Bug 453550 (CVE-2008-2942)

Summary: CVE-2008-2942 mercurial: insufficient input validation allowing file renames out of repository
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Version: unspecified
CC: dennis, mmcgrath, ndbecker2
Keywords: Security
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2942
Doc Type: Bug Fix
Last Closed: 2009-04-15 07:17:36 UTC
Bug Depends On: 464632

Description Tomas Hoger 2008-07-01 09:50:11 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2942 to the following vulnerability:

Directory traversal vulnerability in patch.py in Mercurial 1.0.1
allows user-assisted attackers to modify arbitrary files via ".." (dot
dot) sequences in a patch file.

Upstream patch (+ test case):
http://www.selenic.com/hg/rev/87c704ac92d4

References:
http://www.openwall.com/lists/oss-security/2008/06/30/1

Comment 1 Tomas Hoger 2008-07-01 09:54:12 UTC
Test case from upstream commit:

echo % 'test paths outside repo root'
mkdir outside
touch outside/foo
hg init inside
cd inside
hg import - <<EOF
diff --git a/a b/b
rename from ../outside/foo
rename to bar
EOF
cd ..

This should affect all Fedora / EPEL versions.  Security implications are quite
minimal though (see also oss-security thread).
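
A pre-apply check for the issue described above, as an added example (not Mercurial's patch.py and not the upstream fix): it collects every path named in a git-style patch and reports those that resolve outside the repository root. The function names, and the assumption that each file section starts with a `diff` line, are this example's own.

```python
import os
import re

# Header lines that name a file the patch will touch.
_PATH_LINE = re.compile(r"^(rename from|rename to|copy from|copy to|---|\+\+\+) (.+)$")


def patch_paths(patch_text):
    """Yield (header, path) for each file path named in a git-style patch."""
    in_hunk = False
    for line in patch_text.splitlines():
        if line.startswith("diff "):
            in_hunk = False          # a new file section begins
        elif line.startswith("@@"):
            in_hunk = True           # hunk body follows; its lines are content
        m = None if in_hunk else _PATH_LINE.match(line)
        if not m:
            continue
        header, path = m.group(1), m.group(2).split("\t")[0].strip()
        if path == "/dev/null":
            continue
        # ---/+++ lines carry an a/ or b/ prefix; rename/copy lines do not.
        if header in ("---", "+++") and path[:2] in ("a/", "b/"):
            path = path[2:]
        yield header, path


def escapes_root(root, path):
    """True if path, resolved relative to root, lands outside root."""
    root = os.path.realpath(root)
    # realpath also follows symlinks, so a link pointing out of root is caught.
    target = os.path.realpath(os.path.join(root, path))
    return os.path.commonpath([root, target]) != root


def check_patch(root, patch_text):
    """Return the (header, path) entries that leave the repository."""
    return [(h, p) for h, p in patch_paths(patch_text) if escapes_root(root, p)]


# Constructed sample: the patch body fed to "hg import" in the test case above.
SAMPLE = "diff --git a/a b/b\nrename from ../outside/foo\nrename to bar\n"

if __name__ == "__main__":
    for header, path in check_patch("inside", SAMPLE):
        print("rejected: %s %s" % (header, path))
```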


Comment 2 Dennis Gilmore 2009-03-19 19:38:40 UTC
mercurial-1.2-2.el4.1 and mercurial-1.2-2.el5.1  built and on the way to testing