<title>Mercurial: Directory traversal</title>
A directory traversal vulnerability in Mercurial allows for the renaming of
arbitrary files.
<product type="ebuild">mercurial</product>
<announced>July 15, 2008</announced>
<revised>July 15, 2008: 01</revised>
<package name="dev-util/mercurial" auto="yes" arch="*">
<unaffected range="ge">1.0.1-r2</unaffected>
<vulnerable range="lt">1.0.1-r2</vulnerable>
Mercurial is a distributed Source Control Management system.
Jakub Wilk discovered a directory traversal vulnerability in the
applydiff() function in the mercurial/ file.
<impact type="normal">
A remote attacker could entice a user to import a specially crafted
patch, possibly resulting in the renaming of arbitrary files, even
outside the repository.
There is no known workaround at this time.
All Mercurial users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=dev-util/mercurial-1.0.1-r2&quot;</code>
<uri link="">CVE-2008-2942</uri>
<metadata tag="requester" timestamp="Tue, 15 Jul 2008 10:37:24 +0000">
<metadata tag="submitter" timestamp="Tue, 15 Jul 2008 11:41:04 +0000">
<metadata tag="bugReady" timestamp="Tue, 15 Jul 2008 11:48:10 +0000">