Bug 1085211 (CVE-2018-1000132)

Summary: VUL-0: CVE-2018-1000132: mercurial: HTTP server permissions bypass
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: abergmann, antoine.mechelynck, astieger, develop7, smash_bz, wolfgang
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/201788/
Whiteboard: CVSSv3:RedHat:CVE-2018-1000132:6.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) CVSSv3:SUSE:CVE-2018-1000132:6.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) CVSSv2:NVD:CVE-2018-1000132:6.4:(AV:N/AC:L/Au:N/C:P/I:P/A:N) CVSSv3:NVD:CVE-2018-1000132:9.1:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1087615    
Bug Blocks:    

Description Marcus Meissner 2018-03-14 06:56:52 UTC 
rh#1553265

Quote from release notes:

All versions of Mercurial prior to 4.5.2 have vulnerabilities in the HTTP server that allow permissions bypass to:

    Perform writes on repositories that should be read-only
    Perform reads on repositories that shouldn't allow read access 

The nature of the vulnerabilities is:

    Wire protocol commands that didn't explicitly declare their permissions had no permissions checking done. The web.{allow-pull, allow-push, deny_read, etc} config options governing access control were never consulted when running these commands. This allowed permissions bypass for impacted commands.

    The batch wire protocol command did not list its permission requirements nor did it enforce permissions on individual sub-commands. 

The implication of these vulnerabilities is that no permissions checking was performed on commands and this could lead to accessing data that web.* config options were supposed to prevent access to or modifying data (via wire protocol commands that can mutate data) without authorization. A Mercurial HTTP server in its default configuration is supposed to be read-only. However, a well-crafted batch command could invoke commands that perform writes.

Upstream patch:

https://www.mercurial-scm.org/repo/hg/rev/2ecb0fc535b1

References:

https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1553265
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000132
Comment 1 Swamp Workflow Management 2018-03-15 10:00:12 UTC 
This is an autogenerated message for OBS integration:
This bug (1085211) was mentioned in
https://build.opensuse.org/request/show/587447 Factory / mercurial
Comment 3 Swamp Workflow Management 2018-03-29 15:00:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1085211) was mentioned in
https://build.opensuse.org/request/show/592337 42.3 / mercurial
Comment 4 Andreas Stieger 2018-03-30 11:57:06 UTC 
(In reply to Swamp Workflow Management from comment #3)
> This is an autogenerated message for OBS integration:
> This bug (1085211) was mentioned in
> https://build.opensuse.org/request/show/592337 42.3 / mercurial

Regression reported by community tester in bug 1087615, also seen myself
Comment 5 Takashi Iwai 2018-04-04 13:49:15 UTC 
(In reply to Andreas Stieger from comment #4)
> (In reply to Swamp Workflow Management from comment #3)
> > This is an autogenerated message for OBS integration:
> > This bug (1085211) was mentioned in
> > https://build.opensuse.org/request/show/592337 42.3 / mercurial
> 
> Regression reported by community tester in bug 1087615, also seen myself

The revised fix was submitted via SR#593555.
Comment 6 Swamp Workflow Management 2018-04-04 14:20:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1085211) was mentioned in
https://build.opensuse.org/request/show/593555 42.3 / mercurial
Comment 7 Takashi Iwai 2018-04-06 15:22:57 UTC 
The fix was submitted for SLE12:Update, SR#161223.
Comment 9 Swamp Workflow Management 2018-04-10 22:09:26 UTC 
openSUSE-SU-2018:0917-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1085211
CVE References: CVE-2018-1000132
Sources used:
openSUSE Leap 42.3 (src):    mercurial-4.2.3-12.1
Comment 10 Swamp Workflow Management 2018-04-12 19:07:50 UTC 
SUSE-SU-2018:0933-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1085211
CVE References: CVE-2018-1000132
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    mercurial-2.8.2-15.10.1
Comment 11 Takashi Iwai 2018-06-07 14:57:37 UTC 
As the backport is difficult for the old code base, I leave SLE11 and older untouched.  The package is in SDK, so it's not really supported for SLE11 any longer, AFAIK.

Back to security team.
Comment 17 Alexander Bergmann 2019-07-22 12:52:47 UTC 
SLE11-SP3 -> WONTFIX

Closing bug for SLE-12 as fixed.