Jakub Wilk reported: I recently discovered that it is possible to create a maliciously crafted patch that, when imported by a victim, will rename arbitrary files, even outside the repository. Patch and reproducer: http://www.selenic.com/hg/rev/87c704ac92d4
mercurial-1.0.1-r2 with the linked patch is in the tree.
Arches, please test and mark stable: =dev-util/mercurial-1.0.1-r2 Target keywords: "alpha amd64 ia64 ppc ppc64 sparc x86"
amd64 stable
alpha/ia64/sparc/x86 stable
ppc stable
ppc64 done
GLSA vote... I vote YES.
YES too, filing request.
GLSA 200807-09.