2 files changed, 3 insertions, 140 deletions
diff --git a/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch b/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch
deleted file mode 100644
index 3564661b4b..0000000000
--- a/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-# HG changeset patch
-# User Augie Fackler <augie@google.com>
-# Date 1492021435 25200
-#      Wed Apr 12 11:23:55 2017 -0700
-# Branch stable
-# Node ID 77eaf9539499a1b8be259ffe7ada787d07857f80
-# Parent  68f263f52d2e3e2798b4f1e55cb665c6b043f93b
-dispatch: protect against malicious 'hg serve --stdio' invocations (sec)
-Some shared-ssh installations assume that 'hg serve --stdio' is a safe
-command to run for minimally trusted users. Unfortunately, the messy
-implementation of argument parsing here meant that trying to access a
-repo named '--debugger' would give the user a pdb prompt, thereby
-sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S)
-is unaffected.
-We're not currently hardening any subcommands other than 'serve'. If
-your service exposes other commands to users with arbitrary repository
-names, it is imperative that you defend against repository names of
-'--debugger' and anything starting with '--config'.
-The read-only mode of hg-ssh stopped working because it provided its hook
-configuration to "hg serve --stdio" via --config parameter. This is banned for
-security reasons now. This patch switches it to directly call ui.setconfig().
-If your custom hosting infrastructure relies on passing --config to
-"hg serve --stdio", you'll need to find a different way to get that configuration
-into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch,
-or by placing an hgrc file someplace where Mercurial will read it.
-mitrandir@fb.com provided some extra fixes for the dispatch code and
-for hg-ssh in places that I overlooked.
-CVE: CVE-2017-9462
-Upstream-Status: Backport
-diff --git a/contrib/hg-ssh b/contrib/hg-ssh
--- a/contrib/hg-ssh
-+++ b/contrib/hg-ssh
-@@ -32,7 +32,7 @@
- # enable importing on demand to reduce startup time
- from mercurial import demandimport; demandimport.enable()
- 
-from mercurial import dispatch
-+from mercurial import dispatch, ui as uimod
- 
- import sys, os, shlex
- 
-@@ -61,14 +61,15 @@
-         repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))
-         if repo in allowed_paths:
-             cmd = ['-R', repo, 'serve', '--stdio']
-+            req = dispatch.request(cmd)
-             if readonly:
-                cmd += [
-                    '--config',
-                    'hooks.pretxnopen.hg-ssh=python:__main__.rejectpush',
-                    '--config',
-                    'hooks.prepushkey.hg-ssh=python:__main__.rejectpush'
-                    ]
-            dispatch.dispatch(dispatch.request(cmd))
-+                if not req.ui:
-+                    req.ui = uimod.ui.load()
-+                req.ui.setconfig('hooks', 'pretxnopen.hg-ssh',
-+                                 'python:__main__.rejectpush', 'hg-ssh')
-+                req.ui.setconfig('hooks', 'prepushkey.hg-ssh',
-+                                 'python:__main__.rejectpush', 'hg-ssh')
-+            dispatch.dispatch(req)
-         else:
-             sys.stderr.write('Illegal repository "%s"\n' % repo)
-             sys.exit(255)
-diff --git a/mercurial/dispatch.py b/mercurial/dispatch.py
--- a/mercurial/dispatch.py
-+++ b/mercurial/dispatch.py
-@@ -155,6 +155,37 @@
-         pass # happens if called in a thread
- 
-     def _runcatchfunc():
-+        realcmd = None
-+        try:
-+            cmdargs = fancyopts.fancyopts(req.args[:], commands.globalopts, {})
-+            cmd = cmdargs[0]
-+            aliases, entry = cmdutil.findcmd(cmd, commands.table, False)
-+            realcmd = aliases[0]
-+        except (error.UnknownCommand, error.AmbiguousCommand,
-+                IndexError, getopt.GetoptError):
-+            # Don't handle this here. We know the command is
-+            # invalid, but all we're worried about for now is that
-+            # it's not a command that server operators expect to
-+            # be safe to offer to users in a sandbox.
-+            pass
-+        if realcmd == 'serve' and '--stdio' in cmdargs:
-+            # We want to constrain 'hg serve --stdio' instances pretty
-+            # closely, as many shared-ssh access tools want to grant
-+            # access to run *only* 'hg -R $repo serve --stdio'. We
-+            # restrict to exactly that set of arguments, and prohibit
-+            # any repo name that starts with '--' to prevent
-+            # shenanigans wherein a user does something like pass
-+            # --debugger or --config=ui.debugger=1 as a repo
-+            # name. This used to actually run the debugger.
-+            if (len(req.args) != 4 or
-+                req.args[0] != '-R' or
-+                req.args[1].startswith('--') or
-+                req.args[2] != 'serve' or
-+                req.args[3] != '--stdio'):
-+                raise error.Abort(
-+                    _('potentially unsafe serve --stdio invocation: %r') %
-+                    (req.args,))
-+
-         try:
-             debugger = 'pdb'
-             debugtrace = {
-diff --git a/tests/test-ssh.t b/tests/test-ssh.t
--- a/tests/test-ssh.t
-+++ b/tests/test-ssh.t
-@@ -357,6 +357,19 @@
-   abort: destination 'a repo' is not empty
-   [255]
- 
-+Make sure hg is really paranoid in serve --stdio mode. It used to be
-+possible to get a debugger REPL by specifying a repo named --debugger.
