new file mode 100644

@@ -0,0 +1,53 @@

+--- a/mercurial/subrepo.py	Wed Mar 16 17:30:26 2016 -0700

+@@ -1383,6 +1383,11 @@

+         are not supported and very probably fail.

+         """

+         self.ui.debug('%s: git %s\n' % (self._relpath, ' '.join(commands)))

++        if env is None:

++            env = os.environ.copy()

++        # fix for Git CVE-2015-7545

++        if 'GIT_ALLOW_PROTOCOL' not in env:

++            env['GIT_ALLOW_PROTOCOL'] = 'file:git:http:https:ssh'

+         # unless ui.quiet is set, print git's stderr,

+         # which is mostly progress and useful info

+         errpipe = None

+--- a/tests/test-subrepo-git.t	Wed Mar 16 17:30:26 2016 -0700

+@@ -1132,4 +1132,36 @@

+   ? s/foobar.orig

+   ? s/snake.python.orig

+ 

++test for Git CVE-2016-3068

++  $ hg init malicious-subrepository

++  $ cd malicious-subrepository

++  $ echo "s = [git]ext::sh -c echo% pwned% >&2" > .hgsub

++  $ git init s

++  Initialized empty Git repository in $TESTTMP/tc/malicious-subrepository/s/.git/

++  $ cd s

++  $ git commit --allow-empty -m 'empty'

++  [master (root-commit) 153f934] empty

+   $ cd ..

++  $ hg add .hgsub

++  $ hg commit -m "add subrepo"

++  $ cd ..

++  $ env -u GIT_ALLOW_PROTOCOL hg clone malicious-subrepository malicious-subrepository-protected

++  Cloning into '$TESTTMP/tc/malicious-subrepository-protected/s'...

++  fatal: transport 'ext' not allowed

++  updating to branch default

++  cloning subrepo s from ext::sh -c echo% pwned% >&2

++  abort: git clone error 128 in s (in subrepo s)

++  [255]

++

++whitelisting of ext should be respected (that's the git submodule behaviour)

++  $ env GIT_ALLOW_PROTOCOL=ext hg clone malicious-subrepository malicious-subrepository-clone-allowed

++  Cloning into '$TESTTMP/tc/malicious-subrepository-clone-allowed/s'...

++  pwned

++  fatal: Could not read from remote repository.

++  

++  Please make sure you have the correct access rights

++  and the repository exists.

++  updating to branch default

++  cloning subrepo s from ext::sh -c echo% pwned% >&2

++  abort: git clone error 128 in s (in subrepo s)

++  [255]

new file mode 100644

@@ -0,0 +1,50 @@

+--- a/hgext/convert/git.py	Sun Mar 20 21:52:21 2016 -0700

+@@ -11,7 +11,7 @@

+ from mercurial.node import hex, nullid

+ from mercurial.i18n import _

+ 

+-from common import NoRepo, commit, converter_source, checktool

++from common import NoRepo, commit, converter_source, checktool, commandline

+ 

+ class submodule(object):

+     def __init__(self, path, node, url):

+@@ -25,7 +25,7 @@

+     def hgsubstate(self):

+         return "%s %s" % (self.node, self.path)

+ 

+-class convert_git(converter_source):

++class convert_git(converter_source, commandline):

+     # Windows does not support GIT_DIR= construct while other systems

+     # cannot remove environment variable. Just assume none have

+     # both issues.

+@@ -71,6 +71,21 @@

+         def gitpipe(self, s):

+             return util.popen3('GIT_DIR=%s %s' % (self.path, s))

+ 

++    def _gitcmd(self, cmd, *args, **kwargs):

++        return cmd('--git-dir=%s' % self.path, *args, **kwargs)

++

++    def gitrun0(self, *args, **kwargs):

++        return self._gitcmd(self.run0, *args, **kwargs)

++

++    def gitrun(self, *args, **kwargs):

++        return self._gitcmd(self.run, *args, **kwargs)

++

++    def gitrunlines0(self, *args, **kwargs):

++        return self._gitcmd(self.runlines0, *args, **kwargs)

++

++    def gitrunlines(self, *args, **kwargs):

++        return self._gitcmd(self.runlines, *args, **kwargs)

