[Python-apps-commits] r11965 - in packages/mercurial/branches/squeeze/debian (3 files)
vicho at users.alioth.debian.org
vicho at users.alioth.debian.org
Fri May 22 01:32:42 UTC 2015
Date: Friday, May 22, 2015 @ 01:32:37
Author: vicho
Revision: 11965
Fix "CVE-2014-9462" by adding patch
from_upstream__sshpeer_more_thorough_shell_quoting.patch
Added:
packages/mercurial/branches/squeeze/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch
Modified:
packages/mercurial/branches/squeeze/debian/changelog
packages/mercurial/branches/squeeze/debian/patches/series
Modified: packages/mercurial/branches/squeeze/debian/changelog
===================================================================
--- packages/mercurial/branches/squeeze/debian/changelog 2015-05-20 20:25:16 UTC (rev 11964)
+++ packages/mercurial/branches/squeeze/debian/changelog 2015-05-22 01:32:37 UTC (rev 11965)
@@ -1,3 +1,10 @@
+mercurial (1.6.4-1+deb6u1) UNRELEASED; urgency=medium
+
+ * Fix "CVE-2014-9462" by adding patch
+ from_upstream__sshpeer_more_thorough_shell_quoting.patch
+
+ -- Javi Merino <vicho at debian.org> Tue, 19 May 2015 12:37:46 +0900
+
mercurial (1.6.4-1) unstable; urgency=low
* New upstream release 1.6.4 (Closes: #598850)
Added: packages/mercurial/branches/squeeze/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch
===================================================================
--- packages/mercurial/branches/squeeze/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch (rev 0)
+++ packages/mercurial/branches/squeeze/debian/patches/from_upstream__sshpeer_more_thorough_shell_quoting.patch 2015-05-22 01:32:37 UTC (rev 11965)
@@ -0,0 +1,35 @@
+Origin: http://selenic.com/hg/rev/e3f30068d2eb
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783237
+Description: sshpeer: more thorough shell quoting
+ This fixes CVE-2014-9462. Adapted to 1.6.4 by Javi Merino <vicho at debian.org>
+Applied-Upstream: 3.2.4
+
+--- a/mercurial/sshrepo.py
++++ b/mercurial/sshrepo.py
+@@ -20,6 +20,14 @@ class remotelock(object):
+ if self.repo:
+ self.release()
+
++def _serverquote(s):
++ if not s:
++ return s
++ '''quote a string for the remote shell ... which we assume is sh'''
++ if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s):
++ return s
++ return "'%s'" % s.replace("'", "'\\''")
++
+ class sshrepository(repo.repository):
+ def __init__(self, ui, path, create=0):
+ self._url = path
+@@ -37,7 +45,10 @@ class sshrepository(repo.repository):
+ sshcmd = self.ui.config("ui", "ssh", "ssh")
+ remotecmd = self.ui.config("ui", "remotecmd", "hg")
+
+- args = util.sshargs(sshcmd, self.host, self.user, self.port)
++ args = util.sshargs(sshcmd,
++ _serverquote(self.host),
++ _serverquote(self.user),
++ _serverquote(self.port))
+
+ if create:
+ cmd = '%s %s "%s init %s"'
Modified: packages/mercurial/branches/squeeze/debian/patches/series
===================================================================
--- packages/mercurial/branches/squeeze/debian/patches/series 2015-05-20 20:25:16 UTC (rev 11964)
+++ packages/mercurial/branches/squeeze/debian/patches/series 2015-05-22 01:32:37 UTC (rev 11965)
@@ -7,3 +7,4 @@
deb_specific__optional-dependencies
proposed_upstream__correct-zeroconf-doc
deb_specific__install-mo-fhs.patch
+from_upstream__sshpeer_more_thorough_shell_quoting.patch
More information about the Python-apps-commits
mailing list