Mercurial 4.3 and 4.2.3 released
Augie Fackler
raf at durin42.com
Fri Aug 11 13:18:54 UTC 2017
> On Aug 11, 2017, at 05:10, Dr Rainer Woitok <rainer.woitok at gmail.com> wrote:
>
> Augie,
>
> On Thursday, 2017-08-10 14:11:52 -0400, you wrote:
>
>> ...
>>> CVE-2017-1000115:
>>>
>>> Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
>
> What precisely does that mean? Is it no longer possible to have a version
> controlled symbolic link somewhere in the working directory which
> points to some place outside the Mercurial repository? Some of my
> repositories heavily depend on this :-(
>
> I searched the web for "CVE-2017-1000115", but found neither a detailed
> description of the problem nor of the solution.
>
> Anybody caring to shed some light on this?
You can still have a symlink that points outside the repo, that's fine. We just now adequately sanitize things and avoid accidental writes to outside the repository tree.
> Sincerely,
> Rainer
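As an added illustration of the distinction Augie draws (example code written for this page, not Mercurial's own path auditor), the check below lets a versioned symlink that points outside the working directory exist, but refuses to write a file whose path passes through such a symlink, since that write would land outside the repository tree. It assumes a POSIX filesystem with symlink support; the directory layout is constructed inside a temporary directory.

```python
import os
import tempfile


def audit_write_path(repo_root, rel_path):
    """Return True if writing rel_path under repo_root stays inside the tree.

    Every intermediate component is checked: if one is a symlink, the write
    is refused, because following it could land anywhere on the filesystem.
    A symlink as the final component is fine: it is replaced, not followed.
    """
    if os.path.isabs(rel_path):
        return False
    parts = [p for p in rel_path.split('/') if p not in ('', '.')]
    if '..' in parts:
        return False
    cur = os.path.realpath(repo_root)
    for part in parts[:-1]:
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            return False
    return True


def demo():
    """Build a constructed tree and audit a few paths against it:
    repo/escape -> <base>/outside   (a versioned symlink leaving the repo)
    """
    base = tempfile.mkdtemp()
    repo = os.path.join(base, 'repo')
    outside = os.path.join(base, 'outside')
    os.mkdir(repo)
    os.mkdir(outside)
    os.symlink(outside, os.path.join(repo, 'escape'))
    # where a naive write of repo/escape/owned.txt would really end up
    landing = os.path.realpath(os.path.join(repo, 'escape', 'owned.txt'))
    return {
        # ordinary file in the working tree: allowed
        'plain_file': audit_write_path(repo, 'src/main.c'),
        # (re)creating the symlink itself: allowed, it is not followed
        'symlink_itself': audit_write_path(repo, 'escape'),
        # a file whose path goes through the symlink: refused
        'through_symlink': audit_write_path(repo, 'escape/owned.txt'),
        # classic traversal: refused
        'dotdot': audit_write_path(repo, '../outside/x'),
        # proof that the refused write would have left the repo
        'resolved_outside': not landing.startswith(
            os.path.realpath(repo) + os.sep),
    }
```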