++

+     def popen_with_stderr(self, s):

+         p = subprocess.Popen(s, shell=True, bufsize=-1,

+                              close_fds=util.closefds,

+@@ -88,6 +103,7 @@

+ 

+     def __init__(self, ui, path, revs=None):

+         super(convert_git, self).__init__(ui, path, revs=revs)

++        commandline.__init__(self, ui, 'git')

+ 

+         if os.path.isdir(path + "/.git"):

+             path += "/.git"

new file mode 100644

@@ -0,0 +1,173 @@

+--- a/hgext/convert/git.py	Tue Mar 22 17:05:11 2016 -0700

+@@ -115,13 +115,13 @@

+         if similarity < 0 or similarity > 100:

+             raise error.Abort(_('similarity must be between 0 and 100'))

+         if similarity > 0:

+-            self.simopt = '-C%d%%' % similarity

++            self.simopt = ['-C%d%%' % similarity]

+             findcopiesharder = ui.configbool('convert', 'git.findcopiesharder',

+                                              False)

+             if findcopiesharder:

+-                self.simopt += ' --find-copies-harder'

++                self.simopt.append('--find-copies-harder')

+         else:

+-            self.simopt = ''

++            self.simopt = []

+ 

+         checktool('git', 'git')

+ 

+@@ -136,14 +136,14 @@

+ 

+     def getheads(self):

+         if not self.revs:

+-            heads, ret = self.gitread('git rev-parse --branches --remotes')

+-            heads = heads.splitlines()

+-            if ret:

++            output, status = self.gitrun('rev-parse', '--branches', '--remotes')

++            heads = output.splitlines()

++            if status:

+                 raise error.Abort(_('cannot retrieve git heads'))

+         else:

+             heads = []

+             for rev in self.revs:

+-                rawhead, ret = self.gitread("git rev-parse --verify %s" % rev)

++                rawhead, ret = self.gitrun('rev-parse', '--verify', rev)

+                 heads.append(rawhead[:-1])

+                 if ret:

+                     raise error.Abort(_('cannot retrieve git head "%s"') % rev)

+@@ -203,7 +203,7 @@

+                 self.submodules.append(submodule(s['path'], '', s['url']))

+ 

+     def retrievegitmodules(self, version):

+-        modules, ret = self.gitread("git show %s:%s" % (version, '.gitmodules'))

++        modules, ret = self.gitrun('show', '%s:%s' % (version, '.gitmodules'))

+         if ret:

+             # This can happen if a file is in the repo that has permissions

+             # 160000, but there is no .gitmodules file.

+@@ -219,7 +219,7 @@

+             return

+ 

+         for m in self.submodules:

+-            node, ret = self.gitread("git rev-parse %s:%s" % (version, m.path))

++            node, ret = self.gitrun('rev-parse', '%s:%s' % (version, m.path))

+             if ret:

+                 continue

+             m.node = node.strip()

+@@ -228,15 +228,17 @@

+         if full:

+             raise error.Abort(_("convert from git does not support --full"))

+         self.modecache = {}

+-        fh = self.gitopen("git diff-tree -z --root -m -r %s %s" % (

+-            self.simopt, version))

++        cmd = ['diff-tree','-z', '--root', '-m', '-r'] + self.simopt + [version]

++        output, status = self.gitrun(*cmd)

++        if status:

++            raise error.Abort(_('cannot read changes in %s') % version)

+         changes = []

+         copies = {}

+         seen = set()

+         entry = None

+         subexists = [False]

+         subdeleted = [False]

+-        difftree = fh.read().split('\x00')

++        difftree = output.split('\x00')

+         lcount = len(difftree)

+         i = 0

+ 

+@@ -298,8 +300,6 @@

+                     if f != '.gitmodules' and fdest != '.gitmodules':

+                         copies[fdest] = f

+             entry = None

+-        if fh.close():

+-            raise error.Abort(_('cannot read changes in %s') % version)

+ 

+         if subexists[0]:

+             if subdeleted[0]:

+@@ -345,17 +345,23 @@

+         return c

+ 

+     def numcommits(self):

+-        return len([None for _ in self.gitopen('git rev-list --all')])

++        output, ret = self.gitrunlines('rev-list', '--all')

