Opened Apr 29, 2019 by Alicha CH (@alicha, Reporter)

[3.7] mercurial: Path-checking logic bypass via symlinks and subrepositories (CVE-2019-3902)

A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories
to defeat Mercurial’s path-checking logic and write files outside a repository.

This issue affects Mercurial versions from 1.5.3 up to 4.8.2.

Fixed In Version:

mercurial 4.9

References:

https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29
https://nvd.nist.gov/vuln/detail/CVE-2019-3902

Patches:

https://www.mercurial-scm.org/repo/hg/rev/6c10eba6b9cd
https://www.mercurial-scm.org/repo/hg/rev/31286c9282df
https://www.mercurial-scm.org/repo/hg/rev/83377b4b4ae0

(from redmine: issue id 10376, created on 2019-04-29)

  • Relations:
    • parent #10372
Milestone: 3.7.4
Reference: alpine/aports#10376