[Python-apps-commits] r13257 - in packages/mercurial/branches/wheezy/debian (11 files)
vicho at users.alioth.debian.org
vicho at users.alioth.debian.org
Sat May 28 09:30:28 UTC 2016
Date: Saturday, May 28, 2016 @ 09:30:26
Author: vicho
Revision: 13257
Update to 2.2.2-4+deb7u3
Added:
packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert-add-new,-non-clowny-interface-for-shelling-out-to-git.patch
packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert-dead-code-removal---old-git-calling-functions.patch
packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert-rewrite-calls-to-Git-to-use-the-new-shelling-mechanism.patch
packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert-test-for-shell-injection-in-git-calls.patch
packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert_pass_absolute_paths_to_git.patch
packages/mercurial/branches/wheezy/debian/patches/from_upstream__mpatch_rewrite_pointer_overflow_checks.patch
packages/mercurial/branches/wheezy/debian/patches/from_upstream__parsers-detect-short-records.patch
packages/mercurial/branches/wheezy/debian/patches/from_upstream__parsers-fix-list-sizing-rounding-error.patch
packages/mercurial/branches/wheezy/debian/patches/from_upstream__subrepo-set-GIT_ALLOW_PROTOCOL-to-limit-git-clone-protocols.patch
Modified:
packages/mercurial/branches/wheezy/debian/changelog
packages/mercurial/branches/wheezy/debian/patches/series
Modified: packages/mercurial/branches/wheezy/debian/changelog
===================================================================
--- packages/mercurial/branches/wheezy/debian/changelog 2016-05-28 09:24:27 UTC (rev 13256)
+++ packages/mercurial/branches/wheezy/debian/changelog 2016-05-28 09:30:26 UTC (rev 13257)
@@ -1,3 +1,29 @@
+mercurial (2.2.2-4+deb7u3) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Wheezy LTS Team.
+ * CVE-2016-3105:
+ + convert: pass absolute paths to git
+
+ -- Thorsten Alteholz <debian at alteholz.de> Fri, 06 May 2016 10:03:02 +0200
+
+mercurial (2.2.2-4+deb7u2) wheezy-security; urgency=high
+
+ * CVE-2016-3630:
+ + mpatch: rewrite pointer overflow checks (prerequisite for the following)
+ + parsers: fix list sizing rounding error
+ + parsers: detect short records
+ * CVE-2016-3068:
+ + subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols
+ * CVE-2016-3069:
+ + convert: add new, non-clowny interface for shelling out to git
+ + convert: rewrite calls to Git to use the new shelling mechanism
+ + convert: dead code removal - old git calling functions
+ + convert: rewrite gitpipe to use common.commandline
+ + convert: test for shell injection in git calls
+ Closes: #819504
+
+ -- Julien Cristau <jcristau at debian.org> Fri, 01 Apr 2016 22:51:48 +0200
+
mercurial (2.2.2-4+deb7u1) wheezy-security; urgency=high
* Fix "CVE-2014-9462" by adding patch
Added: packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert-add-new,-non-clowny-interface-for-shelling-out-to-git.patch
===================================================================
--- packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert-add-new,-non-clowny-interface-for-shelling-out-to-git.patch (rev 0)
+++ packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert-add-new,-non-clowny-interface-for-shelling-out-to-git.patch 2016-05-28 09:30:26 UTC (rev 13257)
@@ -0,0 +1,66 @@
+# HG changeset patch
+# User Mateusz Kwapich <mitrandir at fb.com>
+# Date 1458691511 25200
+# Tue Mar 22 17:05:11 2016 -0700
+# Branch stable
+# Node ID 197eed39e3d5e9a8cadfd9ba5839eb14cc265caa
+# Parent 34d43cb85de8d06764039d8868eee19d00fddeab
+convert: add new, non-clowny interface for shelling out to git (SEC)
+
+CVE-2016-3069 (1/5)
+
+To avoid shell injection and for the sake of simplicity let's use the
+common.commandline for calling git.
+
+--- mercurial-2.2.2.orig/hgext/convert/git.py
++++ mercurial-2.2.2/hgext/convert/git.py
+@@ -8,13 +8,13 @@
+ import os
+ from mercurial import util
+ from mercurial.node import hex, nullid
+ from mercurial.i18n import _
+
+-from common import NoRepo, commit, converter_source, checktool
++from common import NoRepo, commit, converter_source, checktool, commandline
+
+-class convert_git(converter_source):
++class convert_git(converter_source, commandline):
+ # Windows does not support GIT_DIR= construct while other systems
+ # cannot remove environment variable. Just assume none have
+ # both issues.
+ if util.safehasattr(os, 'unsetenv'):
+ def gitopen(self, s, noerr=False):
+@@ -37,17 +37,33 @@ class convert_git(converter_source):
+ (sin, so, se) = util.popen3('GIT_DIR=%s %s' % (self.path, s))
+ return so
+ else:
+ return util.popen('GIT_DIR=%s %s' % (self.path, s), 'rb')
+
++ def _gitcmd(self, cmd, *args, **kwargs):
++ return cmd('--git-dir=%s' % self.path, *args, **kwargs)
++
++ def gitrun0(self, *args, **kwargs):
++ return self._gitcmd(self.run0, *args, **kwargs)
++
++ def gitrun(self, *args, **kwargs):
++ return self._gitcmd(self.run, *args, **kwargs)
++
++ def gitrunlines0(self, *args, **kwargs):
++ return self._gitcmd(self.runlines0, *args, **kwargs)
++
++ def gitrunlines(self, *args, **kwargs):
++ return self._gitcmd(self.runlines, *args, **kwargs)
++
+ def gitread(self, s):
+ fh = self.gitopen(s)
+ data = fh.read()
+ return data, fh.close()
+
+ def __init__(self, ui, path, rev=None):
+ super(convert_git, self).__init__(ui, path, rev=rev)
++ commandline.__init__(self, ui, 'git')
+
+ if os.path.isdir(path + "/.git"):
+ path += "/.git"
+ if not os.path.exists(path + "/objects"):
+ raise NoRepo(_("%s does not look like a Git repository") % path)
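Review bot: `_gitcmd`, `gitrun0`, `gitrun`, `gitrunlines0` and `gitrunlines` (L98-L111) carry no documentation, and the property that matters for CVE-2016-3069 — each positional argument reaches git as one separately quoted word and is never spliced into shell text — lives only in the commit message. I'd put it on `_gitcmd`: `"""Run git on self.path through common.commandline; every positional arg is passed as one argument, never interpolated into a shell string."""`. In 2.2.2 `common.commandline` presumably still assembles a command line with `util.shellquote` and runs it via a shell (the `sshpeer_more_thorough_shell_quoting` entry in `series` at L876 hardens that same quoting), so the guarantee rests on shellquote being correct rather than on an argv exec — worth one sentence in the docstring, to be confirmed against common.py. The old string-building `gitopen`/`gitread` path (L91-L96, L113-L116) survives in this intermediate state and is only removed two patches later in the series, so the tree is not safe until the whole series is applied.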
Added: packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert-dead-code-removal---old-git-calling-functions.patch
===================================================================
--- packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert-dead-code-removal---old-git-calling-functions.patch (rev 0)
+++ packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert-dead-code-removal---old-git-calling-functions.patch 2016-05-28 09:30:26 UTC (rev 13257)
@@ -0,0 +1,46 @@
+# HG changeset patch
+# User Mateusz Kwapich <mitrandir at fb.com>
+# Date 1458691511 25200
+# Tue Mar 22 17:05:11 2016 -0700
+# Branch stable
+# Node ID b732e7f2aba4c4c417278c7c7488006301551855
+# Parent cdda7b96afff3433eafdeeb83ded83a5b25b7a5b
+convert: dead code removal - old git calling functions (SEC)
+
+CVE-2016-3069 (3/5)
+
+--- mercurial-2.2.2.orig/hgext/convert/git.py
++++ mercurial-2.2.2/hgext/convert/git.py
+@@ -14,32 +14,10 @@ from common import NoRepo, commit, conve
+
+ class convert_git(converter_source, commandline):
+ # Windows does not support GIT_DIR= construct while other systems
+ # cannot remove environment variable. Just assume none have
+ # both issues.
+- if util.safehasattr(os, 'unsetenv'):
+- def gitopen(self, s, noerr=False):
+- prevgitdir = os.environ.get('GIT_DIR')
+- os.environ['GIT_DIR'] = self.path
+- try:
+- if noerr:
+- (stdin, stdout, stderr) = util.popen3(s)
+- return stdout
+- else:
+- return util.popen(s, 'rb')
+- finally:
+- if prevgitdir is None:
+- del os.environ['GIT_DIR']
+- else:
+- os.environ['GIT_DIR'] = prevgitdir
+- else:
+- def gitopen(self, s, noerr=False):
+- if noerr:
+- (sin, so, se) = util.popen3('GIT_DIR=%s %s' % (self.path, s))
+- return so
+- else:
+- return util.popen('GIT_DIR=%s %s' % (self.path, s), 'rb')
+
+ def _gitcmd(self, cmd, *args, **kwargs):
+ return cmd('--git-dir=%s' % self.path, *args, **kwargs)
+
+ def gitrun0(self, *args, **kwargs):
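Review bot: The class comment at L147-L149 ("Windows does not support GIT_DIR= construct while other systems cannot remove environment variable...") now describes code that no longer exists; with both `gitopen` variants deleted nothing in the class touches `GIT_DIR`, so the comment will send the next reader looking for environment handling that is gone. Replace it with what the class actually does now, e.g. `# git is always invoked through commandline with an explicit --git-dir=<path> argument, so no GIT_DIR environment juggling is needed on any platform.` The remaining `_gitcmd` wrapper at L173-L174 is where that comment belongs.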
Added: packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert-rewrite-calls-to-Git-to-use-the-new-shelling-mechanism.patch
===================================================================
--- packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert-rewrite-calls-to-Git-to-use-the-new-shelling-mechanism.patch (rev 0)
+++ packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert-rewrite-calls-to-Git-to-use-the-new-shelling-mechanism.patch 2016-05-28 09:30:26 UTC (rev 13257)
@@ -0,0 +1,166 @@
+# HG changeset patch
+# User Mateusz Kwapich <mitrandir at fb.com>
+# Date 1458691511 25200
+# Tue Mar 22 17:05:11 2016 -0700
+# Branch stable
+# Node ID cdda7b96afff3433eafdeeb83ded83a5b25b7a5b
+# Parent 197eed39e3d5e9a8cadfd9ba5839eb14cc265caa
+convert: rewrite calls to Git to use the new shelling mechanism (SEC)
+
+CVE-2016-3069 (2/5)
+
+One test output changed because we were ignoring git return code in numcommits
+before.
+
+[jcristau: no numcommits in 2.2, so no test change]
+
+--- mercurial-2.2.2.orig/hgext/convert/git.py
++++ mercurial-2.2.2/hgext/convert/git.py
+@@ -72,23 +72,23 @@ class convert_git(converter_source, comm
+
+ self.path = path
+
+ def getheads(self):
+ if not self.rev:
+- heads, ret = self.gitread('git rev-parse --branches --remotes')
+- heads = heads.splitlines()
++ output, status = self.gitrun('rev-parse', '--branches', '--remotes')
++ heads = output.splitlines()
+ else:
+- heads, ret = self.gitread("git rev-parse --verify %s" % self.rev)
+- heads = [heads[:-1]]
+- if ret:
++ rawhead, status = self.gitrun('rev-parse', '--verify', self.rev)
++ heads = [rawhead[:-1]]
++ if status:
+ raise util.Abort(_('cannot retrieve git heads'))
+ return heads
+
+ def catfile(self, rev, type):
+ if rev == hex(nullid):
+ raise IOError()
+- data, ret = self.gitread("git cat-file %s %s" % (type, rev))
++ data, ret = self.gitrun('cat-file', type, rev)
+ if ret:
+ raise util.Abort(_('cannot read %r object at %s') % (type, rev))
+ return data
+
+ def getfile(self, name, rev):
+@@ -96,15 +96,17 @@ class convert_git(converter_source, comm
+ mode = self.modecache[(name, rev)]
+ return data, mode
+
+ def getchanges(self, version):
+ self.modecache = {}
+- fh = self.gitopen("git diff-tree -z --root -m -r %s" % version)
++ output, status = self.gitrun('diff-tree', '-z', '--root', '-m', '-r', version)
++ if status:
++ raise util.Abort(_('cannot read changes in %s') % version)
+ changes = []
+ seen = set()
+ entry = None
+- for l in fh.read().split('\x00'):
++ for l in output.split('\x00'):
+ if not entry:
+ if not l.startswith(':'):
+ continue
+ entry = l
+ continue
+@@ -118,12 +120,10 @@ class convert_git(converter_source, comm
+ p = (entry[1] == "100755")
+ s = (entry[1] == "120000")
+ self.modecache[(f, h)] = (p and "x") or (s and "l") or ""
+ changes.append((f, h))
+ entry = None
+- if fh.close():
+- raise util.Abort(_('cannot read changes in %s') % version)
+ return (changes, {})
+
+ def getcommit(self, version):
+ c = self.catfile(version, "commit") # read the commit hash
+ end = c.find("\n\n")
+@@ -160,22 +160,23 @@ class convert_git(converter_source, comm
+ return c
+
+ def gettags(self):
+ tags = {}
+ alltags = {}
+- fh = self.gitopen('git ls-remote --tags "%s"' % self.path)
++ output, status = self.gitrunlines('ls-remote', '--tags', self.path)
++
++ if status:
++ raise util.Abort(_('cannot read tags from %s') % self.path)
+ prefix = 'refs/tags/'
+
+ # Build complete list of tags, both annotated and bare ones
+- for line in fh:
++ for line in output:
+ line = line.strip()
+ node, tag = line.split(None, 1)
+ if not tag.startswith(prefix):
+ continue
+ alltags[tag[len(prefix):]] = node
+- if fh.close():
+- raise util.Abort(_('cannot read tags from %s') % self.path)
+
+ # Filter out tag objects for annotated tag refs
+ for tag in alltags:
+ if tag.endswith('^{}'):
+ tags[tag[:-3]] = alltags[tag]
+@@ -188,22 +189,26 @@ class convert_git(converter_source, comm
+ return tags
+
+ def getchangedfiles(self, version, i):
+ changes = []
+ if i is None:
+- fh = self.gitopen("git diff-tree --root -m -r %s" % version)
+- for l in fh:
++ output, status = self.gitrunlines('diff-tree', '--root', '-m',
++ '-r', version)
++ if status:
++ raise util.Abort(_('cannot read changes in %s') % version)
++ for l in output:
+ if "\t" not in l:
+ continue
+ m, f = l[:-1].split("\t")
+ changes.append(f)
+ else:
+- fh = self.gitopen('git diff-tree --name-only --root -r %s "%s^%s" --'
+- % (version, version, i + 1))
+- changes = [f.rstrip('\n') for f in fh]
+- if fh.close():
+- raise util.Abort(_('cannot read changes in %s') % version)
++ output, status = self.gitrunlines('diff-tree', '--name-only',
++ '--root', '-r', version,
++ '%s^%s' % (version, i + 1), '--')
++ if status:
++ raise util.Abort(_('cannot read changes in %s') % version)
++ changes = [f.rstrip('\n') for f in output]
+
+ return changes
+
+ def getbookmarks(self):
+ bookmarks = {}
+@@ -211,18 +216,18 @@ class convert_git(converter_source, comm
+ # Interesting references in git are prefixed
+ prefix = 'refs/heads/'
+ prefixlen = len(prefix)
+
+ # factor two commands
+- gitcmd = { 'remote/': 'git ls-remote --heads origin',
+- '': 'git show-ref'}
++ gitcmd = { 'remote/': ['ls-remote', '--heads', 'origin'],
++ '': ['show-ref']}
+
+ # Origin heads
+ for reftype in gitcmd:
+ try:
+- fh = self.gitopen(gitcmd[reftype], noerr=True)
+- for line in fh:
++ output, status = self.gitrunlines(*gitcmd[reftype])
++ for line in output:
+ line = line.strip()
+ rev, name = line.split(None, 1)
+ if not name.startswith(prefix):
+ continue
+ name = '%s%s' % (reftype, name[prefixlen:])
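Review bot: In `getbookmarks` (L341) the exit status returned by `gitrunlines` is silently dropped: the old call passed `noerr=True` to deliberately tolerate a missing `origin` remote, but the new code neither checks `status` nor records why it is ignored, so a genuine `show-ref` failure now yields an empty bookmark set with no diagnostic. At minimum name the intent next to the call, `# status deliberately ignored: a repo with no 'origin' remote is not an error here`, or check `status` for the `''` (`show-ref`) entry only, which has no such excuse. The method continues past the hunk, so the `except` that pairs with the `try:` at L338 is not visible here. Separately, `self.rev` (L214) is placed straight after `--verify`; a value starting with `-` is parsed by git as an option — it is the invoking user's own input rather than attacker data, so not an injection, but a `startswith('-')` guard would make the resulting `rev-parse` failure intelligible.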
Added: packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert-test-for-shell-injection-in-git-calls.patch
===================================================================
--- packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert-test-for-shell-injection-in-git-calls.patch (rev 0)
+++ packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert-test-for-shell-injection-in-git-calls.patch 2016-05-28 09:30:26 UTC (rev 13257)
@@ -0,0 +1,40 @@
+# HG changeset patch
+# User Mateusz Kwapich <mitrandir at fb.com>
+# Date 1458692847 25200
+# Tue Mar 22 17:27:27 2016 -0700
+# Branch stable
+# Node ID ae279d4a19e9683214cbd1fe8298cf0b50571432
+# Parent 80cac1de6aea89f9d068abb09b0ea58c70bd7130
+convert: test for shell injection in git calls (SEC)
+
+CVE-2016-3069 (5/5)
+
+Before recent refactoring we were not escaping calls to git at all
+which made such injections possible. Let's have a test for that to
+avoid this problem in the future. Reported by Blake Burkhart.
+
+--- mercurial-2.2.2.orig/tests/test-convert-git.t
++++ mercurial-2.2.2/tests/test-convert-git.t
+@@ -289,5 +289,22 @@ damage git repository and convert again
+ > EOF
+ $ python damage.py
+ $ hg convert git-repo4 git-repo4-broken-hg 2>&1 | \
+ > grep 'abort:' | sed 's/abort:.*/abort:/g'
+ abort:
++
++test for escaping the repo name (CVE-2016-3069)
++
++ $ git init '`echo pwned >COMMAND-INJECTION`'
++ Initialized empty Git repository in $TESTTMP/`echo pwned >COMMAND-INJECTION`/.git/
++ $ cd '`echo pwned >COMMAND-INJECTION`'
++ $ git commit -q --allow-empty -m 'empty'
++ $ cd ..
++ $ hg convert '`echo pwned >COMMAND-INJECTION`' 'converted'
++ initializing destination converted repository
++ scanning source...
++ sorting...
++ converting...
++ 0 empty
++ updating bookmarks
++ $ test -f COMMAND-INJECTION
++ [1]
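Review bot: This patch's recorded parent `80cac1de6aea…` (L359) is not the 3/5 changeset `b732e7f2aba4…` (L136), so upstream's 4/5 ("convert: rewrite gitpipe to use common.commandline") sits between them and is not in this series; that is presumably right because 2.2.2 has no gitpipe (the backport note at L196 says the same of numcommits), but the changelog line at L47 then lists a change this upload does not carry and should be dropped or annotated, e.g. `+ convert: rewrite gitpipe to use common.commandline (not applicable to 2.2.2)`. The test itself covers only the repository-path vector, which is the attacker-controlled one; `--rev` (formerly interpolated at L211) is the invoking user's input, so leaving it untested is acceptable but worth saying in the test prose: `test for escaping the repo name (CVE-2016-3069); --rev is user input, not covered`.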
Added: packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert_pass_absolute_paths_to_git.patch
===================================================================
--- packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert_pass_absolute_paths_to_git.patch (rev 0)
+++ packages/mercurial/branches/wheezy/debian/patches/from_upstream__convert_pass_absolute_paths_to_git.patch 2016-05-28 09:30:26 UTC (rev 13257)
@@ -0,0 +1,70 @@
+# HG changeset patch
+# User Blake Burkhart <bburky at bburky.com>
+# Date 1460001466 18000
+# Wed Apr 06 22:57:46 2016 -0500
+# Branch stable
+# Node ID a56296f55a5e1038ea5016dace2076b693c28a56
+# Parent 27ad6cae7785b59f918f5e3ed33a2f1e88a60d4f
+convert: pass absolute paths to git (SEC)
+
+Fixes CVE-2016-3105 (1/1).
+
+Previously, it was possible for the repository path passed to git-ls-remote
+to be misinterpreted as a URL.
+
+Always passing an absolute path to git is a simple way to avoid this.
+
+Index: mercurial-2.2.2/hgext/convert/git.py
+===================================================================
+--- mercurial-2.2.2.orig/hgext/convert/git.py 2016-05-06 11:03:06.000000000 +0200
++++ mercurial-2.2.2/hgext/convert/git.py 2016-05-06 11:03:06.000000000 +0200
+@@ -41,6 +41,10 @@
+ super(convert_git, self).__init__(ui, path, rev=rev)
+ commandline.__init__(self, ui, 'git')
+
++ # Pass an absolute path to git to prevent from ever being interpreted
++ # as a URL
++ path = os.path.abspath(path)
++
+ if os.path.isdir(path + "/.git"):
+ path += "/.git"
+ if not os.path.exists(path + "/objects"):
+Index: mercurial-2.2.2/tests/test-convert-git.t
+===================================================================
+--- mercurial-2.2.2.orig/tests/test-convert-git.t 2016-05-06 11:03:06.000000000 +0200
++++ mercurial-2.2.2/tests/test-convert-git.t 2016-05-06 11:03:06.000000000 +0200
+@@ -308,3 +308,21 @@
+ updating bookmarks
+ $ test -f COMMAND-INJECTION
+ [1]
++
++test for safely passing paths to git (CVE-2016-3105)
++
++ $ git init 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #'
++ Initialized empty Git repository in $TESTTMP/ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #/.git/
++ $ cd 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #'
++ $ git commit -q --allow-empty -m 'empty'
++ $ cd ..
++ $ hg convert 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #' 'converted-git-ext'
++ initializing destination converted-git-ext repository
++ scanning source...
++ sorting...
++ converting...
++ 0 empty
++ updating bookmarks
++ $ test -f GIT-EXT-COMMAND-INJECTION
++ [1]
++
+Index: mercurial-2.2.2/tests/test-convert.t
+===================================================================
+--- mercurial-2.2.2.orig/tests/test-convert.t 2016-05-06 11:03:06.000000000 +0200
++++ mercurial-2.2.2/tests/test-convert.t 2016-05-06 11:03:06.000000000 +0200
+@@ -345,7 +345,7 @@
+ assuming destination emptydir-hg
+ initializing destination emptydir-hg repository
+ emptydir does not look like a CVS checkout
+- emptydir does not look like a Git repository
++ $TESTTMP/emptydir does not look like a Git repository
+ emptydir does not look like a Subversion repository
+ emptydir is not a local Mercurial repository
+ emptydir does not look like a darcs repository
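Review bot: The comment at L422-L423 says what is done but not why it is sufficient: `os.path.abspath` defeats the `ext::` misparse only because git recognises `<helper>::<rest>` as a remote-helper URL when the prefix looks like a bare URL scheme, which a string beginning with `/` never does — if I read git's transport URL detection correctly, and that is the whole security argument of CVE-2016-3105. Spell it out: `# git only treats '<name>::<rest>' as a remote-helper URL when <name> looks like a URL scheme; an absolute path can never start that way, so it is always taken as a local path.` The conversion also runs after `super(convert_git, self).__init__(ui, path, rev=rev)` (L419), so whatever the base class retains of the original relative `path` is not normalised; `self.path` is reassigned later in `__init__`, outside this hunk, so confirm no git invocation reads the base-class copy. In the new test (L440-L445) the `%` in the repository name is presumably git-remote-ext's escape for a literal space; a one-line comment saying so would stop someone "fixing" it.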
Added: packages/mercurial/branches/wheezy/debian/patches/from_upstream__mpatch_rewrite_pointer_overflow_checks.patch
===================================================================
--- packages/mercurial/branches/wheezy/debian/patches/from_upstream__mpatch_rewrite_pointer_overflow_checks.patch (rev 0)
+++ packages/mercurial/branches/wheezy/debian/patches/from_upstream__mpatch_rewrite_pointer_overflow_checks.patch 2016-05-28 09:30:26 UTC (rev 13257)
@@ -0,0 +1,207 @@
+# HG changeset patch
+# User Matt Mackall <mpm at selenic.com>
+# Date 1386808422 21600
+# Wed Dec 11 18:33:42 2013 -0600
+# Branch stable
+# Node ID 09e41ac6289d878f2a2e4e7b7794f457ec7a069b
+# Parent 1ddf4409229fd9d8c610c7d327c1a72264d107f4
+mpatch: rewrite pointer overflow checks
+
+[jcristau: backport to 2.2.2
+ * Py_ssize_t -> int
+ * v1_hdrsize -> hdrsize
+]
+
+--- mercurial-2.2.2.orig/mercurial/mpatch.c
++++ mercurial-2.2.2/mercurial/mpatch.c
+@@ -199,34 +199,31 @@ static struct flist *combine(struct flis
+ /* decode a binary patch into a hunk list */
+ static struct flist *decode(const char *bin, int len)
+ {
+ struct flist *l;
+ struct frag *lt;
+- const char *data = bin + 12, *end = bin + len;
++ int pos = 0;
+
+ /* assume worst case size, we won't have many of these lists */
+ l = lalloc(len / 12);
+ if (!l)
+ return NULL;
+
+ lt = l->tail;
+
+- while (data <= end) {
+- lt->start = getbe32(bin);
+- lt->end = getbe32(bin + 4);
+- lt->len = getbe32(bin + 8);
++ while (pos >= 0 && pos < len) {
++ lt->start = getbe32(bin + pos);
++ lt->end = getbe32(bin + pos + 4);
++ lt->len = getbe32(bin + pos + 8);
+ if (lt->start > lt->end)
+ break; /* sanity check */
+- bin = data + lt->len;
+- if (bin < data)
+- break; /* big data + big (bogus) len can wrap around */
+- lt->data = data;
+- data = bin + 12;
++ lt->data = bin + pos + 12;
++ pos += 12 + lt->len;
+ lt++;
+ }
+
+- if (bin != end) {
++ if (pos != len) {
+ if (!PyErr_Occurred())
+ PyErr_SetString(mpatch_Error, "patch cannot be decoded");
+ lfree(l);
+ return NULL;
+ }
+@@ -354,36 +351,30 @@ cleanup:
+
+ /* calculate size of a patched file directly */
+ static PyObject *
+ patchedsize(PyObject *self, PyObject *args)
+ {
+- long orig, start, end, len, outlen = 0, last = 0;
++ long orig, start, end, len, outlen = 0, last = 0, pos = 0;
+ int patchlen;
+- char *bin, *binend, *data;
++ char *bin;
+
+ if (!PyArg_ParseTuple(args, "ls#", &orig, &bin, &patchlen))
+ return NULL;
+
+- binend = bin + patchlen;
+- data = bin + 12;
+-
+- while (data <= binend) {
+- start = getbe32(bin);
+- end = getbe32(bin + 4);
+- len = getbe32(bin + 8);
++ while (pos >= 0 && pos < patchlen) {
++ start = getbe32(bin + pos);
++ end = getbe32(bin + pos + 4);
++ len = getbe32(bin + pos + 8);
+ if (start > end)
+ break; /* sanity check */
+- bin = data + len;
+- if (bin < data)
+- break; /* big data + big (bogus) len can wrap around */
+- data = bin + 12;
++ pos += 12 + len;
+ outlen += start - last;
+ last = end;
+ outlen += len;
+ }
+
+- if (bin != binend) {
++ if (pos != patchlen) {
+ if (!PyErr_Occurred())
+ PyErr_SetString(mpatch_Error, "patch cannot be decoded");
+ return NULL;
+ }
+
+--- mercurial-2.2.2.orig/mercurial/parsers.c
++++ mercurial-2.2.2/mercurial/parsers.c
+@@ -137,14 +137,14 @@ quit:
+
+ static PyObject *parse_dirstate(PyObject *self, PyObject *args)
+ {
+ PyObject *dmap, *cmap, *parents = NULL, *ret = NULL;
+ PyObject *fname = NULL, *cname = NULL, *entry = NULL;
+- char *str, *cur, *end, *cpos;
++ char *cur, *str, *cpos;
+ int state, mode, size, mtime;
+ unsigned int flen;
+- int len;
++ int len, pos = 40;
+
+ if (!PyArg_ParseTuple(args, "O!O!s#:parse_dirstate",
+ &PyDict_Type, &dmap,
+ &PyDict_Type, &cmap,
+ &str, &len))
+@@ -157,22 +157,21 @@ static PyObject *parse_dirstate(PyObject
+ parents = Py_BuildValue("s#s#", str, 20, str + 20, 20);
+ if (!parents)
+ goto quit;
+
+ /* read filenames */
+- cur = str + 40;
+- end = str + len;
+-
+- while (cur < end - 17) {
++ while (pos >= 40 && pos < len) {
++ cur = str + pos;
+ /* unpack header */
+ state = *cur;
+ mode = getbe32(cur + 1);
+ size = getbe32(cur + 5);
+ mtime = getbe32(cur + 9);
+ flen = getbe32(cur + 13);
++ pos += 17;
+ cur += 17;
+- if (cur + flen > end || cur + flen < cur) {
++ if (flen > len - pos || flen < 0) {
+ PyErr_SetString(PyExc_ValueError, "overflow in dirstate");
+ goto quit;
+ }
+
+ entry = Py_BuildValue("ciii", state, mode, size, mtime);
+@@ -194,14 +193,14 @@ static PyObject *parse_dirstate(PyObject
+ fname = PyBytes_FromStringAndSize(cur, flen);
+ if (!fname ||
+ PyDict_SetItem(dmap, fname, entry) == -1)
+ goto quit;
+ }
+- cur += flen;
+ Py_DECREF(fname);
+ Py_DECREF(entry);
+ fname = cname = entry = NULL;
++ pos += flen;
+ }
+
+ ret = parents;
+ Py_INCREF(ret);
+ quit:
+@@ -928,33 +927,28 @@ static int index_assign_subscript(indexO
+ * the optional "offsets" table with those entries.
+ */
+ static long inline_scan(indexObject *self, const char **offsets)
+ {
+ const char *data = PyString_AS_STRING(self->data);
+- const char *end = data + PyString_GET_SIZE(self->data);
++ Py_ssize_t pos = 0;
++ Py_ssize_t end = PyString_GET_SIZE(self->data);
+ const long hdrsize = 64;
+ long incr = hdrsize;
+ Py_ssize_t len = 0;
+
+- while (data + hdrsize <= end) {
++ while (pos + hdrsize <= end && pos >= 0) {
+ uint32_t comp_len;
+- const char *old_data;
+ /* 3rd element of header is length of compressed inline data */
+- comp_len = getbe32(data + 8);
++ comp_len = getbe32(data + pos + 8);
+ incr = hdrsize + comp_len;
+- if (incr < hdrsize)
+- break;
+ if (offsets)
+- offsets[len] = data;
++ offsets[len] = data + pos;
+ len++;
+- old_data = data;
+- data += incr;
+- if (data <= old_data)
+- break;
++ pos += incr;
+ }
+
+- if (data != end && data + hdrsize != end) {
++ if (pos != end) {
+ if (!PyErr_Occurred())
+ PyErr_SetString(PyExc_ValueError, "corrupt index file");
+ return -1;
+ }
+
Added: packages/mercurial/branches/wheezy/debian/patches/from_upstream__parsers-detect-short-records.patch
===================================================================
--- packages/mercurial/branches/wheezy/debian/patches/from_upstream__parsers-detect-short-records.patch (rev 0)
+++ packages/mercurial/branches/wheezy/debian/patches/from_upstream__parsers-detect-short-records.patch 2016-05-28 09:30:26 UTC (rev 13257)
@@ -0,0 +1,32 @@
+# HG changeset patch
+# User Matt Mackall <mpm at selenic.com>
+# Date 1458174626 25200
+# Wed Mar 16 17:30:26 2016 -0700
+# Branch stable
+# Node ID b9714d958e89cd6ff1da46b46f39076c03325ac7
+# Parent b6ed2505d6cf1d73f7f5c62e7369c4ce65cd3732
+parsers: detect short records (SEC)
+
+CVE-2016-3630 (2/2)
+
+This addresses part of a vulnerability in binary delta application.
+
+--- mercurial-2.2.2.orig/mercurial/mpatch.c
++++ mercurial-2.2.2/mercurial/mpatch.c
+@@ -212,14 +212,14 @@ static struct flist *decode(const char *
+
+ while (pos >= 0 && pos < len) {
+ lt->start = getbe32(bin + pos);
+ lt->end = getbe32(bin + pos + 4);
+ lt->len = getbe32(bin + pos + 8);
+- if (lt->start > lt->end)
+- break; /* sanity check */
+ lt->data = bin + pos + 12;
+ pos += 12 + lt->len;
++ if (lt->start > lt->end || lt->len < 0)
++ break; /* sanity check */
+ lt++;
+ }
+
+ if (pos != len) {
+ if (!PyErr_Occurred())
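Review bot: The `lt->len < 0` sanity check is placed after `pos += 12 + lt->len` (L709-L711), so the addition it is meant to guard has already executed: with the backport's `int pos` (the earlier patch turned `Py_ssize_t` into `int`) and a 32-bit `len` field, `12 + lt->len` for a value near `INT_MAX` is signed overflow, which is undefined behaviour, and a compiler that has proved `pos` non-negative from the loop body is entitled to drop the `pos >= 0` test at L702 — at which point the wrapped negative `pos` indexes `bin` out of bounds on the next iteration instead of terminating. Do the range test before the add and against the bytes actually remaining: `if (lt->start > lt->end || lt->len < 0 || lt->len > len - pos - 12) break;` followed by `pos += 12 + lt->len;`. Because `len - pos - 12` is negative when fewer than 12 bytes remain, that one line also rejects a truncated trailing header, and the existing `pos != len` test afterwards still reports the error. `patchedsize` in the preceding overflow patch has the same add-then-check order and would want the identical guard on 32-bit builds; `decode` continues outside this hunk.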
Added: packages/mercurial/branches/wheezy/debian/patches/from_upstream__parsers-fix-list-sizing-rounding-error.patch
===================================================================
--- packages/mercurial/branches/wheezy/debian/patches/from_upstream__parsers-fix-list-sizing-rounding-error.patch (rev 0)
+++ packages/mercurial/branches/wheezy/debian/patches/from_upstream__parsers-fix-list-sizing-rounding-error.patch 2016-05-28 09:30:26 UTC (rev 13257)
@@ -0,0 +1,47 @@
+# HG changeset patch
+# User Matt Mackall <mpm at selenic.com>
+# Date 1458174569 25200
+# Wed Mar 16 17:29:29 2016 -0700
+# Branch stable
+# Node ID b6ed2505d6cf1d73f7f5c62e7369c4ce65cd3732
+# Parent a2c2dd399f3b9fb84edd75a930e895f0c5e4ad5b
+parsers: fix list sizing rounding error (SEC)
+
+CVE-2016-3630 (1/2)
+
+This addresses part of a vulnerability in application of binary
+deltas.
+
+--- /dev/null
++++ mercurial-2.2.2/tests/test-revlog.t
+@@ -0,0 +1,15 @@
++Test for CVE-2016-3630
++
++ $ hg init
++
++ >>> open("a.i", "w").write(
++ ... """eJxjYGZgZIAAYQYGxhgom+k/FMx8YKx9ZUaKSOyqo4cnuKb8mbqHV5cBCVTMWb1Cwqkhe4Gsg9AD
++ ... Joa3dYtcYYYBAQ8Qr4OqZAYRICPTSr5WKd/42rV36d+8/VmrNpv7NP1jQAXrQE4BqQUARngwVA=="""
++ ... .decode("base64").decode("zlib"))
++
++ $ hg debugindex a.i
++ rev offset length delta linkrev nodeid p1 p2
++ 0 0 19 -1 2 99e0332bd498 000000000000 000000000000
++ 1 19 12 0 3 6674f57a23d8 99e0332bd498 000000000000
++ $ hg debugdata a.i 1 2>&1 | grep decoded
++ mpatch.mpatchError: patch cannot be decoded
+--- mercurial-2.2.2.orig/mercurial/mpatch.c
++++ mercurial-2.2.2/mercurial/mpatch.c
+@@ -202,11 +202,11 @@ static struct flist *decode(const char *
+ struct flist *l;
+ struct frag *lt;
+ int pos = 0;
+
+ /* assume worst case size, we won't have many of these lists */
+- l = lalloc(len / 12);
++ l = lalloc(len / 12 + 1);
+ if (!l)
+ return NULL;
+
+ lt = l->tail;
+
Added: packages/mercurial/branches/wheezy/debian/patches/from_upstream__subrepo-set-GIT_ALLOW_PROTOCOL-to-limit-git-clone-protocols.patch
===================================================================
--- packages/mercurial/branches/wheezy/debian/patches/from_upstream__subrepo-set-GIT_ALLOW_PROTOCOL-to-limit-git-clone-protocols.patch (rev 0)
+++ packages/mercurial/branches/wheezy/debian/patches/from_upstream__subrepo-set-GIT_ALLOW_PROTOCOL-to-limit-git-clone-protocols.patch 2016-05-28 09:30:26 UTC (rev 13257)
@@ -0,0 +1,95 @@
+# HG changeset patch
+# User Mateusz Kwapich <mitrandir at fb.com>
+# Date 1458535941 25200
+# Sun Mar 20 21:52:21 2016 -0700
+# Branch stable
+# Node ID 34d43cb85de8d06764039d8868eee19d00fddeab
+# Parent b9714d958e89cd6ff1da46b46f39076c03325ac7
+subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC)
+
+CVE-2016-3068 (1/1)
+
+Git's git-remote-ext remote helper provides an ext:: URL scheme that
+allows running arbitrary shell commands. This feature allows
+implementing simple git smart transports with a single shell shell
+command. However, git submodules could clone arbitrary URLs specified
+in the .gitmodules file. This was reported as CVE-2015-7545 and fixed
+in git v2.6.1.
+
+However, if a user directly clones a malicious ext URL, the git client
+will still run arbitrary shell commands.
+
+Mercurial is similarly effected. Mercurial allows specifying git
+repositories as subrepositories. Git ext:: URLs can be specified as
+Mercurial subrepositories allowing arbitrary shell commands to be run
+on `hg clone ...`.
+
+
+The Mercurial community would like to thank Blake Burkhart for
+reporting this issue. The description of the issue is copied from
+Blake's report.
+
+This commit changes submodules to pass the GIT_ALLOW_PROTOCOL env
+variable to git commands with the same list of allowed protocols that
+git submodule is using.
+
+When the GIT_ALLOW_PROTOCOL env variable is already set, we just pass it
+to git without modifications.
+
+[jcristau: update test output for wheezy version of git]
+
+--- mercurial-2.2.2.orig/mercurial/subrepo.py
++++ mercurial-2.2.2/mercurial/subrepo.py
+@@ -861,10 +861,15 @@ class gitsubrepo(abstractsubrepo):
+
+ The methods tries to call the git command. versions previor to 1.6.0
+ are not supported and very probably fail.
+ """
+ self._ui.debug('%s: git %s\n' % (self._relpath, ' '.join(commands)))
++ if env is None:
++ env = os.environ.copy()
++ # fix for Git CVE-2015-7545
++ if 'GIT_ALLOW_PROTOCOL' not in env:
++ env['GIT_ALLOW_PROTOCOL'] = 'file:git:http:https:ssh'
+ # unless ui.quiet is set, print git's stderr,
+ # which is mostly progress and useful info
+ errpipe = None
+ if self._ui.quiet:
+ errpipe = open(os.devnull, 'w')
+--- mercurial-2.2.2.orig/tests/test-subrepo-git.t
++++ mercurial-2.2.2/tests/test-subrepo-git.t
+@@ -510,5 +510,34 @@ Test subrepo already at intended revisio
+ Test forgetting files, not implemented in git subrepo, used to
+ traceback
+ $ hg forget 'notafile*'
+ notafile*: No such file or directory
+ [1]
++
++test for Git CVE-2016-3068
++ $ hg init malicious-subrepository
++ $ cd malicious-subrepository
++ $ echo "s = [git]ext::sh -c echo% pwned% >&2" > .hgsub
++ $ git init s
++ Initialized empty Git repository in $TESTTMP/ta/malicious-subrepository/s/.git/
++ $ cd s
++ $ git commit --allow-empty -m 'empty'
++ [master (root-commit) 153f934] empty
++ $ cd ..
++ $ hg add .hgsub
++ $ hg commit -m "add subrepo"
++ $ cd ..
++ $ env -u GIT_ALLOW_PROTOCOL hg clone malicious-subrepository malicious-subrepository-protected
++ fatal: transport 'ext' not allowed
++ updating to branch default
++ cloning subrepo s from ext::sh -c echo% pwned% >&2
++ abort: git clone error 128 in s
++ [255]
++
++whitelisting of ext should be respected (that's the git submodule behaviour)
++ $ env GIT_ALLOW_PROTOCOL=ext hg clone malicious-subrepository malicious-subrepository-clone-allowed
++ pwned
++ fatal: The remote end hung up unexpectedly
++ updating to branch default
++ cloning subrepo s from ext::sh -c echo% pwned% >&2
++ abort: git clone error 128 in s
++ [255]
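Review bot: The fix is only effective with a git that honours `GIT_ALLOW_PROTOCOL`; that variable arrived with git's own CVE-2015-7545 fix (2.6.1, per L789-L790), and older versions ignore it silently, leaving `ext::` reachable despite this patch. Wheezy's git evidently does honour it — `fatal: transport 'ext' not allowed` at L855 is git's message — but the comment at L824 should state the dependency: `# fix for Git CVE-2015-7545: only effective with a git that honours GIT_ALLOW_PROTOCOL (2.6.1+ or a distro build carrying that fix); older gits ignore the variable`. The hunk ends before the `subprocess.Popen` call and starts after the method signature, so it shows neither that `env` is actually forwarded to git nor where the `env` parameter read at L822 comes from; both should be confirmed in 2.2.2's version of this method (presumably `_gitnodir`). The allow-list `file:git:http:https:ssh` mirrors git submodule's default, so the unauthenticated `git://` and `http://` transports stay enabled by design — worth a word in the comment so nobody reads it as a hardening list.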
Modified: packages/mercurial/branches/wheezy/debian/patches/series
===================================================================
--- packages/mercurial/branches/wheezy/debian/patches/series 2016-05-28 09:24:27 UTC (rev 13256)
+++ packages/mercurial/branches/wheezy/debian/patches/series 2016-05-28 09:30:26 UTC (rev 13257)
@@ -15,3 +15,12 @@
from_upstream__pathauditor_check_for_codepoints_ignored_on_OS_X.patch
from_upstream__pathauditor_check_for_Windows_shortname_aliases.patch
from_upstream__sshpeer_more_thorough_shell_quoting.patch
+from_upstream__mpatch_rewrite_pointer_overflow_checks.patch
+from_upstream__parsers-fix-list-sizing-rounding-error.patch
+from_upstream__parsers-detect-short-records.patch
+from_upstream__subrepo-set-GIT_ALLOW_PROTOCOL-to-limit-git-clone-protocols.patch
+from_upstream__convert-add-new,-non-clowny-interface-for-shelling-out-to-git.patch
+from_upstream__convert-rewrite-calls-to-Git-to-use-the-new-shelling-mechanism.patch
+from_upstream__convert-dead-code-removal---old-git-calling-functions.patch
+from_upstream__convert-test-for-shell-injection-in-git-calls.patch
+from_upstream__convert_pass_absolute_paths_to_git.patch