++        if ret:

++            raise error.Abort(_('cannot retrieve number of commits in %s') \

++                              % self.path)

++        return len(output)

+ 

+     def gettags(self):

+         tags = {}

+         alltags = {}

+-        fh = self.gitopen('git ls-remote --tags "%s"' % self.path,

+-                          err=subprocess.STDOUT)

++        output, status = self.gitrunlines('ls-remote', '--tags', self.path)

++

++        if status:

++            raise error.Abort(_('cannot read tags from %s') % self.path)

+         prefix = 'refs/tags/'

+ 

+         # Build complete list of tags, both annotated and bare ones

+-        for line in fh:

++        for line in output:

+             line = line.strip()

+             if line.startswith("error:") or line.startswith("fatal:"):

+                 raise error.Abort(_('cannot read tags from %s') % self.path)

+@@ -363,8 +369,6 @@

+             if not tag.startswith(prefix):

+                 continue

+             alltags[tag[len(prefix):]] = node

+-        if fh.close():

+-            raise error.Abort(_('cannot read tags from %s') % self.path)

+ 

+         # Filter out tag objects for annotated tag refs

+         for tag in alltags:

+@@ -381,18 +385,20 @@

+     def getchangedfiles(self, version, i):

+         changes = []

+         if i is None:

+-            fh = self.gitopen("git diff-tree --root -m -r %s" % version)

+-            for l in fh:

++            output, status = self.gitrunlines('diff-tree', '--root', '-m',

++                                              '-r', version)

++            if status:

++                raise error.Abort(_('cannot read changes in %s') % version)

++            for l in output:

+                 if "\t" not in l:

+                     continue

+                 m, f = l[:-1].split("\t")

+                 changes.append(f)

+         else:

+-            fh = self.gitopen('git diff-tree --name-only --root -r %s '

+-                              '"%s^%s" --' % (version, version, i + 1))

+-            changes = [f.rstrip('\n') for f in fh]

+-        if fh.close():

+-            raise error.Abort(_('cannot read changes in %s') % version)

++            output, status = self.gitrunlines('diff-tree', '--name-only',

++                                              '--root', '-r', version,

++                                              '%s^%s' % (version, i + 1), '--')

++            changes = [f.rstrip('\n') for f in output]

+ 

+         return changes

+ 

+@@ -412,8 +418,8 @@

+         ])

+ 

+         try:

+-            fh = self.gitopen('git show-ref', err=subprocess.PIPE)

+-            for line in fh:

++            output, status = self.gitrunlines('show-ref')

++            for line in output:

+                 line = line.strip()

+                 rev, name = line.split(None, 1)

+                 # Process each type of branch

+--- a/tests/test-convert-git.t	Tue Mar 22 17:05:11 2016 -0700

+@@ -714,7 +714,7 @@

+   $ COMMIT_OBJ=1c/0ce3c5886f83a1d78a7b517cdff5cf9ca17bdd

+   $ mv git-repo4/.git/objects/$COMMIT_OBJ git-repo4/.git/objects/$COMMIT_OBJ.tmp

+   $ hg convert git-repo4 git-repo4-broken-hg 2>&1 | grep 'abort:'

+-  abort: cannot read tags from git-repo4/.git

++  abort: cannot retrieve number of commits in git-repo4/.git

+   $ mv git-repo4/.git/objects/$COMMIT_OBJ.tmp git-repo4/.git/objects/$COMMIT_OBJ

+ damage git repository by renaming a blob object

+ 

new file mode 100644

@@ -0,0 +1,59 @@

+--- a/hgext/convert/git.py	Tue Mar 22 17:05:11 2016 -0700

+@@ -30,23 +30,6 @@

+     # cannot remove environment variable. Just assume none have

+     # both issues.

