Bug 978391 - (CVE-2016-3105) VUL-0: CVE-2016-3105: Mercurial: prior to 3.8 allowed arbitrary code execution when using theconvert extension on Git repo...
(CVE-2016-3105)
VUL-0: CVE-2016-3105: Mercurial: prior to 3.8 allowed arbitrary code executio...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/168581/
CVSSv2:RedHat:CVE-2015-7545:6.8:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-05-04 08:02 UTC by Sebastian Krahmer
Modified: 2016-05-30 17:08 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Takashi Iwai 2016-05-09 14:43:36 UTC
The upstream fix in branch stable: a56296f55a5e
  convert: pass absolute paths to git (SEC)
Comment 2 Bernhard Wiedemann 2016-05-09 17:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (978391) was mentioned in
https://build.opensuse.org/request/show/394494 42.1 / mercurial
https://build.opensuse.org/request/show/394495 13.2 / mercurial
Comment 4 Takashi Iwai 2016-05-10 12:59:50 UTC
Submitted to all relevant branches.  Reassigning back to security team now.
Comment 5 Swamp Workflow Management 2016-05-18 13:08:20 UTC
openSUSE-SU-2016:1336-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 978391
CVE References: CVE-2016-3105
Sources used:
openSUSE Leap 42.1 (src):    mercurial-3.5.1-6.1
openSUSE 13.2 (src):    mercurial-3.1.2-10.1
Comment 6 Marcus Meissner 2016-05-30 07:47:15 UTC
https://selenic.com/hg/rev/a56296f55a5e

QA REPRODUCER Inside:

git init 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #'
cd 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #'
git commit -q --allow-empty -m 'empty'
cd ..
hg convert 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #' 'converted-git-ext'
test -f GIT-EXT-COMMAND-INJECTION
Comment 7 Sebastian Krahmer 2016-05-30 13:32:14 UTC
released
Comment 8 Swamp Workflow Management 2016-05-30 17:08:03 UTC
SUSE-SU-2016:1442-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 978391
CVE References: CVE-2016-3105
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    mercurial-2.8.2-9.1
SUSE Linux Enterprise Software Development Kit 12 (src):    mercurial-2.8.2-9.1
Comment 9 Swamp Workflow Management 2016-05-30 17:08:18 UTC
SUSE-SU-2016:1443-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 978391
CVE References: CVE-2016-3105
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    mercurial-2.3.2-0.14.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    mercurial-2.3.2-0.14.2