CVE-2008-2942 — Mercurial Directory traversal vulnerability

Description

Directory traversal vulnerability in patch.py in Mercurial 1.0.1 allows user-assisted attackers to modify arbitrary files via ".." (dot dot) sequences in a patch file.

How to fix CVE-2008-2942

To remediate CVE-2008-2942, upgrade the affected package to a fixed version below.

Debian/mercurial—upgrade to 1.0.1-2 or later
PyPI/mercurial—upgrade to 1.0.2 or later

Is CVE-2008-2942 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.0.1-2
from 0, < 1.0.2

References (16)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2008-2942
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2008-2942
PATCHgithub.com/dscho/hg
WEBlists.opensuse.org/opensuse-security-announce/2008-07/msg00006.html
WEB