+     if util.safehasattr(os, 'unsetenv'):

+-        def gitopen(self, s, err=None):

+-            prevgitdir = os.environ.get('GIT_DIR')

+-            os.environ['GIT_DIR'] = self.path

+-            try:

+-                if err == subprocess.PIPE:

+-                    (stdin, stdout, stderr) = util.popen3(s)

+-                    return stdout

+-                elif err == subprocess.STDOUT:

+-                    return self.popen_with_stderr(s)

+-                else:

+-                    return util.popen(s, 'rb')

+-            finally:

+-                if prevgitdir is None:

+-                    del os.environ['GIT_DIR']

+-                else:

+-                    os.environ['GIT_DIR'] = prevgitdir

+-

+         def gitpipe(self, s):

+             prevgitdir = os.environ.get('GIT_DIR')

+             os.environ['GIT_DIR'] = self.path

+@@ -59,15 +42,6 @@

+                     os.environ['GIT_DIR'] = prevgitdir

+ 

+     else:

+-        def gitopen(self, s, err=None):

+-            if err == subprocess.PIPE:

+-                (sin, so, se) = util.popen3('GIT_DIR=%s %s' % (self.path, s))

+-                return so

+-            elif err == subprocess.STDOUT:

+-                    return self.popen_with_stderr(s)

+-            else:

+-                return util.popen('GIT_DIR=%s %s' % (self.path, s), 'rb')

+-

+         def gitpipe(self, s):

+             return util.popen3('GIT_DIR=%s %s' % (self.path, s))

+ 

+@@ -86,16 +60,6 @@

+     def gitrunlines(self, *args, **kwargs):

+         return self._gitcmd(self.runlines, *args, **kwargs)

+ 

+-    def popen_with_stderr(self, s):

+-        p = subprocess.Popen(s, shell=True, bufsize=-1,

+-                             close_fds=util.closefds,

+-                             stdin=subprocess.PIPE,

+-                             stdout=subprocess.PIPE,

+-                             stderr=subprocess.STDOUT,

+-                             universal_newlines=False,

+-                             env=None)

+-        return p.stdout

+-

+     def gitread(self, s):

+         fh = self.gitopen(s)

+         data = fh.read()

new file mode 100644

@@ -0,0 +1,55 @@

+--- a/hgext/convert/common.py	Tue Mar 22 17:05:11 2016 -0700

+@@ -341,6 +341,9 @@

+     def _run2(self, cmd, *args, **kwargs):

+         return self._dorun(util.popen2, cmd, *args, **kwargs)

+ 

++    def _run3(self, cmd, *args, **kwargs):

++        return self._dorun(util.popen3, cmd, *args, **kwargs)

++

+     def _dorun(self, openfunc, cmd,  *args, **kwargs):

+         cmdline = self._cmdline(cmd, *args, **kwargs)

+         self.ui.debug('running: %s\n' % (cmdline,))

+--- a/hgext/convert/git.py	Tue Mar 22 17:05:11 2016 -0700

+@@ -29,21 +29,6 @@

+     # Windows does not support GIT_DIR= construct while other systems

+     # cannot remove environment variable. Just assume none have

+     # both issues.

+-    if util.safehasattr(os, 'unsetenv'):

+-        def gitpipe(self, s):

+-            prevgitdir = os.environ.get('GIT_DIR')

+-            os.environ['GIT_DIR'] = self.path

+-            try:

+-                return util.popen3(s)

+-            finally:

+-                if prevgitdir is None:

+-                    del os.environ['GIT_DIR']

+-                else:

+-                    os.environ['GIT_DIR'] = prevgitdir

+-

+-    else:

+-        def gitpipe(self, s):

+-            return util.popen3('GIT_DIR=%s %s' % (self.path, s))

+ 

+     def _gitcmd(self, cmd, *args, **kwargs):

+         return cmd('--git-dir=%s' % self.path, *args, **kwargs)

+@@ -60,6 +45,9 @@

+     def gitrunlines(self, *args, **kwargs):

+         return self._gitcmd(self.runlines, *args, **kwargs)

+ 

++    def gitpipe(self, *args, **kwargs):

++        return self._gitcmd(self._run3, *args, **kwargs)

++

+     def gitread(self, s):

+         fh = self.gitopen(s)

+         data = fh.read()

+@@ -92,7 +80,7 @@

+         self.path = path

+         self.submodules = []

+ 

+-        self.catfilepipe = self.gitpipe('git cat-file --batch')

++        self.catfilepipe = self.gitpipe('cat-file', '--batch')

+ 

+     def after(self):

