[Python-apps-team] Bug#500781: CVE-2008-4297: privilege escalation
Vincent Danjean
Vincent.Danjean at ens-lyon.org
Thu Oct 2 19:49:55 UTC 2008
Hi,
Steffen Joeris wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for mercurial.
>
> CVE-2008-4297[0]:
> | Mercurial before 1.0.2 does not enforce the allowpull permission
> | setting for a pull operation from hgweb, which allows remote attackers
> | to read arbitrary files from a repository via an "hg pull" request.
>
> I am not sure about the severity of this issue, could you please investigate it?
I saw it when mercurial 1.0.2 have been published. But I did not find any
specific changeset linked to this issue. If anyone (co-maintainer, user, ...)
can point me to the changeset, I can prepare a patch with it. I can also
package the whole 1.0.2 (I was waiting the lenny release to do it: RM
told me they would probably not accept this update without strong reasons [1]).
But, I'm sorry to tell that I will not have enough free time now to
look more closely to this issue and to search into the mercurial development
tree until a few weeks (too much real work for now).
Regards,
Vincent
[1] http://lists.debian.org/debian-release/2008/08/msg01341.html
--
Vincent Danjean GPG key ID 0x9D025E87 vdanjean at debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial pacakges: http://www-id.imag.fr/~danjean/deb.html#package
APT repo: deb http://perso.debian.org/~vdanjean/debian unstable main
More information about the Python-apps-team
mailing list