[Python-apps-team] Bug#773640: CVE-2014-9390: Errors in handling case-sensitive directories allow for remote code execution on pull

Javi Merino vicho at debian.org
Sun Dec 21 11:38:02 UTC 2014

Package: mercurial
Version: 3.1.2-1
Severity: important
Tags: security upstream

CVE-2014-9390[0][1] is a security vulnerability that affects mercurial
repositories in a case-sensitive filesystem (e.g. VFAT or HFS+).  It
allows for remote code execution of a specially crafted repository.
This is less severe for the average Debian installation as they are
usually set up with case-insensitive filesystems.

[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
[1] https://security-tracker.debian.org/tracker/CVE-2014-9390

This affects both Wheezy and Jessie.

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mercurial depends on:
ii  libc6             2.19-13
ii  mercurial-common  3.1.2-1
ii  python            2.7.8-2
ii  ucf               3.0030

Versions of packages mercurial recommends:
ii  openssh-client  1:6.7p1-3

Versions of packages mercurial suggests:
pn  kdiff3 | kdiff3-qt | kompare | meld | tkcvs | mgdiff  <none>
pn  qct                                                   <none>

-- no debconf information
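As an added defensive example (not part of this bug report and not Mercurial's own code), the Python 3 script below flags the class of path the CVE is about: entries in an incoming changeset that, once case-folded and stripped of ignorable code points, land inside a VCS metadata directory or collide with another tracked path. `PROTECTED_DIRS`, `SHORTNAME_ALIAS`, `canonical`, `find_unsafe_paths` and the sample manifest are constructed assumptions for illustration.

```python
import re
import unicodedata

# Constructed assumption: metadata directories whose contents a VCS acts on.
# Mercurial reads .hg/hgrc during pull; Git's counterpart is .git/config.
PROTECTED_DIRS = {".hg", ".git"}
# Windows 8.3 short-name pattern NTFS may generate for those directories
# (leading dot dropped): HG~1, GIT~1.
SHORTNAME_ALIAS = re.compile(r"(hg|git)~\d+")


def canonical(segment):
    """Fold one path segment the way a case-insensitive, normalising
    filesystem compares it: NFC-normalise, drop Unicode format (Cf) code
    points such as U+200C, which HFS+ ignores when matching names (an
    approximation of the HFS+ ignorable set), then case-fold."""
    nfc = unicodedata.normalize("NFC", segment)
    visible = "".join(ch for ch in nfc if unicodedata.category(ch) != "Cf")
    return visible.casefold()


def find_unsafe_paths(paths):
    """Return (path, reason) for each tracked path that, on a case-insensitive
    filesystem, would be written into a protected metadata directory or
    collide with another tracked path. Intended to run over an incoming
    changeset's file list before anything is written to disk."""
    findings = []
    seen = {}  # folded path -> first original path that maps to it
    for path in paths:
        folded = [canonical(p) for p in path.split("/")]
        top = folded[0]
        if top in PROTECTED_DIRS:
            findings.append((path, "writes into %s on a case-insensitive filesystem" % top))
        elif SHORTNAME_ALIAS.fullmatch(top):
            findings.append((path, "8.3 short-name alias of a metadata directory"))
        key = "/".join(folded)
        if key in seen:
            findings.append((path, "case-folds to the same name as %s" % seen[key]))
        else:
            seen[key] = path
    return findings


# Constructed manifest of a hostile changeset; not taken from the bug report.
SAMPLE_MANIFEST = [
    "README",
    "src/main.py",
    "src/Main.py",          # collides with src/main.py once case-folded
    ".Hg/hgrc",             # becomes .hg/hgrc on VFAT/HFS+/NTFS
    ".g\u200cit/config",    # zero-width non-joiner hides ".git" from a naive compare
    "HG~1/hgrc",            # 8.3 alias NTFS may resolve to .hg
]

if __name__ == "__main__":
    for path, reason in find_unsafe_paths(SAMPLE_MANIFEST):
        print("%-22r %s" % (path, reason))
```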