+         for f in self.catfilepipe:

new file mode 100644

@@ -0,0 +1,23 @@

+--- a/tests/test-convert-git.t	Tue Mar 22 17:05:11 2016 -0700

+@@ -729,3 +729,20 @@

+   $ mv git-repo4/.git/objects/$TREE_OBJ git-repo4/.git/objects/$TREE_OBJ.tmp

+   $ hg convert git-repo4 git-repo4-broken-hg 2>&1 | grep 'abort:'

+   abort: cannot read changes in 1c0ce3c5886f83a1d78a7b517cdff5cf9ca17bdd

++

++test for escaping the repo name (CVE-2016-3069)

++

++  $ git init '`echo pwned >COMMAND-INJECTION`'

++  Initialized empty Git repository in $TESTTMP/`echo pwned >COMMAND-INJECTION`/.git/

++  $ cd '`echo pwned >COMMAND-INJECTION`'

++  $ git commit -q --allow-empty -m 'empty'

++  $ cd ..

++  $ hg convert '`echo pwned >COMMAND-INJECTION`' 'converted'

++  initializing destination converted repository

++  scanning source...

++  sorting...

++  converting...

++  0 empty

++  updating bookmarks

++  $ test -f COMMAND-INJECTION

++  [1]

new file mode 100644

@@ -0,0 +1,62 @@

+--- a/hgext/convert/git.py  Sun May 01 13:52:26 2016 -0500

+@@ -57,6 +57,10 @@ class convert_git(converter_source, commandline):

+         super(convert_git, self).__init__(ui, path, revs=revs)

+         commandline.__init__(self, ui, 'git')

+ 

++        # Pass an absolute path to git to prevent from ever being interpreted

++        # as a URL

++        path = os.path.abspath(path)

++

+         if os.path.isdir(path + "/.git"):

+             path += "/.git"

+         if not os.path.exists(path + "/objects"):

+

+--- a/tests/test-convert-git.t  Sun May 01 13:52:26 2016 -0500

+@@ -714,7 +714,7 @@

+   $ COMMIT_OBJ=1c/0ce3c5886f83a1d78a7b517cdff5cf9ca17bdd

+   $ mv git-repo4/.git/objects/$COMMIT_OBJ git-repo4/.git/objects/$COMMIT_OBJ.tmp

+   $ hg convert git-repo4 git-repo4-broken-hg 2>&1 | grep 'abort:'

+-  abort: cannot retrieve number of commits in git-repo4/.git

++  abort: cannot retrieve number of commits in $TESTTMP/git-repo4/.git

+   $ mv git-repo4/.git/objects/$COMMIT_OBJ.tmp git-repo4/.git/objects/$COMMIT_OBJ

+ damage git repository by renaming a blob object

+ 

+@@ -746,3 +746,21 @@ test for escaping the repo name (CVE-2016-3069)

+   updating bookmarks

+   $ test -f COMMAND-INJECTION

+   [1]

++

++test for safely passing paths to git (CVE-2016-3105)

++

++  $ git init 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #'

++  Initialized empty Git repository in $TESTTMP/ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #/.git/

++  $ cd 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #'

++  $ git commit -q --allow-empty -m 'empty'

++  $ cd ..

++  $ hg convert 'ext::sh -c echo% pwned% >GIT-EXT-COMMAND-INJECTION% #' 'converted-git-ext'

++  initializing destination converted-git-ext repository

++  scanning source...

++  sorting...

++  converting...

++  0 empty

++  updating bookmarks

++  $ test -f GIT-EXT-COMMAND-INJECTION

++  [1]

++

+

+

+--- a/tests/test-convert.t  Sun May 01 13:52:26 2016 -0500

+@@ -422,7 +422,7 @@

+   assuming destination emptydir-hg

+   initializing destination emptydir-hg repository

+   emptydir does not look like a CVS checkout

+-  emptydir does not look like a Git repository

++  $TESTTMP/emptydir does not look like a Git repository

+   emptydir does not look like a Subversion repository

+   emptydir is not a local Mercurial repository

+   emptydir does not look like a darcs repository

+

+

@@ -1,23 +1,37 @@

-Summary:	Mercurial-3.1.2

-Name:		mercurial

-Version:	3.7.1

-Release:	4%{?dist}

-License:	GPLv2+

-URL:		https://www.ruby-lang.org/en/

-Group:		System Environment/Security

-Vendor:		VMware, Inc.

