[Python-apps-commits] r11901 - in packages/mercurial/branches/wheezy/debian (3 files)
vicho at users.alioth.debian.org
vicho at users.alioth.debian.org
Wed May 6 07:07:46 UTC 2015
Date: Wednesday, May 6, 2015 @ 07:07:38
Author: vicho
Revision: 11901
Fix "CVE-2014-9462" by adding patch
from_upstream__sshpeer_more_thorough_shell_quoting.patch (Closes:
#783237)
Added:
packages/mercurial/branches/wheezy/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch
Modified:
packages/mercurial/branches/wheezy/debian/changelog
packages/mercurial/branches/wheezy/debian/patches/series
Modified: packages/mercurial/branches/wheezy/debian/changelog
===================================================================
--- packages/mercurial/branches/wheezy/debian/changelog 2015-05-03 19:53:22 UTC (rev 11900)
+++ packages/mercurial/branches/wheezy/debian/changelog 2015-05-06 07:07:38 UTC (rev 11901)
@@ -1,3 +1,11 @@
+mercurial (2.2.2-4+deb7u1) UNRELEASED; urgency=medium
+
+ * Fix "CVE-2014-9462" by adding patch
+ from_upstream__sshpeer_more_thorough_shell_quoting.patch (Closes:
+ #783237)
+
+ -- Javi Merino <vicho at debian.org> Sun, 03 May 2015 20:29:11 +0100
+
mercurial (2.2.2-4) stable; urgency=high
* Security update for CVE-2014-9390: errors in handling case-sensitive
Added: packages/mercurial/branches/wheezy/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch
===================================================================
--- packages/mercurial/branches/wheezy/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch (rev 0)
+++ packages/mercurial/branches/wheezy/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch 2015-05-06 07:07:38 UTC (rev 11901)
@@ -0,0 +1,29 @@
+Origin: http://selenic.com/hg/rev/e3f30068d2eb
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783237
+Description: sshpeer: more thorough shell quoting
+ This fixes CVE-2014-9462
+Applied-Upstream: 3.2.4
+
+--- a/mercurial/sshrepo.py
++++ b/mercurial/sshrepo.py
+@@ -20,6 +20,8 @@ class remotelock(object):
+ self.release()
+
+ def _serverquote(s):
++ if not s:
++ return s
+ '''quote a string for the remote shell ... which we assume is sh'''
+ if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s):
+ return s
+@@ -44,7 +46,10 @@ class sshrepository(wireproto.wirereposi
+ sshcmd = self.ui.config("ui", "ssh", "ssh")
+ remotecmd = self.ui.config("ui", "remotecmd", "hg")
+
+- args = util.sshargs(sshcmd, self.host, self.user, self.port)
++ args = util.sshargs(sshcmd,
++ _serverquote(self.host),
++ _serverquote(self.user),
++ _serverquote(self.port))
+
+ if create:
+ cmd = '%s %s %s' % (sshcmd, args,
Modified: packages/mercurial/branches/wheezy/debian/patches/series
===================================================================
--- packages/mercurial/branches/wheezy/debian/patches/series 2015-05-03 19:53:22 UTC (rev 11900)
+++ packages/mercurial/branches/wheezy/debian/patches/series 2015-05-06 07:07:38 UTC (rev 11901)
@@ -14,3 +14,4 @@
from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
+from_upstream__sshpeer_more_thorough_shell_quoting.patch
More information about the Python-apps-commits
mailing list