Bugzilla – Bug 1085211
VUL-0: CVE-2018-1000132: mercurial: HTTP server permissions bypass
Last modified: 2019-07-22 14:45:06 UTC
rh#1553265 Quote from release notes: All versions of Mercurial prior to 4.5.2 have vulnerabilities in the HTTP server that allow permissions bypass to: Perform writes on repositories that should be read-only Perform reads on repositories that shouldn't allow read access The nature of the vulnerabilities is: Wire protocol commands that didn't explicitly declare their permissions had no permissions checking done. The web.{allow-pull, allow-push, deny_read, etc} config options governing access control were never consulted when running these commands. This allowed permissions bypass for impacted commands. The batch wire protocol command did not list its permission requirements nor did it enforce permissions on individual sub-commands. The implication of these vulnerabilities is that no permissions checking was performed on commands and this could lead to accessing data that web.* config options were supposed to prevent access to or modifying data (via wire protocol commands that can mutate data) without authorization. A Mercurial HTTP server in its default configuration is supposed to be read-only. However, a well-crafted batch command could invoke commands that perform writes. Upstream patch: https://www.mercurial-scm.org/repo/hg/rev/2ecb0fc535b1 References: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29 References: https://bugzilla.redhat.com/show_bug.cgi?id=1553265 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000132
This is an autogenerated message for OBS integration: This bug (1085211) was mentioned in https://build.opensuse.org/request/show/587447 Factory / mercurial
This is an autogenerated message for OBS integration: This bug (1085211) was mentioned in https://build.opensuse.org/request/show/592337 42.3 / mercurial
(In reply to Swamp Workflow Management from comment #3) > This is an autogenerated message for OBS integration: > This bug (1085211) was mentioned in > https://build.opensuse.org/request/show/592337 42.3 / mercurial Regression reported by community tester in bug 1087615, also seen myself
(In reply to Andreas Stieger from comment #4) > (In reply to Swamp Workflow Management from comment #3) > > This is an autogenerated message for OBS integration: > > This bug (1085211) was mentioned in > > https://build.opensuse.org/request/show/592337 42.3 / mercurial > > Regression reported by community tester in bug 1087615, also seen myself The revised fix was submitted via SR#593555.
This is an autogenerated message for OBS integration: This bug (1085211) was mentioned in https://build.opensuse.org/request/show/593555 42.3 / mercurial
The fix was submitted for SLE12:Update, SR#161223.
openSUSE-SU-2018:0917-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1085211 CVE References: CVE-2018-1000132 Sources used: openSUSE Leap 42.3 (src): mercurial-4.2.3-12.1
SUSE-SU-2018:0933-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1085211 CVE References: CVE-2018-1000132 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP3 (src): mercurial-2.8.2-15.10.1
As the backport is difficult for the old code base, I leave SLE11 and older untouched. The package is in SDK, so it's not really supported for SLE11 any longer, AFAIK. Back to security team.
SLE11-SP3 -> WONTFIX Closing bug for SLE-12 as fixed.