Security releases for Git, Mercurial, and Subversion

Gregory Szorc gps at mozilla.com
Fri Aug 11 17:28:08 UTC 2017


On Thu, Aug 10, 2017 at 12:10 PM, Gregory Szorc <gps at mozilla.com> wrote:

> Git, Mercurial, and Subversion just had a coordinated release to mitigate
> a security vulnerability regarding the parsing of ssh:// URLs. Essentially,
> well-crafted ssh:// URLs (e.g. in a subrepo, submodule, or svn:externals
> references) could lead to local code execution. If you run a command like
> `git clone --recurse-submodules` or `hg pull --update` and nefarious data
> is received, you could be p0wned.
>
> This is tracked in at least CVE-2017-1000116 and CVE-2017-1000117.
>
> In addition, Mercurial issued a security fix for symlink handling that
> could result in arbitrary filesystem write (attempts) for well-crafted
> symlinks. This is CVE-2017-1000115.
>
> You should upgrade your version control clients ASAP to eliminate exposure
> to these bugs. Until you do, be extra cognizant where you pull from -
> especially any operation related to subrepos/submodules.
>
> As of today, hg.mozilla.org is now configured to not allow subrepos and
> symlinks on non-user repos. The main Firefox repos have been audited and no
> "bad" data is present. So, the canonical Firefox repos cannot be used as a
> delivery vehicle for these exploits. I anticipate popular hosting services
> like GitHub and Bitbucket will take similar actions and make similar
> announcements.
>
> Critical version control infrastructure like hg.mozilla.org and Autoland
> has been patched for several days courtesy of responsible early disclosure
> of the vulnerabilities and fixes from the Mercurial Project.
>
> Announcements:
>
> hg: https://www.mercurial-scm.org/pipermail/mercurial/2017-
> August/050522.html
> git: http://marc.info/?l=git&m=150238802328673&w=2
> svn: http://mail-archives.apache.org/mod_mbox/subversion-
> announce/201708.mbox/%3C2fefe468-7d41-11e7-aea1-
> 9312c6089150%40apache.org%3E
>
>
Following up...

The Mozilla tracking bugs for these security releases are:

Mercurial: 1385978
Git: 1386035
Subversion: 1386038

(Note: only the Mercurial one is currently public)

There were some failures in Mercurial's release process yesterday.

Mercurial 4.3.1 was released shortly after 4.3 because 4.3 didn't include
the security fixes. If you upgraded to 4.3 yesterday, please run `hg
version` and make sure you are on 4.3.1 and upgrade if not.

Also, PyPI isn't hosting a tar.gz for Mercurial 4.2.3 because of a mix-up
involving uploading of that file and PyPI's inability to replace a file
once uploaded. If you need to `pip install Mercurial` from source (any
platform not Windows - which should pick up the binary Python wheel
packages from PyPI), you can add a `--find-links
https://www.mercurial-scm.org/release/` to `pip install` or a pip
requirements file and it will find the tar.gz from Mercurial's official
hosting location. The SHA-256 for pip requirements pinning (which you
should almost always use) is
04908fc7d89e5810edf3d2762f5aecce5b5c0cb8534f3dbff7d0d848d11ff7ac. (GPG
signature available at aforementioned URL if you want to verify.)

There's also one known regression in 4.3.1 that impacts old Python 2.7
releases. If you get an error mentioning "branchmap.py" and "bytearray",
this will be fixed in 4.3.2. It isn't clear if 4.3.2 will be released
before the next scheduled minor release on September 1.

If you've been impacted by the Try/pushlog outages recently, it is fallout
from this. We had to shotgun upgrade all important infrastructure to
Mercurial 4.2 last week to prepare for this release. My perception is the
upgrade problems aren't worthy of running a custom Mercurial 4.1 build
(which would be a hassle). So we've been working through the problems as
they arise (with the assumption that issues are infrequent, easily
correctable, and will be addressed soon). Hopefully the recent high
stability of hg.mozilla.org relative to where it was 5 years ago has built
up enough karma that a few days of instability is tolerable. But I do
apologize if this has caused any inconvenience: I hate being blocked on
getting things done as much as you do. I hope to have upgrade fallout bugs
sorted out by next week. Bug 1359641 tracks everything related to the 4.2
upgrade.

Finally, little has landed to prepare things like version-control-tools
extensions for Mercurial 4.3. That is normally something I do the week or
two before a major release. But the security fire drill preempted that
work. If you find random bugs with our custom extensions with 4.3, that's
probably why. If you want to help, ping me (gps) in #vcs on IRC. It would
be particularly useful to find a champion to keep the `mach bootstrap`
Mercurial functionality up to date. Anyway, track 4.3 things against bug
1389562.

Sorry for the wall of text and the disruptions. It has been a very chaotic
~2 weeks to prepare and handle this security event.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/firefox-dev/attachments/20170811/107f9d62/attachment-0001.html>


More information about the firefox-dev mailing list