[3.7] mercurial: Path-checking logic bypass via symlinks and subrepositories (CVE-2019-3902)
A flaw was found in Mercurial before 4.9. It was possible to use
symlinks and subrepositories
to defeat Mercurial’s path-checking logic and write files outside a
repository.
This issue affects Mercurial version from 1.5.3 up to 4.8.2.
Fixed In Version:
mercurial 4.9
References:
https://www.mercurial-scm.org/wiki/WhatsNew\#Mercurial\_4.9\_.282019-02-01.29
https://nvd.nist.gov/vuln/detail/CVE-2019-3902
Patches:
https://www.mercurial-scm.org/repo/hg/rev/6c10eba6b9cd
https://www.mercurial-scm.org/repo/hg/rev/31286c9282df
https://www.mercurial-scm.org/repo/hg/rev/83377b4b4ae0
(from redmine: issue id 10376, created on 2019-04-29)
- Relations:
- parent #10372
To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information