Debian DLA-237-1 : mercurial security update

2015-06-0500:00:00

www.tenable.com

CVE-2014-9462

Jesse Hertz of Matasano Security discovered that Mercurial, a distributed version control system, is prone to a command injection vulnerability via a crafted repository name in a clone command.

CVE-2014-9390

is a security vulnerability that affects mercurial repositories in a case-insensitive filesystem (eg. VFAT or HFS+). It allows for remote code execution of a specially crafted repository. This is less severe for the average Debian installation as they are usually set up with case-sensitive filesystems.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-237-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(83995);
  script_version("2.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  script_cve_id("CVE-2014-9390", "CVE-2014-9462");
  script_bugtraq_id(71732, 73688);

  script_name(english:"Debian DLA-237-1 : mercurial security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"CVE-2014-9462

Jesse Hertz of Matasano Security discovered that Mercurial, a
distributed version control system, is prone to a command injection
vulnerability via a crafted repository name in a clone command.

CVE-2014-9390

is a security vulnerability that affects mercurial repositories in a
case-insensitive filesystem (eg. VFAT or HFS+). It allows for remote
code execution of a specially crafted repository. This is less severe
for the average Debian installation as they are usually set up with
case-sensitive filesystems.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2015/06/msg00001.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/squeeze-lts/mercurial"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Upgrade the affected mercurial, and mercurial-common packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Malicious Git and Mercurial HTTP Server For CVE-2014-9390');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mercurial");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mercurial-common");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/06/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/05");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"6.0", prefix:"mercurial", reference:"1.6.4-1+deb6u1")) flag++;
if (deb_check(release:"6.0", prefix:"mercurial-common", reference:"1.6.4-1+deb6u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

VendorProductVersionCPE
debiandebian_linuxmercurialp-cpe:/a:debian:debian_linux:mercurial
debiandebian_linuxmercurial-commonp-cpe:/a:debian:debian_linux:mercurial-common
debiandebian_linux6.0cpe:/o:debian:debian_linux:6.0

Vendor	Product	Version	CPE
debian	debian_linux	mercurial	p-cpe:/a:debian:debian_linux:mercurial
debian	debian_linux	mercurial-common	p-cpe:/a:debian:debian_linux:mercurial-common
debian	debian_linux	6.0	cpe:/o:debian:debian_linux:6.0