[Python-apps-team] Bug#927674: CVE-2019-3902

Moritz Muehlenhoff jmm at debian.org
Sat Apr 20 23:32:13 BST 2019


Source: mercurial
Version: 4.8.2-1
Severity: grave
Tags: security

See https://www.mercurial-scm.org/wiki/WhatsNew from 4.9:

This was assigned CVE-2019-3902:
It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking
logic and write files outside a repository. This has been fixed. Users on older versions
can either disable subrepositories with [subrepos] allowed=false in their configuration
or ensure that any cloned repositories don't contain malicious symlinks.

This is fixed in sid, but buster still has 4.8.2.

Cheers,
        Moritz
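The report names two workarounds for users stuck on a pre-4.9 Mercurial: the [subrepos] allowed=false setting, and checking that clones contain no symlinks that escape the repository. The script below is an added example (it is not part of this bug report, of Mercurial, or of the Debian package) that implements the second check with only the standard library: it walks a clone's working directory and lists every symlink whose fully resolved target lies outside the repository root, and it also lists the subrepository declarations found in .hgsub so they can be reviewed alongside the symlinks. The sample clone layout, the example.invalid URL and the HGRC_MITIGATION string's placement are constructed here for illustration; only the [subrepos] section and allowed key come from the report.

```python
"""Audit a Mercurial clone for symlinks that resolve outside the repository
root and list its declared subrepositories (added example, not Mercurial code)."""
import os
import tempfile
from pathlib import Path

# Workaround 1 from the report: disable subrepositories in the hgrc. The section
# and key are from the report; where the hgrc lives is the user's choice.
HGRC_MITIGATION = "[subrepos]\nallowed = false\n"


def escaping_symlinks(repo_root):
    """Return the relative paths (strings) of symlinks under repo_root whose
    fully resolved target is not inside repo_root. The .hg directory is skipped
    and symlinked directories are not descended into (os.walk default)."""
    root = Path(os.path.realpath(repo_root))
    escaping = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".hg"]
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            # realpath follows every link in the chain, including absolute
            # targets and '..' components, so the comparison is against the
            # final filesystem location rather than the literal link text.
            target = Path(os.path.realpath(link))
            try:
                target.relative_to(root)
            except ValueError:
                escaping.append(str(link.relative_to(root)))
    return sorted(escaping)


def declared_subrepos(repo_root):
    """Parse .hgsub (one 'path = source' per line) into (path, source) tuples
    so the subrepository declarations of a clone can be reviewed by hand."""
    hgsub = Path(repo_root) / ".hgsub"
    if not hgsub.is_file():
        return []
    entries = []
    for line in hgsub.read_text().splitlines():
        if "=" not in line:
            continue
        path, source = (part.strip() for part in line.split("=", 1))
        if path:
            entries.append((path, source))
    return entries


def audit(repo_root):
    """Combine both checks into one report dictionary."""
    return {
        "escaping_symlinks": escaping_symlinks(repo_root),
        "subrepos": declared_subrepos(repo_root),
    }


def build_sample_repo():
    """Construct a fake clone in a temporary directory: one benign symlink that
    stays inside the clone, one symlink that resolves to a sibling directory
    outside it, and one subrepo declaration. Returns the clone path.
    (Constructed sample data for this example; requires symlink support.)"""
    base = Path(tempfile.mkdtemp(prefix="hg-audit-"))
    (base / "outside").mkdir()
    repo = base / "clone"
    (repo / ".hg").mkdir(parents=True)
    (repo / "docs").mkdir()
    (repo / "README").write_text("sample\n")
    os.symlink("README", repo / "safe")                # stays inside the clone
    os.symlink("../../outside", repo / "docs" / "evil")  # resolves outside it
    (repo / ".hgsub").write_text("vendor/lib = https://example.invalid/lib\n")
    return str(repo)


if __name__ == "__main__":
    sample = build_sample_repo()
    print(audit(sample))
    # Expected: {'escaping_symlinks': ['docs/evil'],
    #            'subrepos': [('vendor/lib', 'https://example.invalid/lib')]}
```

Run it against a real clone with audit("/path/to/clone"); an empty escaping_symlinks list means no link in the working directory points outside the repository root, which is what the report's second workaround asks users to verify. The check only covers the working directory as checked out, so it should be repeated after every update that could add symlinks.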
