Bug 230193 (CVE-2008-2942) - dev-util/mercurial <1.0.1-r2 Patch arbitrary file rename (CVE-2008-2942)
Summary: dev-util/mercurial <1.0.1-r2 Patch arbitrary file rename (CVE-2008-2942)
Alias: CVE-2008-2942
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2008-06-30 14:59 UTC by Robert Buchholz (RETIRED)
Modified: 2008-07-15 23:03 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2008-06-30 14:59:31 UTC
Jakub Wilk reported:
I recently discovered that it is possible to create a maliciously crafted
patch that, when imported by a victim, will rename arbitrary files, even
outside the repository.

Patch and reproducer:
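As an added example (not the reporter's reproducer and not Mercurial's own code), a path-containment check of the kind a patch importer has to apply to every path a patch names, rename and copy headers included, before it touches the filesystem. The header parser is a hypothetical minimal one that only collects paths from git-style diff headers; the sample patches and the /srv/repo root are constructed.

```python
import os
import re

# Hypothetical minimal parser: it collects only the paths a git-style patch
# would touch (diff headers, rename/copy headers), not the hunks themselves.
_HEADER_RE = re.compile(
    r"^(?:diff --git a/(?P<a>\S+) b/(?P<b>\S+)"
    r"|rename (?:from|to) (?P<rn>.+)"
    r"|copy (?:from|to) (?P<cp>.+)"
    r"|\+\+\+ b/(?P<new>\S+)"
    r"|--- a/(?P<old>\S+))$"
)

def target_paths(patch_text):
    """Return every path the patch would read, write, rename or copy."""
    paths = []
    for line in patch_text.splitlines():
        m = _HEADER_RE.match(line)
        if m:
            paths.extend(p for p in m.groups() if p)
    return paths

def is_inside_repo(repo_root, rel_path):
    """True only if rel_path, resolved against repo_root, stays under it.

    Absolute paths are rejected outright; realpath() collapses '..' and
    symlinks, and commonpath() (rather than startswith) keeps a sibling
    such as /srv/repo2 from passing as /srv/repo.
    """
    if os.path.isabs(rel_path):
        return False
    root = os.path.realpath(repo_root)
    candidate = os.path.realpath(os.path.join(root, rel_path))
    return os.path.commonpath([root, candidate]) == root

def check_patch(repo_root, patch_text):
    """Return the paths that escape repo_root; an empty list means apply."""
    return [p for p in target_paths(patch_text) if not is_inside_repo(repo_root, p)]

# Constructed sample patches (not the reporter's reproducer).
SAFE_PATCH = "diff --git a/src/old.py b/src/new.py\nrename from src/old.py\nrename to src/new.py\n"
ESCAPING_PATCH = "diff --git a/src/old.py b/src/old.py\nrename from src/old.py\nrename to ../escaped.txt\n"

if __name__ == "__main__":
    print(check_patch("/srv/repo", SAFE_PATCH))      # []
    print(check_patch("/srv/repo", ESCAPING_PATCH))  # ['../escaped.txt']
```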
Comment 1 Krzysztof Pawlik (RETIRED) gentoo-dev 2008-07-01 06:34:42 UTC
mercurial-1.0.1-r2 with the linked patch is in the tree.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-07-01 08:28:16 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"
Comment 3 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2008-07-03 00:38:52 UTC
amd64 stable
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2008-07-03 16:07:10 UTC
alpha/ia64/sparc/x86 stable
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-05 10:28:20 UTC
ppc stable
Comment 6 Brent Baude (RETIRED) gentoo-dev 2008-07-05 13:39:24 UTC
ppc64 done
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 18:22:41 UTC
glsa vote... I vote YES.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2008-07-15 10:36:48 UTC
YES too, filing request.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2008-07-15 23:03:41 UTC
GLSA 200807-09.