[Python-apps-commits] r11982 - in packages/mercurial/branches/squeeze/debian (5 files)
vicho at users.alioth.debian.org
vicho at users.alioth.debian.org
Wed May 27 10:15:33 UTC 2015
Date: Wednesday, May 27, 2015 @ 10:15:29
Author: vicho
Revision: 11982
Fix "CVE-2014-9390: Errors in handling case-sensitive directories
allow for remote code execution on pull" by adding patches
from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch,
from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch,
and
from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
Added:
packages/mercurial/branches/squeeze/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
packages/mercurial/branches/squeeze/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
packages/mercurial/branches/squeeze/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
Modified:
packages/mercurial/branches/squeeze/debian/changelog
packages/mercurial/branches/squeeze/debian/patches/series
Modified: packages/mercurial/branches/squeeze/debian/changelog
===================================================================
--- packages/mercurial/branches/squeeze/debian/changelog 2015-05-26 19:44:53 UTC (rev 11981)
+++ packages/mercurial/branches/squeeze/debian/changelog 2015-05-27 10:15:29 UTC (rev 11982)
@@ -2,7 +2,13 @@
* Fix "CVE-2014-9462" by adding patch
from_upstream__sshpeer_more_thorough_shell_quoting.patch
-
+ * Fix "CVE-2014-9390: Errors in handling case-sensitive directories
+ allow for remote code execution on pull" by adding patches
+ from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch,
+ from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch,
+ and
+ from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
+
-- Javi Merino <vicho at debian.org> Tue, 19 May 2015 12:37:46 +0900
mercurial (1.6.4-1) unstable; urgency=low
Added: packages/mercurial/branches/squeeze/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
===================================================================
--- packages/mercurial/branches/squeeze/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch (rev 0)
+++ packages/mercurial/branches/squeeze/debian/patches/from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch 2015-05-27 10:15:29 UTC (rev 11982)
@@ -0,0 +1,43 @@
+Origin: http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
+Description: encoding: add hfsignoreclean to clean out HFS-ignored characters
+ According to Apple Technote 1150 (unavailable from Apple as far as I
+ can tell, but archived in several places online), HFS+ ignores sixteen
+ specific unicode runes when doing path normalization. We need to
+ handle those cases, so this function lets us efficiently strip the
+ offending characters from a UTF-8 encoded string (which is the only
+ way it seems to matter on OS X.)
+ .
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/mercurial/encoding.py
++++ b/mercurial/encoding.py
+@@ -8,6 +8,28 @@
+ import error
+ import sys, unicodedata, locale, os
+
++# These unicode characters are ignored by HFS+ (Apple Technote 1150,
++# "Unicode Subtleties"), so we need to ignore them in some places for
++# sanity.
++_ignore = [unichr(int(x, 16)).encode("utf-8") for x in
++ "200c 200d 200e 200f 202a 202b 202c 202d 202e "
++ "206a 206b 206c 206d 206e 206f feff".split()]
++# verify the next function will work
++assert set([i[0] for i in _ignore]) == set(["\xe2", "\xef"])
++
++def hfsignoreclean(s):
++ """Remove codepoints ignored by HFS+ from s.
++
++ >>> hfsignoreclean(u'.h\u200cg'.encode('utf-8'))
++ '.hg'
++ >>> hfsignoreclean(u'.h\ufeffg'.encode('utf-8'))
++ '.hg'
++ """
++ if "\xe2" in s or "\xef" in s:
++ for c in _ignore:
++ s = s.replace(c, '')
++ return s
++
+ def _getpreferredencoding():
+ '''
+ On darwin, getpreferredencoding ignores the locale environment and
Added: packages/mercurial/branches/squeeze/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
===================================================================
--- packages/mercurial/branches/squeeze/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch (rev 0)
+++ packages/mercurial/branches/squeeze/debian/patches/from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch 2015-05-27 10:15:29 UTC (rev 11982)
@@ -0,0 +1,21 @@
+Origin: http://selenic.com/repo/hg-stable/rev/6dad422ecc5a
+Description: pathauditor: check for Windows shortname aliases
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/mercurial/util.py
++++ b/mercurial/util.py
+@@ -513,6 +513,13 @@ class path_auditor(object):
+ or _lowerclean(parts[0]) in ('.hg', '.hg.', '')
+ or os.pardir in parts):
+ raise Abort(_("path contains illegal component: %s") % path)
++ # Windows shortname aliases
++ for p in parts:
++ if "~" in p:
++ first, last = p.split("~", 1)
++ if last.isdigit() and first.upper() in ["HG", "HG8B6C"]:
++ raise Abort(_("path contains illegal component: %s")
++ % path)
+ if '.hg' in _lowerclean(path):
+ lparts = [_lowerclean(p.lower()) for p in parts]
+ for p in '.hg', '.hg.':
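Review bot: The context line `or _lowerclean(parts[0]) in ('.hg', '.hg.', '')` exists only once the codepoints patch has been applied, so this patch silently depends on `from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch` being earlier in `series`; the series hunk in this commit does order them that way, but the dependency is not recorded anywhere, and a line in the DEP-3 header such as `Comment: must be applied after from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch` would keep a later reorder from breaking `quilt push`. As a point of style, the membership test `first.upper() in ["HG", "HG8B6C"]` would read more conventionally against a tuple, `first.upper() in ("HG", "HG8B6C")`, matching the tuple used on the `_lowerclean(parts[0])` line above it. The enclosing auditor method starts and ends outside the hunk.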
Added: packages/mercurial/branches/squeeze/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
===================================================================
--- packages/mercurial/branches/squeeze/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch (rev 0)
+++ packages/mercurial/branches/squeeze/debian/patches/from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch 2015-05-27 10:15:29 UTC (rev 11982)
@@ -0,0 +1,32 @@
+Origin: http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
+Description: pathauditor: check for codepoints ignored on OS X
+ This is a fix for CVE-2014-9390
+Applied-Upstream: 3.2.3
+
+--- a/mercurial/util.py
++++ b/mercurial/util.py
+@@ -486,6 +486,9 @@ def copyfiles(src, dst, hardlink=None):
+
+ return hardlink, num
+
++def _lowerclean(s):
++ return encoding.hfsignoreclean(s.lower())
++
+ class path_auditor(object):
+ '''ensure that a filesystem path contains no banned components.
+ the following properties of a path are checked:
+@@ -507,11 +510,11 @@ class path_auditor(object):
+ normpath = os.path.normcase(path)
+ parts = splitpath(normpath)
+ if (os.path.splitdrive(path)[0]
+- or parts[0].lower() in ('.hg', '.hg.', '')
++ or _lowerclean(parts[0]) in ('.hg', '.hg.', '')
+ or os.pardir in parts):
+ raise Abort(_("path contains illegal component: %s") % path)
+- if '.hg' in path.lower():
+- lparts = [p.lower() for p in parts]
++ if '.hg' in _lowerclean(path):
++ lparts = [_lowerclean(p.lower()) for p in parts]
+ for p in '.hg', '.hg.':
+ if p in lparts[1:]:
+ pos = lparts.index(p)
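Review bot: `lparts = [_lowerclean(p.lower()) for p in parts]` lowercases each component twice, since `_lowerclean` already calls `s.lower()` before `encoding.hfsignoreclean`; the redundant call is harmless but obscures that `_lowerclean` is the single normalisation step, so `lparts = [_lowerclean(p) for p in parts]` would be clearer. `_lowerclean` itself carries no docstring; I would add `"""Lowercase s and strip codepoints that HFS+ ignores, for component comparisons."""` so the reason both steps are combined is visible at the definition. The new helper references `encoding`, and this hunk does not show `util.py` importing it — presumably the 1.6.4 module already does, but that is worth confirming when backporting since a missing import would only surface as a NameError at the first audited path. The auditor method that the second hunk patches starts and ends outside the hunk.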
Modified: packages/mercurial/branches/squeeze/debian/patches/series
===================================================================
--- packages/mercurial/branches/squeeze/debian/patches/series 2015-05-26 19:44:53 UTC (rev 11981)
+++ packages/mercurial/branches/squeeze/debian/patches/series 2015-05-27 10:15:29 UTC (rev 11982)
@@ -8,3 +8,6 @@
proposed_upstream__correct-zeroconf-doc
deb_specific__install-mo-fhs.patch
from_upstream__sshpeer_more_thorough_shell_quoting.patch
+from_upstream__encoding_add_hfsignoreclean_to_clean_out_HFS-ignored_characters.patch
+from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
+from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch