[Python-apps-team] Bug#500781: Bug#500781: CVE-2008-4297: privilege escalation
Vincent Danjean
Vincent.Danjean at ens-lyon.org
Fri Oct 3 13:31:46 UTC 2008
Nico Golde wrote:
> Hi Steffen,
> * Steffen Joeris <steffen.joeris at skolelinux.de> [2008-10-01 15:59]:
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for mercurial.
>>
>> CVE-2008-4297[0]:
>> | Mercurial before 1.0.2 does not enforce the allowpull permission
>> | setting for a pull operation from hgweb, which allows remote attackers
>> | to read arbitrary files from a repository via an "hg pull" request.
>>
>> I am not sure about the severity of this issue, could you please investigate it?
>
> I'd say grave would be appropriate as the repository could
> contain sensitive information that should not be pulled. The
> only thing with that is that hgweb itself is not shipped
> within the Debian package but I guess a lot of people are
> using the source package to extract the cgi script anyway.
hgweb is not setup by default (because it needs manual editions)
But hgweb.cgi, hgwebdir.cgi, and hgwebdir.fcgi are installed in
/usr/share/doc/mercurial/examples/
Regards,
Vincent
> Cheers
> Nico
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Python-apps-team mailing list
> Python-apps-team at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/python-apps-team
--
Vincent Danjean GPG key ID 0x9D025E87 vdanjean at debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial pacakges: http://www-id.imag.fr/~danjean/deb.html#package
APT repo: deb http://perso.debian.org/~vdanjean/debian unstable main
More information about the Python-apps-team
mailing list