Mercurial is vulnerable to arbitrary file write attacks. Symlinks and subrepositories can be used together to bypass path-checking validation, allowing files to be written outside of the repository.
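
The kind of path check this bug class defeats, shown as an added defensive example; it is not Mercurial's code or its fix. The names `audit_path`, `UnsafePath` and `demo` are hypothetical, and the directory layout is constructed for the demonstration.

```python
import os
import tempfile


class UnsafePath(Exception):
    """Raised when a repository-relative path could escape the working copy."""


def audit_path(root, relpath):
    """Return the absolute target for relpath, or raise UnsafePath.

    Checks every component below root and refuses symlinks, so a
    tracked symlink cannot stand in for a subrepository directory.
    """
    if os.path.isabs(relpath):
        raise UnsafePath("absolute path: %s" % relpath)
    parts = relpath.replace("\\", "/").split("/")  # treat both separators alike
    if any(p in ("", ".", "..") for p in parts):
        raise UnsafePath("non-canonical component in: %s" % relpath)
    base = os.path.realpath(root)
    current = base
    for part in parts:
        current = os.path.join(current, part)
        if os.path.islink(current):
            raise UnsafePath("symlink in path: %s" % current)
    # Defence in depth: the resolved target must still sit under the root.
    if os.path.commonpath([base, os.path.realpath(current)]) != base:
        raise UnsafePath("resolves outside repository: %s" % relpath)
    return current


def demo():
    """Constructed layout: 'sub' is a symlink to a directory outside the repo."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "repo")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(repo, "realsub"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(repo, "sub"))
        results = {}
        for rel in ("realsub/file.txt", "sub/file.txt", "../outside/x", "/etc/x"):
            try:
                audit_path(repo, rel)
                results[rel] = "ok"
            except UnsafePath:
                results[rel] = "rejected"
        return results
```

A check like this and the write that follows are separate steps, so it has to run immediately before each write rather than once per operation.
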

Name | Operator | Version |
---|---|---|
mercurial | le | 4.9rc0 |
mercurial:stretch | eq | 4.0-1+deb9u1 |
mercurial:bionic | eq | 4.5.3-1ubuntu2 |
mercurial:bionic | eq | 4.5.3-1ubuntu2.1 |

bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3902
lists.debian.org/debian-lts-announce/2019/04/msg00024.html
lists.debian.org/debian-lts-announce/2020/07/msg00032.html
usn.ubuntu.com/4086-1/
www.mercurial-scm.org/repo/hg/rev/6c10eba6b9cd
www.mercurial-scm.org/repo/hg/rev/83377b4b4ae0
www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9
www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29