+Summary:    A free, distributed source control management tool.

+Name:       mercurial

+Version:    3.7.1

+Release:    5%{?dist}

+License:    GPLv2+

+URL:        https://www.ruby-lang.org/en/

+Group:      System Environment/Security

+Vendor:     VMware, Inc.

 Distribution: Photon

-Source0:	http://mercurial.selenic.com/release/%{name}-%{version}.tar.gz

+Source0:    http://mercurial.selenic.com/release/%{name}-%{version}.tar.gz

 %define sha1 mercurial=8ce55b297c6a62e987657498746eeca870301ffb

-BuildRequires:	python2-devel

-BuildRequires:	python2-libs

-Requires:	python2

+Patch0:   hg-CVE-2016-3068.patch

+Patch1:   hg-CVE-2016-3069-1.patch

+Patch2:   hg-CVE-2016-3069-2.patch

+Patch3:   hg-CVE-2016-3069-3.patch

+Patch4:   hg-CVE-2016-3069-4.patch

+Patch5:   hg-CVE-2016-3069-5.patch

+Patch6:   hg-CVE-2016-3105.patch

+BuildRequires:  python2-devel

+BuildRequires:  python2-libs

+Requires:   python2

 %description

 Mercurial is a distributed source control management tool similar to Git and Bazaar.

 Mercurial is written in Python and is used by projects such as Mozilla and Vim.

 %prep

 %setup -q

+%patch0 -p1

+%patch1 -p1

+%patch2 -p1

+%patch3 -p1

+%patch4 -p1

+%patch5 -p1

+%patch6 -p1

 %build

 make build

 %install

@@ -63,19 +77,21 @@ rm -rf %{buildroot}/*

 %exclude /var/opt/%{name}-%{version}/contrib/plan9

 %exclude /var/opt/%{name}-%{version}/build/temp.*

 %changelog

-*       Fri Oct 07 2016 ChangLee <changlee@vmware.com> 3.7.1-4

--       Modified %check

-*	Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 3.7.1-3

--	GA - Bump release of all rpms

-*	Wed May 04 2016 Anish Swaminathan <anishs@vmware.com> 3.7.1-2

--	Edit postun script.

-*       Thu Feb 25 2016 Kumar Kaushik <kaushikk@vmware.com> 3.7.1-1

--       Updating Version.

-*	Wed Dec 09 2015 Anish Swaminathan <anishs@vmware.com> 3.1.2-4

--	Edit post script.

-*	Mon Nov 16 2015 Sharath George <sharathg@vmware.com> 3.1.2-3

--	Change path to /var/opt.

-*	Tue Jun 30 2015 Alexey Makhalov <amakhalov@vmware.com> 3.1.2-2

--	/etc/profile.d permission fix

-*	Mon Oct 13 2014 Divya Thaluru <dthaluru@vmware.com> 3.1.2-1

--	Initial build.	First version

+*   Tue Nov 22 2016 Xiaolin Li <xiaolinl@vmware.com> 3.7.1-5

+-   Apply patches for CVE-2016-3068, CVE-2016-3069, CVE-2016-3105

+*   Fri Oct 07 2016 ChangLee <changlee@vmware.com> 3.7.1-4

+-   Modified %check

+*   Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 3.7.1-3

+-   GA - Bump release of all rpms

+*   Wed May 04 2016 Anish Swaminathan <anishs@vmware.com> 3.7.1-2

+-   Edit postun script.

+*   Thu Feb 25 2016 Kumar Kaushik <kaushikk@vmware.com> 3.7.1-1

+-   Updating Version.

+*   Wed Dec 09 2015 Anish Swaminathan <anishs@vmware.com> 3.1.2-4

+-   Edit post script.

+*   Mon Nov 16 2015 Sharath George <sharathg@vmware.com> 3.1.2-3

+-   Change path to /var/opt.

+*   Tue Jun 30 2015 Alexey Makhalov <amakhalov@vmware.com> 3.1.2-2

+-   /etc/profile.d permission fix

+*   Mon Oct 13 2014 Divya Thaluru <dthaluru@vmware.com> 3.1.2-1

+-   Initial build.  First version