A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
| Link | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3902 | issue tracking vendor advisory |
| https://lists.debian.org/debian-lts-announce/2019/04/msg00024.html | third party advisory mailing list |
| https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29 | third party advisory |
| https://usn.ubuntu.com/4086-1/ | vendor advisory |
| https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html | mailing list |