[Python-apps-commits] r11887 - in packages/mercurial/branches/jessie/debian (3 files)
vicho at users.alioth.debian.org
vicho at users.alioth.debian.org
Fri May 1 18:04:06 UTC 2015
Date: Friday, May 1, 2015 @ 18:04:05
Author: vicho
Revision: 11887
Fix "CVE-2014-9462" by adding patch
from_upstream__sshpeer_more_thorough_shell_quoting.patch
(Closes: #783237)
Added:
packages/mercurial/branches/jessie/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch
Modified:
packages/mercurial/branches/jessie/debian/changelog
packages/mercurial/branches/jessie/debian/patches/series
Modified: packages/mercurial/branches/jessie/debian/changelog
===================================================================
--- packages/mercurial/branches/jessie/debian/changelog 2015-05-01 00:14:19 UTC (rev 11886)
+++ packages/mercurial/branches/jessie/debian/changelog 2015-05-01 18:04:05 UTC (rev 11887)
@@ -1,3 +1,11 @@
+mercurial (3.1.2-3) UNRELEASED; urgency=high
+
+ * Fix "CVE-2014-9462" by adding patch
+ from_upstream__sshpeer_more_thorough_shell_quoting.patch
+ (Closes: #783237)
+
+ -- Javi Merino <vicho at debian.org> Fri, 01 May 2015 18:34:35 +0100
+
mercurial (3.1.2-2) unstable; urgency=high
* Fix "CVE-2014-9390: Errors in handling case-sensitive directories
Added: packages/mercurial/branches/jessie/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch
===================================================================
--- packages/mercurial/branches/jessie/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch (rev 0)
+++ packages/mercurial/branches/jessie/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch 2015-05-01 18:04:05 UTC (rev 11887)
@@ -0,0 +1,31 @@
+Origin: http://selenic.com/hg/rev/e3f30068d2eb
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783237
+Description: sshpeer: more thorough shell quoting
+ This fixes CVE-2014-9462
+Applied-Upstream: 3.2.4
+
+diff --git a/mercurial/sshpeer.py b/mercurial/sshpeer.py
+--- a/mercurial/sshpeer.py
++++ b/mercurial/sshpeer.py
+@@ -20,6 +20,8 @@ class remotelock(object):
+ self.release()
+
+ def _serverquote(s):
++ if not s:
++ return s
+ '''quote a string for the remote shell ... which we assume is sh'''
+ if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s):
+ return s
+@@ -45,7 +47,10 @@ class sshpeer(wireproto.wirepeer):
+ sshcmd = self.ui.config("ui", "ssh", "ssh")
+ remotecmd = self.ui.config("ui", "remotecmd", "hg")
+
+- args = util.sshargs(sshcmd, self.host, self.user, self.port)
++ args = util.sshargs(sshcmd,
++ _serverquote(self.host),
++ _serverquote(self.user),
++ _serverquote(self.port))
+
+ if create:
+ cmd = '%s %s %s' % (sshcmd, args,
+
Modified: packages/mercurial/branches/jessie/debian/patches/series
===================================================================
--- packages/mercurial/branches/jessie/debian/patches/series 2015-05-01 00:14:19 UTC (rev 11886)
+++ packages/mercurial/branches/jessie/debian/patches/series 2015-05-01 18:04:05 UTC (rev 11887)
@@ -12,3 +12,4 @@
from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
+from_upstream__sshpeer_more_thorough_shell_quoting.patch
More information about the Python-apps-commits
mailing list