[Python-apps-team] Bug#500781: CVE-2008-4297: privilege escalation

Nico Golde nion at debian.org
Fri Oct 3 13:04:28 UTC 2008

Hi Steffen,
* Steffen Joeris <steffen.joeris at skolelinux.de> [2008-10-01 15:59]:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for mercurial.
> CVE-2008-4297[0]:
> | Mercurial before 1.0.2 does not enforce the allowpull permission
> | setting for a pull operation from hgweb, which allows remote attackers
> | to read arbitrary files from a repository via an "hg pull" request.
> I am not sure about the severity of this issue, could you please investigate it?

I'd say grave would be appropriate as the repository could 
contain sensitive information that should not be pulled. The 
only thing with that is that hgweb itself is not shipped 
within the Debian package but I guess a lot of people are 
using the source package to extract the cgi script anyway.

Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/python-apps-team/attachments/20081003/c30c9a84/attachment.pgp 

More information about the Python-apps-team mailing list