-+  $ hg -R --debugger serve --stdio
-+  abort: potentially unsafe serve --stdio invocation: ['-R', '--debugger', 'serve', '--stdio']
-+  [255]
-+  $ hg -R --config=ui.debugger=yes serve --stdio
-+  abort: potentially unsafe serve --stdio invocation: ['-R', '--config=ui.debugger=yes', 'serve', '--stdio']
-+  [255]
-+Abbreviations of 'serve' also don't work, to avoid shenanigans.
-+  $ hg -R narf serv --stdio
-+  abort: potentially unsafe serve --stdio invocation: ['-R', 'narf', 'serv', '--stdio']
-+  [255]
-+
- Test hg-ssh using a helper script that will restore PYTHONPATH (which might
- have been cleared by a hg.exe wrapper) and invoke hg-ssh with the right
- parameters:
diff --git a/meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb b/meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.bb
index a08acd9504..693d4e40dd 100644
--- a/meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb
+++ b/meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.bb
@@ -5,11 +5,9 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 DEPENDS = "python-native"
-SRC_URI = "https://www.mercurial-scm.org/release/${BP}.tar.gz \
+SRC_URI = "https://www.mercurial-scm.org/release/${BP}.tar.gz"
-           file://mercurial-CVE-2017-9462.patch \
+SRC_URI[md5sum] = "c1d9fad1b7ed7077b0d4ae82e71154db"
-"
+SRC_URI[sha256sum] = "234af4a67565c85923b0a1910c704ab44bcf12f69b85532687208776563d87de"
-SRC_URI[md5sum] = "22a9b1d7c0c06a53f0ae5b386d536d08"
-SRC_URI[sha256sum] = "6aa4ade93c1b5e11937820880a466ebf1c824086d443cd799fc46e2617250d40"
 S = "${WORKDIR}/mercurial-${PV}"

diff --git a/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch b/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch deleted file mode 100644 index 3564661b4b..0000000000 --- a/meta-oe/recipes-devtools/mercurial/files/mercurial-CVE-2017-9462.patch +++ /dev/null
@@ -1,135 +0,0 @@
1	# HG changeset patch
2	# User Augie Fackler <augie@google.com>
3	# Date 1492021435 25200
4	# Wed Apr 12 11:23:55 2017 -0700
5	# Branch stable
6	# Node ID 77eaf9539499a1b8be259ffe7ada787d07857f80
7	# Parent 68f263f52d2e3e2798b4f1e55cb665c6b043f93b
8	dispatch: protect against malicious 'hg serve --stdio' invocations (sec)
9
10	Some shared-ssh installations assume that 'hg serve --stdio' is a safe
11	command to run for minimally trusted users. Unfortunately, the messy
12	implementation of argument parsing here meant that trying to access a
13	repo named '--debugger' would give the user a pdb prompt, thereby
14	sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S)
15	is unaffected.
16
17	We're not currently hardening any subcommands other than 'serve'. If
18	your service exposes other commands to users with arbitrary repository
19	names, it is imperative that you defend against repository names of
20	'--debugger' and anything starting with '--config'.
21
22	The read-only mode of hg-ssh stopped working because it provided its hook
23	configuration to "hg serve --stdio" via --config parameter. This is banned for
24	security reasons now. This patch switches it to directly call ui.setconfig().
25	If your custom hosting infrastructure relies on passing --config to
26	"hg serve --stdio", you'll need to find a different way to get that configuration
27	into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch,
28	or by placing an hgrc file someplace where Mercurial will read it.
29
30	mitrandir@fb.com provided some extra fixes for the dispatch code and
31	for hg-ssh in places that I overlooked.
