[Python-apps-team] Bug#773640: CVE-2014-9390: Errors in handling case-sensitive directories allow for remote code execution on pull
vicho at debian.org
Sun Dec 21 12:09:57 UTC 2014
On Sun, Dec 21, 2014 at 12:38:02PM +0100, Javi Merino wrote:
> Package: mercurial
> Version: 3.1.2-1
> Severity: important
> Tags: security upstream
> CVE-2014-9390 is a security vulnerability that affects Mercurial
> repositories in a case-sensitive filesystem (e.g. VFAT or HFS+). It
> allows for remote code execution of a specially crafted repository.
> This is less severe for the average Debian installation as they are
> usually set up with case-insensitive filesystems.
>  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
>  https://security-tracker.debian.org/tracker/CVE-2014-9390
> This affects both Wheezy and Jessie.
In Ubuntu they've fixed it by applying the following patches:
I'm working on applying the same patches.