Mercurial 4.6.1 Security Release


Gregory Szorc

Jun 7, 2018, 8:24:41 PM
to dev-version-control, Firefox Dev
Mercurial 4.6.1 was released yesterday and contains fixes for security
issues that could potentially result in arbitrary code execution when
pulling from repositories containing well-crafted repository data. tl;dr
fuzzing the C code for applying Mercurial's binary deltas found a number of
memory safety errors that could potentially be exploited.

With the patches applied, Mercurial will abort if it sees malformed data
attempting to exploit these issues. `hg verify` can be used to ensure a
repository does not contain [known] malicious data.

Patches for these issues were responsibly disclosed to Mozilla under
embargo and hg.mozilla.org and reviewboard-hg.mozilla.org were patched last
week. All repositories were scanned and there were no signs of any
malicious data on those servers. This means that it should be safe for
unpatched clients to pull from hg.mozilla.org and reviewboard-hg.mozilla.org,
since these servers are "inoculated" against the issues. However, it is
still a good idea to upgrade clients so you are safe when pulling from any
server.

I believe all extensions installed by `mach mercurial-setup` are compatible
with Mercurial 4.6. So upgrading should not pose any major risks to
day-to-day workflows. If you do find problems, please report issues in
Bugzilla in the Developer Services product. If you want to use Mercurial
4.5, a patched version of 4.5.3 can be found at
https://s3-us-west-2.amazonaws.com/moz-packages/mercurial-4.5.3%2B9-1ed250f701ee.tar.gz.
You can `pip install <URL>` to install it. Its SHA-256 hash can be found at
https://hg.mozilla.org/hgcustom/version-control-tools/file/aeb07da19cd3/ansible/roles/hg-ssh-server/files/requirements-pash.txt#l11.

Please chain any bugs related to this security release up to bug 1457939.

I'd like to thank Connor Sheehan for all his help upgrading our Mercurial
infrastructure to better prepare us for this security release.
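The post points at a patched tarball and a separately published SHA-256 digest, and recommends `hg verify` for checking repositories. As an added example (mine, not code from the post, from Mozilla's tooling, or from Mercurial), here is the client-side routine that advice implies: fetch the archive, refuse to hand it to pip unless its digest matches the expected one, and afterwards run `hg verify` over local clones. The tarball URL, the expected digest and the repository paths are parameters the caller supplies; the digest itself is deliberately not reproduced here, since only the linked requirements file is authoritative for it.

```shell
#!/bin/sh
# Added example, not part of the original post: verify a downloaded tarball's
# SHA-256 before installing it with pip, then run `hg verify` on local clones.
# The URL, digest and repository paths are all assumed inputs from the caller.
set -eu

# Print the SHA-256 hex digest of a file. Works with GNU sha256sum and with
# BSD/macOS shasum, whichever is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if the file's digest equals the expected hex digest (case-insensitive),
# 1 otherwise. The whole digest must match; a prefix is never accepted.
sha256_matches() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Download a tarball to a temporary file, check its digest, and only then
# install it. pip accepts a local archive path just as it accepts a URL.
install_pinned_tarball() {
    url=$1
    expected=$2
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    curl -fsSL -o "$tmp" "$url"
    if ! sha256_matches "$tmp" "$expected"; then
        echo "SHA-256 mismatch for $url; refusing to install" >&2
        return 1
    fi
    pip install "$tmp"
}

# Run `hg verify` on each repository path given and report which ones fail.
# hg verify exits non-zero when it finds integrity problems in the store.
verify_repos() {
    rc=0
    for repo in "$@"; do
        if hg -R "$repo" verify >/dev/null 2>&1; then
            echo "ok   $repo"
        else
            echo "FAIL $repo" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (assumed invocation, nothing runs unless a subcommand is given):
#   ./hg-upgrade.sh install <tarball-url> <expected-sha256>
#   ./hg-upgrade.sh verify ~/src/mozilla-central ~/src/comm-central
case "${1:-}" in
    install) install_pinned_tarball "$2" "$3" ;;
    verify)  shift; verify_repos "$@" ;;
esac
```

The digest comparison is a full-string equality on lowercase hex, so a truncated or partially pasted digest fails closed rather than matching by prefix. If the expected digest is published in pip's `--hash=sha256:...` requirements format, `pip install --require-hashes -r <file>` performs the same check natively and is the better choice where that file is what you already have.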