32
33	CVE: CVE-2017-9462
34
35	Upstream-Status: Backport
36
37	diff --git a/contrib/hg-ssh b/contrib/hg-ssh
38	--- a/contrib/hg-ssh
39	+++ b/contrib/hg-ssh
40	@@ -32,7 +32,7 @@
41	# enable importing on demand to reduce startup time
42	from mercurial import demandimport; demandimport.enable()
43
44	-from mercurial import dispatch
45	+from mercurial import dispatch, ui as uimod
46
47	import sys, os, shlex
48
49	@@ -61,14 +61,15 @@
50	repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))
51	if repo in allowed_paths:
52	cmd = ['-R', repo, 'serve', '--stdio']
53	+ req = dispatch.request(cmd)
54	if readonly:
55	- cmd += [
56	- '--config',
57	- 'hooks.pretxnopen.hg-ssh=python:__main__.rejectpush',
58	- '--config',
59	- 'hooks.prepushkey.hg-ssh=python:__main__.rejectpush'
60	- ]
61	- dispatch.dispatch(dispatch.request(cmd))
62	+ if not req.ui:
63	+ req.ui = uimod.ui.load()
64	+ req.ui.setconfig('hooks', 'pretxnopen.hg-ssh',
65	+ 'python:__main__.rejectpush', 'hg-ssh')
66	+ req.ui.setconfig('hooks', 'prepushkey.hg-ssh',
67	+ 'python:__main__.rejectpush', 'hg-ssh')
68	+ dispatch.dispatch(req)
69	else:
70	sys.stderr.write('Illegal repository "%s"\n' % repo)
71	sys.exit(255)
72	diff --git a/mercurial/dispatch.py b/mercurial/dispatch.py
73	--- a/mercurial/dispatch.py
74	+++ b/mercurial/dispatch.py
75	@@ -155,6 +155,37 @@
76	pass # happens if called in a thread
77
78	def _runcatchfunc():
79	+ realcmd = None
80	+ try:
81	+ cmdargs = fancyopts.fancyopts(req.args[:], commands.globalopts, {})
82	+ cmd = cmdargs[0]
83	+ aliases, entry = cmdutil.findcmd(cmd, commands.table, False)
84	+ realcmd = aliases[0]
85	+ except (error.UnknownCommand, error.AmbiguousCommand,
86	+ IndexError, getopt.GetoptError):
87	+ # Don't handle this here. We know the command is
88	+ # invalid, but all we're worried about for now is that
89	+ # it's not a command that server operators expect to
90	+ # be safe to offer to users in a sandbox.
91	+ pass
92	+ if realcmd == 'serve' and '--stdio' in cmdargs:
93	+ # We want to constrain 'hg serve --stdio' instances pretty
94	+ # closely, as many shared-ssh access tools want to grant
95	+ # access to run only 'hg -R $repo serve --stdio'. We
96	+ # restrict to exactly that set of arguments, and prohibit
97	+ # any repo name that starts with '--' to prevent
98	+ # shenanigans wherein a user does something like pass
99	+ # --debugger or --config=ui.debugger=1 as a repo
100	+ # name. This used to actually run the debugger.
101	+ if (len(req.args) != 4 or
102	+ req.args[0] != '-R' or
103	+ req.args[1].startswith('--') or
104	+ req.args[2] != 'serve' or
105	+ req.args[3] != '--stdio'):
106	+ raise error.Abort(
107	+ _('potentially unsafe serve --stdio invocation: %r') %
108	+ (req.args,))
109	+
110	try:
111	debugger = 'pdb'
112	debugtrace = {
113	diff --git a/tests/test-ssh.t b/tests/test-ssh.t
114	--- a/tests/test-ssh.t
115	+++ b/tests/test-ssh.t
116	@@ -357,6 +357,19 @@
117	abort: destination 'a repo' is not empty
118	[255]
119
120	+Make sure hg is really paranoid in serve --stdio mode. It used to be
121	+possible to get a debugger REPL by specifying a repo named --debugger.
122	+ $ hg -R --debugger serve --stdio
123	+ abort: potentially unsafe serve --stdio invocation: ['-R', '--debugger', 'serve', '--stdio']
124	+ [255]
125	+ $ hg -R --config=ui.debugger=yes serve --stdio
126	+ abort: potentially unsafe serve --stdio invocation: ['-R', '--config=ui.debugger=yes', 'serve', '--stdio']
127	+ [255]
128	+Abbreviations of 'serve' also don't work, to avoid shenanigans.
129	+ $ hg -R narf serv --stdio
130	+ abort: potentially unsafe serve --stdio invocation: ['-R', 'narf', 'serv', '--stdio']
131	+ [255]
132	+
133	Test hg-ssh using a helper script that will restore PYTHONPATH (which might
134	have been cleared by a hg.exe wrapper) and invoke hg-ssh with the right
135	parameters:


diff --git a/meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb b/meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.bb index a08acd9504..693d4e40dd 100644 --- a/meta-oe/recipes-devtools/mercurial/mercurial-native_4.0.1.bb +++ b/meta-oe/recipes-devtools/mercurial/mercurial-native_4.4.bb
@@ -5,11 +5,9 @@ LICENSE = "GPLv2"
5	LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"	5	LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
6	DEPENDS = "python-native"	6	DEPENDS = "python-native"
7		7
8	SRC_URI = "https://www.mercurial-scm.org/release/${BP}.tar.gz \	8	SRC_URI = "https://www.mercurial-scm.org/release/${BP}.tar.gz"
9	file://mercurial-CVE-2017-9462.patch \	9	SRC_URI[md5sum] = "c1d9fad1b7ed7077b0d4ae82e71154db"
10	"	10	SRC_URI[sha256sum] = "234af4a67565c85923b0a1910c704ab44bcf12f69b85532687208776563d87de"
11	SRC_URI[md5sum] = "22a9b1d7c0c06a53f0ae5b386d536d08"
12	SRC_URI[sha256sum] = "6aa4ade93c1b5e11937820880a466ebf1c824086d443cd799fc46e2617250d40"
13		11
14	S = "${WORKDIR}/mercurial-${PV}"	12	S = "${WORKDIR}/mercurial-${PV}"
15		13