oss-sec mailing list archives
Re: CVE id request mercurial:Insufficient input validation
From: "Steven M. Christey" <coley () linus mitre org>
Date: Mon, 30 Jun 2008 15:21:15 -0400 (EDT)
Out of curiosity, what attack scenarios exist for this issue? If an attacker has control over the patch already, then code execution on the system already seems likely. Or is the impact mostly limited to "compile farms" and limited-access user accounts?

- Steve

======================================================
Name: CVE-2008-2942
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2942
Reference: CONFIRM:http://www.selenic.com/hg/rev/87c704ac92d4
Reference: MLIST:[oss-security] 20080630 CVE id request mercurial:Insufficient input validation
Reference: URL:http://www.openwall.com/lists/oss-security/2008/06/30/1

Directory traversal vulnerability in patch.py in Mercurial 1.0.1 allows user-assisted attackers to modify arbitrary files via ".." (dot dot) sequences in a patch file.
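
The kind of check the CVE description implies, as an added example (not Mercurial's code and not the fix referenced above): collect the target paths from a patch's file headers and refuse any that resolve outside the working directory before anything is written. The function names, the sample patch and the root path are constructed for illustration.

```python
import os
import re

# Constructed sample: the second file header climbs out of the working directory.
SAMPLE_PATCH = """\
--- a/src/util.py
+++ b/src/util.py
@@ -1 +1 @@
-old
+new
--- a/../../home/user/.profile
+++ b/../../home/user/.profile
@@ -1 +1 @@
-old
+new
"""
SAMPLE_ROOT = "/srv/repo"  # constructed path; it does not need to exist

# File headers, name taken up to a tab (timestamp separator) or end of line.
# A removed hunk line that starts with "-- " also matches; that only adds a
# path to check.
HEADER = re.compile(r"^(?:---|\+\+\+) ([^\t\n]+)", re.M)


def patch_targets(patch_text, strip=1):
    """Paths named in ---/+++ headers, minus `strip` leading components (like patch -p1)."""
    targets = []
    for raw in HEADER.findall(patch_text):
        if raw == "/dev/null":  # marks file creation or deletion, not a target
            continue
        path = raw.split("/", strip)[-1] if strip else raw
        if path not in targets:
            targets.append(path)
    return targets


def is_inside(root, relpath):
    """True only if relpath, resolved against root (symlinks included), stays under root."""
    if os.path.isabs(relpath):
        return False
    root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root, relpath))
    return os.path.commonpath([root, full]) == root


def unsafe_targets(patch_text, root):
    """Targets that must be refused before any file is opened for writing."""
    return [p for p in patch_targets(patch_text) if not is_inside(root, p)]
```

A caller would abort the whole import when `unsafe_targets` returns a non-empty list, rather than skipping individual files.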