[Secure-testing-team] Bug#773640: CVE-2014-9390: Errors in handling case-sensitive directories allow for remote code execution on pull
Javi Merino
vicho at debian.org
Sun Dec 21 11:38:02 UTC 2014
Package: mercurial
Version: 3.1.2-1
Severity: important
Tags: security upstream
CVE-2014-9390[0][1] is a security vulnerability that affects mercurial
repositories in a case-sensitive filesystem (e.g. VFAT or HFS+). It
allows for remote code execution of a specially crafted repository.
This is less severe for the average Debian installation as they are
usually set up with case-insensitive filesystems.
[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
[1] https://security-tracker.debian.org/tracker/CVE-2014-9390
This affects both Wheezy and Jessie.
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages mercurial depends on:
ii libc6 2.19-13
ii mercurial-common 3.1.2-1
ii python 2.7.8-2
ii ucf 3.0030
Versions of packages mercurial recommends:
ii openssh-client 1:6.7p1-3
Versions of packages mercurial suggests:
pn kdiff3 | kdiff3-qt | kompare | meld | tkcvs | mgdiff <none>
pn qct <none>
-- no debconf information
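As an added example, not part of the bug report above and not Mercurial's own code: a defensive audit over a list of tracked paths (for instance the output of `hg manifest`), flagging any path component that a filesystem which folds case, or ignores certain Unicode characters, would treat as the repository metadata directory even though it is not spelled exactly `.hg`. The sample manifest is constructed; treating Unicode format characters (category `Cf`) as ignorable is an approximation of HFS+ behaviour and is an assumption of this example, as is the `metadir` parameter.

```python
import unicodedata

# Constructed sample manifest: tracked paths as a repository might list them.
# Two of them collide with ".hg" once case is folded / format characters are dropped.
SAMPLE_MANIFEST = [
    "README",
    "src/main.py",
    ".HG/hgrc",            # differs from ".hg" only by case
    ".hg\u200c/hgrc",      # contains a zero-width non-joiner (U+200C)
    "docs/.hg-notes",      # similar-looking but a different name; must not be flagged
]


def is_metadata_dir_alias(component, metadir=".hg"):
    """Return True if `component` is not literally `metadir` but would be
    treated as `metadir` by a filesystem that ignores Unicode format
    characters (assumption: approximates HFS+), applies NFD normalisation
    and compares names case-insensitively."""
    if component == metadir:
        return False
    stripped = "".join(ch for ch in component if unicodedata.category(ch) != "Cf")
    folded = unicodedata.normalize("NFD", stripped).casefold()
    return folded == metadir


def find_metadata_dir_collisions(paths, metadir=".hg"):
    """Return the sorted list of paths that contain at least one component
    aliasing the metadata directory. Every component is checked, which is
    stricter than only looking at the repository root."""
    flagged = []
    for path in paths:
        if any(is_metadata_dir_alias(part, metadir) for part in path.split("/")):
            flagged.append(path)
    return sorted(flagged)


if __name__ == "__main__":
    for path in find_metadata_dir_collisions(SAMPLE_MANIFEST):
        print("collides with .hg on a case-folding filesystem:", repr(path))
```

Run against a real manifest, a non-empty result means the repository contains paths that a checkout on a case-insensitive volume could place inside the metadata directory; the same check with `metadir=".git"` applies the idea to Git repositories.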