf test
++exit 0
++
++
+diff --git a/tests/test-CVE-2014-9390.out b/tests/test-CVE-2014-9390.out
+new file mode 100644
+index 0000000..3004062
+--- /dev/null
++++ b/tests/test-CVE-2014-9390.out
+@@ -0,0 +1,6 @@
++% Tests for CVE-2014-9390
++rolling back to revision -1 (undo commit)
++abort: path contains illegal component: HG~1/hgrc
++rolling back to revision -1 (undo commit)
++abort: path contains illegal component: HG8B6C~2/hgrc
++abort: path contains illegal component: .h‌g/hgrc
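Review bot: The patch file name and its Subject line read CVE-2014-930, while the test and expected-output file it adds are named test-CVE-2014-9390, so a digit of the CVE id is dropped in the quilt name, the series entry and the changelog entry; renaming the file to from_upstream__test_CVE-2014-9390.patch (and the matching series and changelog lines) before this lands avoids a misleading name. As with the sshpeer patch, there is no DEP-3 Description or Origin field; a line such as `Description: tests: add regression test for CVE-2014-9390 (Windows short names, codepoints ignored on OS X)` would record why the patch exists. The last line of the .out file embeds a raw U+200C zero-width non-joiner inside `.h‌g/hgrc`, which is invisible in most editors and easily lost on re-save; a comment in the test script next to the third case, `# the path below contains U+200C, invisible but significant`, would protect it.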

Modified: packages/mercurial/branches/squeeze/debian/patches/series
===================================================================
--- packages/mercurial/branches/squeeze/debian/patches/series	2015-06-01 09:50:20 UTC (rev 11989)
+++ packages/mercurial/branches/squeeze/debian/patches/series	2015-06-02 19:52:17 UTC (rev 11990)
@@ -8,6 +8,8 @@
 proposed_upstream__correct-zeroconf-doc
 deb_specific__install-mo-fhs.patch
 from_upstream__sshpeer_more_thorough_shell_quoting.patch
+from_upstream__sshpeer_even_more_thorough_shell_quoting.patch
 from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
 from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
 from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
+from_upstream__test_CVE-2014-930.patch

Modified: packages/mercurial/branches/squeeze/debian/rules
===================================================================
--- packages/mercurial/branches/squeeze/debian/rules	2015-06-01 09:50:20 UTC (rev 11989)
+++ packages/mercurial/branches/squeeze/debian/rules	2015-06-02 19:52:17 UTC (rev 11990)
@@ -11,6 +11,8 @@
 ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
 	# Tests are not yet ready to be run in Debian build context
 	#$(MAKE) tests
+	chmod a+x tests/test-CVE-2014-9390
+	make test-CVE-2014-9390
 endif
 	# Do not start a line with a word with a dot in a manpage
 	sed -i -e 's,^[.]\(hgignore\|hg/hgrc\),\\fP\1,' doc/hg.1
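Review bot: The added `make test-CVE-2014-9390` invokes make by name, whereas the commented-out line just above uses `$(MAKE)`; inside a recipe the recursive call should be `$(MAKE) test-CVE-2014-9390` so the parent's flags, jobserver and chosen make binary are inherited. The preceding `chmod a+x tests/test-CVE-2014-9390` is presumably there because the quilt patch's `new file mode 100755` is not applied together with its content; a comment saying so, `# quilt does not restore the executable bit the patch declares`, would stop a later cleanup from dropping it. The comment "Tests are not yet ready to be run in Debian build context" now sits directly above a test that is run, so it should be reworded to say that only this single test is run. The enclosing rule's target line starts outside the hunk.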



