Monotone MT File Arbitrary Code Execution Vulnerability

Bugtraq ID:	17139
Class:	Design Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 17 2006 12:00AM
Updated:	Mar 20 2006 04:44PM
Credit:	This issue was disclosed by the vendor.
Vulnerable:	Monotone Monotone 0.25
Not Vulnerable:	Monotone Monotone 0.25.2

Monotone MT File Arbitrary Code Execution Vulnerability


Monotone is prone to an arbitrary code-execution vulnerability. This issue is due to a design error in the application.

An attacker can exploit this issue to have arbitrary Lua code executed in the context of the victim user running the affected application.

This issue affects Monotone only on case-insensitive filesystems such as Microsoft Windows and Apple Mac OS X.

Monotone MT File Arbitrary Code Execution Vulnerability

This issue can be exploited via a client application for Monotone.

Monotone MT File Arbitrary Code Execution Vulnerability

Solution:
The vendor has released version 0.25.2 to address this issue. Contact the vendor for further information on obtaining and applying the appropriate updates.


Monotone Monotone 0.25

• Monotone monotone-0.25.2.tar.gz
  http://venge.net/monotone/downloads/monotone-0.25.2.tar.gz

Monotone MT File Arbitrary Code Execution Vulnerability

References:

• [Monotone-devel] [ANNOUNCE] Monotone 0.25.2 -- security fix release (Monotone)
  
• Monotone Homepage (Monotone)