
Bug 230193 (CVE-2008-2942)

Summary: dev-util/mercurial <1.0.1-r2 Patch arbitrary file rename (CVE-2008-2942)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: nelchael
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.selenic.com/hg/rev/87c704ac92d4
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-06-30 14:59:31 UTC
Jakub Wilk reported:
I recently discovered that it is possible to create a maliciously crafted
patch that, when imported by a victim, will rename arbitrary files, even
outside the repository.

Patch and reproducer:
http://www.selenic.com/hg/rev/87c704ac92d4
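As an added illustration of the defensive check this class of bug calls for (example code written for this page, not Mercurial's own code or the linked patch): collect every path a git-style patch asks the importer to touch, including rename/copy headers, and refuse any that resolves outside the repository root. The sample patch, the repository root and the helper names are constructed assumptions.

```python
import os
import re

# Constructed sample: a git-style patch whose rename target escapes the repo.
SAMPLE_PATCH = """\
diff --git a/notes.txt b/../outside/notes.txt
rename from notes.txt
rename to ../outside/notes.txt
diff --git a/README b/README
--- a/README
+++ b/README
@@ -1 +1 @@
-old
+new
"""

# Header lines from which a patch importer derives file paths.
_PATH_HEADERS = re.compile(
    r"^(?:rename (?:from|to)|copy (?:from|to)|\+\+\+|---) (.+)$", re.MULTILINE)
_GIT_DIFF = re.compile(r"^diff --git a/(\S+) b/(\S+)$", re.MULTILINE)


def patch_paths(patch_text):
    """Return every file path the patch asks the importer to read, write or rename."""
    paths = set()
    for m in _PATH_HEADERS.finditer(patch_text):
        p = m.group(1).strip()
        if p == "/dev/null":
            continue  # creation/deletion marker, not a real path
        p = re.sub(r"^[ab]/", "", p)  # strip the git a/ and b/ prefixes
        paths.add(p)
    for m in _GIT_DIFF.finditer(patch_text):
        paths.update(m.groups())
    return paths


def escapes_repo(path, repo_root):
    """True if a patch-supplied path resolves outside repo_root."""
    root = os.path.realpath(repo_root)
    if os.path.isabs(path):
        return True
    target = os.path.realpath(os.path.join(root, path))
    return os.path.commonpath([root, target]) != root


def unsafe_paths(patch_text, repo_root):
    """Paths an importer must refuse before creating, renaming or writing anything."""
    return sorted(p for p in patch_paths(patch_text) if escapes_repo(p, repo_root))
```

An importer that runs this check before touching the working directory rejects the whole patch when the list is non-empty, rather than renaming into a location it never validated.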
Comment 1 Krzysztof Pawlik (RETIRED) gentoo-dev 2008-07-01 06:34:42 UTC
mercurial-1.0.1-r2 with the linked patch is in the tree.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-07-01 08:28:16 UTC
Arches, please test and mark stable:
=dev-util/mercurial-1.0.1-r2
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"
Comment 3 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2008-07-03 00:38:52 UTC
amd64 stable
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2008-07-03 16:07:10 UTC
alpha/ia64/sparc/x86 stable
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-05 10:28:20 UTC
ppc stable
Comment 6 Brent Baude (RETIRED) gentoo-dev 2008-07-05 13:39:24 UTC
ppc64 done
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 18:22:41 UTC
glsa vote... I vote YES.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2008-07-15 10:36:48 UTC
YES too, filing request.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2008-07-15 23:03:41 UTC
GLSA 200807-09.