Bug 978391 (CVE-2016-3105)

Summary:	VUL-0: CVE-2016-3105: Mercurial: prior to 3.8 allowed arbitrary code execution when using theconvert extension on Git repo...
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Sebastian Krahmer <krahmer>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	security-team, smash_bz, tiwai
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/168581/
Whiteboard:	CVSSv2:RedHat:CVE-2015-7545:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-3105:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-3105:6.0:(AV:N/AC:M/Au:S/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-3105:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Sebastian Krahmer 2016-05-04 08:02:45 UTC

CVE-2016-3105



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3105
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3105.html

Comment 1 Takashi Iwai 2016-05-09 14:43:36 UTC

The upstream fix in branch stable: a56296f55a5e
  convert: pass absolute paths to git (SEC)

Comment 2 Bernhard Wiedemann 2016-05-09 17:00:11 UTC

This is an autogenerated message for OBS integration:
This bug (978391) was mentioned in
https://build.opensuse.org/request/show/394494 42.1 / mercurial
https://build.opensuse.org/request/show/394495 13.2 / mercurial

Comment 4 Takashi Iwai 2016-05-10 12:59:50 UTC

Submitted to all relevant branches.  Reassigning back to security team now.

Comment 5 Swamp Workflow Management 2016-05-18 13:08:20 UTC

openSUSE-SU-2016:1336-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 978391
CVE References: CVE-2016-3105
Sources used:
openSUSE Leap 42.1 (src):    mercurial-3.5.1-6.1
openSUSE 13.2 (src):    mercurial-3.1.2-10.1

Comment 6 Marcus Meissner 2016-05-30 07:47:15 UTC

https://selenic.com/hg/rev/a56296f55a5e

QA REPRODUCER Inside:

git init 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #'
cd 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #'
git commit -q --allow-empty -m 'empty'
cd ..
hg convert 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #' 'converted-git-ext'
test -f GIT-EXT-COMMAND-INJECTION

Comment 7 Sebastian Krahmer 2016-05-30 13:32:14 UTC

released

Comment 8 Swamp Workflow Management 2016-05-30 17:08:03 UTC

SUSE-SU-2016:1442-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 978391
CVE References: CVE-2016-3105
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    mercurial-2.8.2-9.1
SUSE Linux Enterprise Software Development Kit 12 (src):    mercurial-2.8.2-9.1

Comment 9 Swamp Workflow Management 2016-05-30 17:08:18 UTC

SUSE-SU-2016:1443-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 978391
CVE References: CVE-2016-3105
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    mercurial-2.3.2-0.14.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    mercurial-2.3.2-0.14.2