Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP3:GA
mercurial.7061
hg-CVE-2016-3105.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File hg-CVE-2016-3105.patch of Package mercurial.7061
# HG changeset patch # User Blake Burkhart <bburky@bburky.com> # Date 1460001466 18000 # Wed Apr 06 22:57:46 2016 -0500 # Branch stable # Node ID a56296f55a5e1038ea5016dace2076b693c28a56 # Parent 27ad6cae7785b59f918f5e3ed33a2f1e88a60d4f convert: pass absolute paths to git (SEC) Fixes CVE-2016-3105 (1/1). Previously, it was possible for the repository path passed to git-ls-remote to be misinterpreted as a URL. Always passing an absolute path to git is a simple way to avoid this. --- hgext/convert/git.py | 4 ++++ tests/test-convert-git.t | 20 +++++++++++++++++++- tests/test-convert.t | 2 +- 3 files changed, 24 insertions(+), 2 deletions(-) --- a/hgext/convert/git.py +++ b/hgext/convert/git.py @@ -50,6 +50,10 @@ class convert_git(converter_source, comm super(convert_git, self).__init__(ui, path, rev=rev) commandline.__init__(self, ui, 'git') + # Pass an absolute path to git to prevent from ever being interpreted + # as a URL + path = os.path.abspath(path) + if os.path.isdir(path + "/.git"): path += "/.git" if not os.path.exists(path + "/objects"): --- a/tests/test-convert-git.t +++ b/tests/test-convert-git.t @@ -421,7 +421,7 @@ damage git repository by renaming a comm $ COMMIT_OBJ=1c/0ce3c5886f83a1d78a7b517cdff5cf9ca17bdd $ mv git-repo4/.git/objects/$COMMIT_OBJ git-repo4/.git/objects/$COMMIT_OBJ.tmp $ hg convert git-repo4 git-repo4-broken-hg 2>&1 | grep 'abort:' - abort: cannot retrieve number of commits in git-repo4/.git + abort: cannot retrieve number of commits in $TESTTMP/git-repo4/.git $ mv git-repo4/.git/objects/$COMMIT_OBJ.tmp git-repo4/.git/objects/$COMMIT_OBJ damage git repository by renaming a blob object @@ -453,3 +453,21 @@ test for escaping the repo name (CVE-201 updating bookmarks $ test -f COMMAND-INJECTION [1] + +test for safely passing paths to git (CVE-2016-3105) + + $ git init 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #' + Initialized empty Git repository in $TESTTMP/ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #/.git/ + $ cd 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #' + $ git commit -q --allow-empty -m 'empty' + $ cd .. + $ hg convert 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #' 'converted-git-ext' + initializing destination converted-git-ext repository + scanning source... + sorting... + converting... + 0 empty + updating bookmarks + $ test -f GIT-EXT-COMMAND-INJECTION + [1] + --- a/tests/test-convert.t +++ b/tests/test-convert.t @@ -358,7 +358,7 @@ running from a devel copy, not a temp in assuming destination emptydir-hg initializing destination emptydir-hg repository emptydir does not look like a CVS checkout - emptydir does not look like a Git repository + $TESTTMP/emptydir does not look like a Git repository emptydir does not look like a Subversion repository emptydir is not a local Mercurial repository emptydir does not look like a darcs repository
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor