Issue #3702 closed

Client Heartbleed vulnerability

Anonymous created an issue

Near as I can tell, the packaged OpenSSL with the TortoiseHG Windows 32bit installer is vulnerable to CVE-2014-0160 ('Heartbleed').

OpenSSL binary is version 1.0.1c and compiled without the heartbeat disable switch:

Text strings referenced in libeay32:.text, item 85 Address=00B138F8 Disassembly=MOV EAX,libeay32.00BDC8E8 Text string=ASCII "OpenSSL 1.0.1c 10 May 2012"

Text strings referenced in libeay32:.text, item 88 Address=00B13927 Disassembly=PUSH libeay32.00BDC6D0 Text string=ASCII "cl /MD /Ox /O2 /Ob2 -DOPENSSL_THREADS -DDSO_WIN32 -W3 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPEN"...

Comments (7)

  1. Yuya Nishihara

    We have 3 OpenSSL-derived dlls in tortoisehg-2.11.2-hg-2.9.2-x86.msi.

    • _ssl.pyd and _hashlib.pyd "OpenSSL 0.9.8y 5 Feb 2013" (not vulnerable)
      the main module used by Python interpreter
    • LIBEAY32.dll "OpenSSL 1.0.1c 10 May 2012" (vulnerable)
      used by QtNetwork4.dll and libsvn_ra-1.dll (bundled with Subversion?)
    • SSLEAY32.dll "OpenSSL 1.0.0e 6 Sep 2011" (not vulnerable)
      used by QtNetwork and libsvn_ra-1.dll (bundled with PyQt?)

    Mercurial uses Python ssl module, so most SSL communication will be safe. But if you use hgsubversion, it could be affected by CVE-2014-0160.

    We don't use SSL through QtNetwork4, so it can be ignored.


    Reference:

    EDIT: "1.0.0e" is not vulnerable

  2. Steve Borho

    The sad fact is that these DLLs are only used by the subversion bindings - yet another reason to drop the stupid things.

    The only way to update these DLLs is for someone to compile new x86 and x64 subversion SWIG bindings - something the subversion community has never done for themselves.

  3. Yuya Nishihara

    Status of 3.4:

    • LIBEAY32.dll and SSLEAY.dll are no longer in PATH, #4088
    • Subversion SWIG bindings are no longer included
    • strings _ssl.pyd says "OpenSSL 1.0.1j"
    • 32bit package bundles LIBEAY32.dll 1.0.1h, SSLEAY32.dll 1.0.0e
    • 64bit package bundles LIBEAY32.dll 1.0.1h, SSLEAY32.dll 1.0.1h
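As an added example, not code from this thread or from TortoiseHg, here is a Python script that automates the check Yuya did by hand in comment 1 and comment 3: pull the "OpenSSL x.y.z" version strings out of each bundled DLL/PYD and flag the ones in the CVE-2014-0160 range, unless the embedded compiler-flag string shows the build used the heartbeat-disable switch. The DLL contents in SAMPLE_DLLS are constructed stand-ins for the files named in the thread, not real binaries.

```python
import re

# CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g);
# 1.0.2-beta1 was also affected. The 0.9.8 and 1.0.0 branches never
# carried the TLS heartbeat code, so a DLL reporting them is out of scope.
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")

# Constructed sample blobs standing in for the DLLs named in the thread.
SAMPLE_DLLS = {
    "LIBEAY32.dll": b"\x90\x90OpenSSL 1.0.1c 10 May 2012\x00"
                    b"cl /MD /Ox -DOPENSSL_THREADS -DDSO_WIN32\x00",
    "SSLEAY32.dll": b"\x00OpenSSL 1.0.0e 6 Sep 2011\x00",
    "_ssl.pyd": b"OpenSSL 0.9.8y 5 Feb 2013\x00",
    # Same version string, but built with the heartbeat-disable switch.
    "patched.dll": b"OpenSSL 1.0.1c 10 May 2012\x00cl /MD -DOPENSSL_NO_HEARTBEATS\x00",
}

def heartbleed_affected(version: str, build_flags: str = "") -> bool:
    """True when the version is in the vulnerable range and the embedded
    compiler-flag string does not show heartbeats compiled out."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        return False
    major, minor, patch, letter = m.groups()
    if (int(major), int(minor), int(patch)) != (1, 0, 1):
        return False                  # 0.9.8x, 1.0.0x, 1.0.2 final and later
    if letter >= "g":
        return False                  # 1.0.1g and later carry the fix
    return "OPENSSL_NO_HEARTBEATS" not in build_flags

def scan_blob(data: bytes) -> dict:
    """Map each OpenSSL version string found in raw DLL bytes to a verdict.
    OpenSSL embeds its CFLAGS as a C string (the "cl /MD ..." string in the
    report), so -DOPENSSL_NO_HEARTBEATS is visible when it was used."""
    flags = "OPENSSL_NO_HEARTBEATS" if b"OPENSSL_NO_HEARTBEATS" in data else ""
    versions = sorted({m.group(1).decode() for m in VERSION_RE.finditer(data)})
    return {v: heartbleed_affected(v, flags) for v in versions}

def scan_bundle(dlls: dict) -> dict:
    """Scan a mapping of file name -> raw bytes, e.g. every DLL in an install."""
    return {name: scan_blob(data) for name, data in dlls.items()}

if __name__ == "__main__":
    for name, result in scan_bundle(SAMPLE_DLLS).items():
        for version, affected in result.items():
            print(f"{name}: OpenSSL {version} ->", "AFFECTED" if affected else "not affected")
```

On a real install, feed `scan_bundle` the bytes of each *.dll and *.pyd under the TortoiseHg directory; a version string is only an indicator, so a hit still deserves a look at the build flags and at which component actually links the DLL, as the thread does.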