mercurial: insufficient input validation allowing file renames out of repository

Bug #244804 reported by tonfa
Affects               Status        Importance  Assigned to  Milestone
mercurial (Debian)    Fix Released  Unknown
mercurial (Fedora)    Fix Released  Low
mercurial (Ubuntu)    Fix Released  High        Unassigned
  Dapper              Won't Fix     Undecided   Unassigned
  Feisty              Won't Fix     Undecided   Unassigned
  Gutsy               Won't Fix     Undecided   Unassigned
  Hardy               Won't Fix     Undecided   Unassigned

Bug Description

Binary package hint: mercurial

Copying from the Red Hat bug report:
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2942 to the following vulnerability:

Directory traversal vulnerability in patch.py in Mercurial 1.0.1
allows user-assisted attackers to modify arbitrary files via ".." (dot
dot) sequences in a patch file.

Upstream patch (+ test case):
http://www.selenic.com/hg/rev/87c704ac92d4

References:
http://www.openwall.com/lists/oss-security/2008/06/30/1


Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2942 to the following vulnerability:

Directory traversal vulnerability in patch.py in Mercurial 1.0.1
allows user-assisted attackers to modify arbitrary files via ".." (dot
dot) sequences in a patch file.

Upstream patch (+ test case):
http://www.selenic.com/hg/rev/87c704ac92d4

References:
http://www.openwall.com/lists/oss-security/2008/06/30/1

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

Test case from upstream commit:

# Mercurial test-suite style: the '%' line labels the test in the expected output
echo % 'test paths outside repo root'
# A file that lives OUTSIDE any repository
mkdir outside
touch outside/foo
# Fresh repository; everything 'hg import' writes must stay under this root
hg init inside
cd inside
# git-style rename header whose source path climbs above the repository root;
# a fixed Mercurial must refuse to touch ../outside/foo
hg import - <<EOF
diff --git a/a b/b
rename from ../outside/foo
rename to bar
EOF
cd ..

This should affect all Fedora / EPEL versions. Security implications are quite
minimal though (see also oss-security thread).

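The fix upstream is to validate every path a patch header names before touching the working directory. As an added example (not Mercurial's own patch.py code), this audits the git-style header lines of a patch against a repository root and flags the "rename from ../outside/foo" header from the test case above; the header set and the names check_patch_path / audit_patch are assumptions for the example.

```python
import os
import re

# git-style extended header lines that carry a file path (assumed subset)
_PATH_HEADERS = re.compile(
    r"^(?:rename from|rename to|copy from|copy to|--- a/|\+\+\+ b/)(.+)$")


class PathOutsideRepo(Exception):
    """Raised when a patch names a path that would escape the repository."""


def check_patch_path(path, root):
    """Return path relative to root, or raise PathOutsideRepo.

    Rejects absolute paths, any '..' component (on either separator), and
    anything whose normalised form does not stay under root.  Symlinks are
    not followed here; a full auditor would also resolve them.
    """
    if os.path.isabs(path):
        raise PathOutsideRepo(path)
    if ".." in path.replace("\\", "/").split("/"):
        raise PathOutsideRepo(path)
    full = os.path.normpath(os.path.join(root, path))
    if os.path.commonpath([root, full]) != root:
        raise PathOutsideRepo(path)
    return os.path.relpath(full, root)


def patch_paths(patch_text):
    """Yield every path mentioned in git-style header lines of a patch."""
    for line in patch_text.splitlines():
        m = _PATH_HEADERS.match(line)
        if m:
            yield m.group(1).strip()


def audit_patch(patch_text, root="/repo"):
    """Return the list of offending paths; an empty list means the patch is safe."""
    bad = []
    for p in patch_paths(patch_text):
        try:
            check_patch_path(p, root)
        except PathOutsideRepo:
            bad.append(p)
    return bad


# Constructed samples: the patch from the test case above, and a harmless rename.
TRAVERSAL_PATCH = "diff --git a/a b/b\nrename from ../outside/foo\nrename to bar\n"
SAFE_PATCH = "diff --git a/a b/b\nrename from a\nrename to b\n"
```

audit_patch(TRAVERSAL_PATCH) returns ['../outside/foo'], so an importer can abort before writing anything, while audit_patch(SAFE_PATCH) returns [].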
Changed in mercurial:
status: Unknown → Confirmed
Changed in mercurial:
status: Unknown → Fix Released
Revision history for this message
Emilio Pozuelo Monfort (pochu) wrote :

Sync requested in bug 244856

Changed in mercurial:
importance: Undecided → High
status: New → In Progress
Revision history for this message
Scott Kitterman (kitterman) wrote :

Fixed in Intrepid.

Changed in mercurial:
status: In Progress → Fix Released
Revision history for this message
Scott Kitterman (kitterman) wrote :

Needs to be investigated for the other releases.

Revision history for this message
Emanuele Gentili (emgent) wrote :
Revision history for this message
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so an SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in mercurial:
status: New → Won't Fix
Revision history for this message
In , Dennis (dennis-redhat-bugs) wrote :

mercurial-1.2-2.el4.1 and mercurial-1.2-2.el5.1 built and on the way to testing

Changed in mercurial (Fedora):
status: Confirmed → Fix Released
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in mercurial (Ubuntu Gutsy):
status: New → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in mercurial (Ubuntu Dapper):
status: New → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in mercurial (Ubuntu Hardy):
status: New → Won't Fix
Changed in mercurial (Fedora):
importance: Unknown → Low