[Python-apps-team] Bug#500781: CVE-2008-4297: privilege escalation

Vincent Danjean Vincent.Danjean at ens-lyon.org
Thu Oct 2 19:49:55 UTC 2008


Steffen Joeris wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for mercurial.
> CVE-2008-4297[0]:
> | Mercurial before 1.0.2 does not enforce the allowpull permission
> | setting for a pull operation from hgweb, which allows remote attackers
> | to read arbitrary files from a repository via an "hg pull" request.
> I am not sure about the severity of this issue, could you please investigate it?

I saw it when mercurial 1.0.2 have been published. But I did not find any
specific changeset linked to this issue. If anyone (co-maintainer, user, ...)
can point me to the changeset, I can prepare a patch with it. I can also
package the whole 1.0.2 (I was waiting the lenny release to do it: RM
told me they would probably not accept this update without strong reasons [1]).
But, I'm sorry to tell that I will not have enough free time now to
look more closely to this issue and to search into the mercurial development
tree until a few weeks (too much real work for now).


[1] http://lists.debian.org/debian-release/2008/08/msg01341.html

Vincent Danjean       GPG key ID 0x9D025E87         vdanjean at debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A  8A94 0BF7 7867 9D02 5E87
Unofficial pacakges: http://www-id.imag.fr/~danjean/deb.html#package
APT repo:  deb http://perso.debian.org/~vdanjean/debian unstable main

More information about the Python-apps-team mailing list