Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2942 to the following vulnerability: Directory traversal vulnerability in patch.py in Mercurial 1.0.1 allows user-assisted attackers to modify arbitrary files via ".." (dot dot) sequences in a patch file.

Upstream patch (+ test case): http://www.selenic.com/hg/rev/87c704ac92d4

References: http://www.openwall.com/lists/oss-security/2008/06/30/1
Test case from upstream commit:

    echo % 'test paths outside repo root'
    mkdir outside
    touch outside/foo
    hg init inside
    cd inside
    hg import - <<EOF
    diff --git a/a b/b
    rename from ../outside/foo
    rename to bar
    EOF
    cd ..

This should affect all Fedora / EPEL versions. Security implications are quite minimal though (see also oss-security thread).
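The upstream test case exercises exactly the check a patch importer needs: every path named in a git-style diff header ("diff --git", "rename from/to", "copy from/to", "---"/"+++") must resolve to a location under the repository root before anything is written. The following is an added, stand-alone Python example written for this bug entry; it is not Mercurial's patch.py and not the upstream fix. It assumes git-style headers as shown in the test case above, uses a constructed repository root of "/repo" and embeds the test-case patch as constructed sample input, so it runs offline.

```python
import posixpath

# Constructed sample: the upstream test-case patch quoted in this bug entry,
# a git-style rename whose source path escapes the repository root.
SAMPLE_PATCH = """\
diff --git a/a b/b
rename from ../outside/foo
rename to bar
"""

# Constructed sample: a rename that stays inside the repository.
SAFE_PATCH = """\
diff --git a/a b/b
rename from a
rename to b
"""

# Git-style header lines that carry a repository-relative path.
# "--- /dev/null" / "+++ /dev/null" (new or deleted files) do not match
# these prefixes and are therefore ignored, which is the intent.
_PATH_PREFIXES = (
    "rename from ", "rename to ",
    "copy from ", "copy to ",
    "--- a/", "+++ b/",
)


def patch_paths(patch_text):
    """Yield every path named by a git-style header line in patch_text.

    The 'diff --git a/X b/Y' line is split into its two paths as well.
    Assumption (illustrative only): paths contain no spaces.
    """
    for line in patch_text.splitlines():
        if line.startswith("diff --git "):
            parts = line[len("diff --git "):].split(" ")
            if len(parts) == 2:
                for part in parts:
                    # Strip the conventional a/ and b/ prefixes.
                    if part[:2] in ("a/", "b/"):
                        part = part[2:]
                    yield part
            continue
        for prefix in _PATH_PREFIXES:
            if line.startswith(prefix):
                yield line[len(prefix):]
                break


def is_inside_root(root, relpath):
    """Return True only if relpath, resolved against root, stays under root.

    Absolute paths and empty paths are rejected outright; '..' components
    are resolved with normpath, so 'sub/../x' is accepted (it resolves to
    'x') while 'sub/../../x' is rejected (it resolves above root).
    """
    if not relpath or posixpath.isabs(relpath):
        return False
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, relpath))
    prefix = root if root.endswith("/") else root + "/"
    return target == root or target.startswith(prefix)


def unsafe_paths(patch_text, root="/repo"):
    """Return the header paths in patch_text that would escape root."""
    return [p for p in patch_paths(patch_text) if not is_inside_root(root, p)]


if __name__ == "__main__":
    for name, text in (("SAMPLE_PATCH", SAMPLE_PATCH), ("SAFE_PATCH", SAFE_PATCH)):
        bad = unsafe_paths(text)
        verdict = "REJECT: %s" % ", ".join(bad) if bad else "ok"
        print("%s -> %s" % (name, verdict))
```

An importer would call `unsafe_paths()` on the whole patch and refuse the import if the list is non-empty, before touching the working directory; the check is on the normalized result, not on the literal presence of "..", so encodings such as "sub/../x" that stay inside the tree are not rejected spuriously.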
mercurial-1.2-2.el4.1 and mercurial-1.2-2.el5.1 built and on the way to testing