SCM-Manager and Log4Shell

Rene Pfeuffer

Dec 13, 2021, 3:58:25 AM
to scmmanager
Hi Community,

you can find our statement regarding the Log4Shell vulnerability in log4j here.

tl;dr: SCM-Manager should be safe.

Regards
René

Rene Pfeuffer

Dec 14, 2021, 2:46:12 PM
to scmmanager
Today, the Logback team released a new version in response to a new vulnerability. Although this does not sound nearly as dangerous as the Log4Shell issue, we released SCM-Manager 2.27.3 with the fixed version and we would recommend updating your installations.

Frank Lauter

Dec 15, 2021, 12:27:06 PM
to scmma...@googlegroups.com
Any problems with the update...
AFAIK it is working. But with one repo I'm unable to push. (SCM Unknown error)

Frank

--
You received this message because you are subscribed to the Google Groups "scmmanager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to scmmanager+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/scmmanager/7dd35544-7e29-4591-a564-c6b1a9e12732n%40googlegroups.com.

Rene Pfeuffer

Dec 16, 2021, 2:18:34 AM
to scmmanager
Hi Frank,

this is a bit vague. Can you give us a stacktrace from the logs? Was the repository working flawlessly before? Was it an update from 2.27.2 to 2.27.3 or were you running another version? So many questions :-)

Thanks
René

Frank Lauter

Dec 18, 2021, 11:17:54 AM
to scmma...@googlegroups.com
emm.. I have no clue, but I have nothing in the logfile. I've followed every tutorial to enable logging...
But.
if I switch from default to my branch over the SCM-Manager web interface I get a (translated)
Error: Internal Server error
In the Server an internal Error happened. Please contact the Administrator for more hints.
Context
Error Code:  CmR8GCJb31
Transaktion-ID :  DPSrxjKeC53


Frank Lauter

Dec 18, 2021, 11:21:09 AM
to scmma...@googlegroups.com

PS:
TortoiseHG Console output: 
Gegenseite: adding changesets
Gegenseite: adding manifests
Gegenseite: adding file changes
Gegenseite: added 4 changesets with 25 changes to 25 files
Gegenseite: [SCM] Error: unknown error
Gegenseite: transaction abort!
Gegenseite: rollback completed
Gegenseite: pretxnchangegroup.scm hook failed
abgebrochen: push failed on remote
AFAIK I have no hooks installed.

Rene Pfeuffer

Dec 20, 2021, 2:56:45 AM
to scmmanager
Can you please install the Support Plugin? With this one, you can easily start a trace log. If tracing is enabled, please reproduce the error, stop the trace and take a look at the logs once more. You should get a hit when you search for the transaction ID from the error message that is shown at that time. There, you should find a stack trace.

Frank Lauter

Dec 20, 2021, 10:07:16 AM
to scmma...@googlegroups.com
I could find: 

WARN  sonia.scm.api.FallbackExceptionMapper - mapping unexpected com.aragost.javahg.internals.RuntimeIOException to status code 500
com.aragost.javahg.internals.RuntimeIOException: Input length = 1

But this is "just" the error for the Webinterface. The Error in the log for the Hg Push I found:

15:01:49.833 [HgHookWorker-1] ERROR sonia.scm.repository.spi.HgHookChangesetProvider - could not retrieve changesets
com.aragost.javahg.internals.RuntimeIOException: Input length = 1
at com.aragost.javahg.internals.Utils.asRuntime(Utils.java:437)
at com.aragost.javahg.internals.Utils.decodeBytes(Utils.java:243)
at com.aragost.javahg.internals.Utils.decodeBytes(Utils.java:223)
at com.aragost.javahg.internals.HgInputStream.textUpTo(HgInputStream.java:430)
at sonia.scm.repository.spi.javahg.AbstractChangesetCommand.createFromInputStream(AbstractChangesetCommand.java:240)
at sonia.scm.repository.spi.javahg.AbstractChangesetCommand.readListFromStream(AbstractChangesetCommand.java:164)
at sonia.scm.repository.spi.javahg.HgLogChangesetCommand.execute(HgLogChangesetCommand.java:65)
at sonia.scm.repository.spi.HgHookChangesetProvider.handleRequest(HgHookChangesetProvider.java:70)
at sonia.scm.repository.api.HgHookBranchProvider.changesets(HgHookBranchProvider.java:115)
at sonia.scm.repository.api.HgHookBranchProvider.collect(HgHookBranchProvider.java:125)
at sonia.scm.repository.api.HgHookBranchProvider.getDeletedOrClosed(HgHookBranchProvider.java:89)
at sonia.scm.repository.DefaultBranchDeleteProtection.protectDefaultBranch(DefaultBranchDeleteProtection.java:57)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at com.github.legman.InvocationContext.invoke(InvocationContext.java:108)
at com.github.legman.InvocationContext.proceed(InvocationContext.java:101)
at com.github.legman.micrometer.MicrometerInvocationInterceptor.invoke(MicrometerInvocationInterceptor.java:47)
at com.github.legman.InvocationContext.proceed(InvocationContext.java:99)
at com.github.legman.EventHandler.handleEvent(EventHandler.java:103)
at com.github.legman.SynchronizedEventHandler.handleEvent(SynchronizedEventHandler.java:52)
at com.github.legman.EventBus.dispatchSynchronous(EventBus.java:452)
at com.github.legman.EventBus.dispatch(EventBus.java:446)
at com.github.legman.EventBus.dispatchSynchronousQueuedEvents(EventBus.java:421)
at com.github.legman.EventBus.post(EventBus.java:333)
at sonia.scm.event.LegmanScmEventBus.post(LegmanScmEventBus.java:92)
at sonia.scm.repository.AbstractRepositoryManager.fireHookEvent(AbstractRepositoryManager.java:57)
at sonia.scm.repository.spi.HookEventFacade$HookEventHandler.fireHookEvent(HookEventFacade.java:137)
at sonia.scm.repository.hooks.DefaultHookHandler.fireHook(DefaultHookHandler.java:119)
at sonia.scm.repository.hooks.DefaultHookHandler.handleHookRequest(DefaultHookHandler.java:105)
at sonia.scm.repository.hooks.DefaultHookHandler.handleHookRequest(DefaultHookHandler.java:90)
at sonia.scm.repository.hooks.DefaultHookHandler.run(DefaultHookHandler.java:77)
at sonia.scm.repository.hooks.HookServer.lambda$associateSecurityManager$1(HookServer.java:103)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.nio.charset.MalformedInputException: Input length = 1
at java.base/java.nio.charset.CoderResult.throwException(CoderResult.java:274)
at java.base/java.nio.charset.CharsetDecoder.decode(CharsetDecoder.java:813)
at com.aragost.javahg.internals.Utils.decodeBytes(Utils.java:241)
... 37 common frames omitted
15:01:49.846 [HgHookWorker-1] INFO  com.aragost.javahg.internals.Server - Command server stopped: /var/lib/scm/repositories/3NSoY2vemIF/data
15:01:49.846 [HgHookWorker-1] WARN  sonia.scm.repository.hooks.DefaultHookHandler - unknown error on hook occurred

Rene Pfeuffer

Dec 23, 2021, 8:25:23 AM
to scmmanager
Does this repository have a `default` branch? SCM-Manager does not really support hg repositories without a `default`.

Frank Lauter

Jan 12, 2022, 4:32:17 AM
to scmma...@googlegroups.com
Yes, it has.
That is really terrible, first it was only a repository, now it happens at 5 / 30.


Frank Lauter

Jan 12, 2022, 3:56:21 PM
to scmma...@googlegroups.com
Hello Rene!
After many hours of troubleshooting, I found the problem.
As of 2.25.0, SCM-Manager does not allow filenames with German characters like "ü"!
Version 2.24.0 is the latest version that supports German chars in filenames!
I have confirmed that this is related to the SCM-Server, not to Mercurial.
I assume the problem is with the change of #1825 as this change is related to the error message (pretxnchangegroup.scm hook failed).

Happy new year.
Frank

PS: Every German developer owes my friend Craig and me a beer!

Rene Pfeuffer

Jan 21, 2022, 8:31:48 AM
to scmmanager
Hi Frank,

sorry for the late response. I don't get why you think #1825 could have anything to do with this. Here only an import in the frontend is fixed. This has no effect on the backend whatsoever.

We cannot reproduce errors with umlauts. Also, we cannot think of anything we changed that might affect encodings. For Mercurial repositories it is crucial to configure the correct encoding. If you commit using Windows for example, you may have to set the encoding either globally (Administration - Settings - Mercurial) or for the repositories (in the general settings for the repo) to "CP1252" for example. Could you check this one?

Regards
René

Frank Lauter

Jan 22, 2022, 9:29:45 PM
to scmma...@googlegroups.com
I don't know where I should change an encoding, but one fact is 100% clear:
With Version 2.24.0 the filenames with German chars like öäü ß work fine, with
Version 2.25.0 it is broken...
Frank

Rene Pfeuffer

Jan 24, 2022, 4:49:22 AM
to scmmanager
Have you tested the new releases with the exact same scm home folder? As mentioned in the last answer, the encoding can be configured globally in 'Administration - Settings - Mercurial' or for a repository in the repo settings. If you work with Windows clients, you have to set this to 'CP1252'.

If this does not help, can you send us a test repository with correct encoding that cannot be pushed to SCM-Manager?

René
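
Added example, not part of the thread and not SCM-Manager or javahg code: the stack trace above ends in CharsetDecoder.decode throwing "MalformedInputException: Input length = 1", which is what a strict decoder reports when bytes written in one encoding are read as another, the situation the encoding setting mentioned in the last two replies addresses. The sketch assumes the server side decodes as UTF-8 (the thread does not state the configured value); the class name, helper names and the sample file name are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

public class HgEncodingCheck {

    // Strict decode: malformed bytes raise an exception instead of
    // being silently replaced with U+FFFD.
    static String decodeStrict(byte[] raw, Charset cs) throws CharacterCodingException {
        return cs.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(raw))
                .toString();
    }

    // Tries one candidate encoding and describes the outcome.
    static String tryDecode(byte[] raw, Charset cs) {
        try {
            return cs.name() + ": ok -> " + decodeStrict(raw, cs);
        } catch (CharacterCodingException e) {
            return cs.name() + ": " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Charset cp1252 = Charset.forName("windows-1252");
        // Constructed sample: a file name with an umlaut as a CP1252 client
        // would write it ("\u00fc" is the single byte 0xFC in that encoding).
        byte[] fromClient = "Pr\u00fcfung.txt".getBytes(cp1252);

        // Assumed server-side setting of UTF-8: 0xFC is never a valid UTF-8 byte,
        // so the strict decoder rejects it as one malformed byte.
        System.out.println(tryDecode(fromClient, StandardCharsets.UTF_8));
        // Decoding with the encoding the client actually used succeeds.
        System.out.println(tryDecode(fromClient, cp1252));
    }
}
```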
