[Python-apps-team] Bug#500781: Bug#500781: CVE-2008-4297: privilege escalation

Vincent Danjean Vincent.Danjean at ens-lyon.org
Fri Oct 3 13:31:46 UTC 2008

Nico Golde wrote:
> Hi Steffen,
> * Steffen Joeris <steffen.joeris at skolelinux.de> [2008-10-01 15:59]:
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for mercurial.
>> CVE-2008-4297[0]:
>> | Mercurial before 1.0.2 does not enforce the allowpull permission
>> | setting for a pull operation from hgweb, which allows remote attackers
>> | to read arbitrary files from a repository via an "hg pull" request.
>> I am not sure about the severity of this issue, could you please investigate it?
> I'd say grave would be appropriate as the repository could 
> contain sensitive information that should not be pulled. The 
> only thing with that is that hgweb itself is not shipped 
> within the Debian package but I guess a lot of people are 
> using the source package to extract the cgi script anyway.

hgweb is not setup by default (because it needs manual editions)
But hgweb.cgi, hgwebdir.cgi, and hgwebdir.fcgi are installed in


> Cheers
> Nico
> ------------------------------------------------------------------------
> _______________________________________________
> Python-apps-team mailing list
> Python-apps-team at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/python-apps-team

Vincent Danjean       GPG key ID 0x9D025E87         vdanjean at debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A  8A94 0BF7 7867 9D02 5E87
Unofficial pacakges: http://www-id.imag.fr/~danjean/deb.html#package
APT repo:  deb http://perso.debian.org/~vdanjean/debian unstable main

More information about the Python-apps-team mailing list