Bug 978391 (CVE-2016-3105)

Summary: VUL-0: CVE-2016-3105: Mercurial: prior to 3.8 allowed arbitrary code execution when using the convert extension on Git repo...
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team, smash_bz, tiwai
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/168581/
Whiteboard: CVSSv2:RedHat:CVE-2015-7545:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-3105:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-3105:6.0:(AV:N/AC:M/Au:S/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-3105:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Takashi Iwai 2016-05-09 14:43:36 UTC
The upstream fix in branch stable: a56296f55a5e
  convert: pass absolute paths to git (SEC)
Comment 2 Bernhard Wiedemann 2016-05-09 17:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (978391) was mentioned in
https://build.opensuse.org/request/show/394494 42.1 / mercurial
https://build.opensuse.org/request/show/394495 13.2 / mercurial
Comment 4 Takashi Iwai 2016-05-10 12:59:50 UTC
Submitted to all relevant branches.  Reassigning back to security team now.
Comment 5 Swamp Workflow Management 2016-05-18 13:08:20 UTC
openSUSE-SU-2016:1336-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 978391
CVE References: CVE-2016-3105
Sources used:
openSUSE Leap 42.1 (src):    mercurial-3.5.1-6.1
openSUSE 13.2 (src):    mercurial-3.1.2-10.1
Comment 6 Marcus Meissner 2016-05-30 07:47:15 UTC
https://selenic.com/hg/rev/a56296f55a5e

QA REPRODUCER Inside:

git init 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #'
cd 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #'
git commit -q --allow-empty -m 'empty'
cd ..
hg convert 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #' 'converted-git-ext'
test -f GIT-EXT-COMMAND-INJECTION
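
Why the fix named in Comment 1 ("pass absolute paths to git") closes the reproducer above, shown as an added Python example that is not part of this bug report or Mercurial's code: git treats an argument of the form `<helper>::<address>` as a remote-helper invocation, and an absolute path can never begin that way. The regex is a simplified model of git's check, and `remote_helper_name`, `absolute_source`, `audit` and the `/srv/convert` directory are hypothetical names.

```python
import os
import re

# Simplified model (assumption) of how git recognises "<helper>::<address>":
# a run of URL-scheme characters starting with a letter, followed by "::".
_HELPER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)::")


def remote_helper_name(arg):
    """Return the helper git would select for arg, or None for a plain path."""
    m = _HELPER_RE.match(arg)
    return m.group(1) if m else None


def absolute_source(path, cwd=None):
    """Hypothetical helper: anchor a user-supplied repo path before git sees it."""
    base = cwd if cwd is not None else os.getcwd()
    return os.path.normpath(os.path.join(base, path))


def audit(paths, cwd="/srv/convert"):
    """Per path: (raw, helper selected as given, helper selected after anchoring)."""
    report = []
    for p in paths:
        fixed = absolute_source(p, cwd)
        report.append((p, remote_helper_name(p), remote_helper_name(fixed)))
    return report


# Constructed sample inputs; the first is the directory name from the reproducer.
SAMPLES = [
    "ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #",
    "projects/upstream.git",
    "fd::17",
    "./ext::literal-dir",
]

if __name__ == "__main__":
    for raw, before, after in audit(SAMPLES):
        print(f"{raw!r}: helper before={before!r} after={after!r}")
```

The same check can be used to audit other wrappers that hand user-controlled repository paths to git: any argument for which `remote_helper_name` returns a value is being interpreted as a transport, not as a directory.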
Comment 7 Sebastian Krahmer 2016-05-30 13:32:14 UTC
released
Comment 8 Swamp Workflow Management 2016-05-30 17:08:03 UTC
SUSE-SU-2016:1442-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 978391
CVE References: CVE-2016-3105
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    mercurial-2.8.2-9.1
SUSE Linux Enterprise Software Development Kit 12 (src):    mercurial-2.8.2-9.1
Comment 9 Swamp Workflow Management 2016-05-30 17:08:18 UTC
SUSE-SU-2016:1443-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 978391
CVE References: CVE-2016-3105
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    mercurial-2.3.2-0.14.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    mercurial-2.3.2-0.14.2