[Python-apps-team] Bug#773640: CVE-2014-9390: Errors in handling case-sensitive directories allow for remote code execution on pull

Javi Merino vicho at debian.org
Sun Dec 21 12:09:57 UTC 2014

On Sun, Dec 21, 2014 at 12:38:02PM +0100, Javi Merino wrote:
> Package: mercurial
> Version: 3.1.2-1
> Severity: important
> Tags: security upstream
> CVE-2014-9390[0][1] is a security vulnerability that affects mercurial
> repositories in a case-sensitive filesystem (eg. VFAT or HFS+).  It
> allows for remote code execution of a specially crafted repository.
> This is less severe for the average Debian installation as they are
> usually set up with case-insensitive filesystems.
> [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
> [1] https://security-tracker.debian.org/tracker/CVE-2014-9390
> This affects both Wheezy and Jessie.

In Ubuntu[0] they've fixed it by applying the following patches:

- http://selenic.com/repo/hg-stable/rev/035434b407be
- http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
- http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
- http://selenic.com/repo/hg-stable/rev/7a5bcd471f2e
- http://selenic.com/repo/hg-stable/rev/6dad422ecc5a

[0] https://bugs.launchpad.net/ubuntu/+source/git/+bug/1404035
[1] https://launchpadlibrarian.net/193058010/mercurial_3.1.2-1ubuntu1_source.changes

I'm working on applying the same patches.

More information about the Python-apps-team mailing list