[Monotone-devel] [ANNOUNCE] Monotone 0.25.2 -- security fix release

From: Nathaniel Smith
Subject: [Monotone-devel] [ANNOUNCE] Monotone 0.25.2 -- security fix release
Date: Wed, 8 Mar 2006 21:39:58 -0800
User-agent: Mutt/1.5.11

Monotone 0.25.2 has been released, and is now available at the usual
Also as usual, binaries will become available as I receive them.


The only change in this release as compared to 0.25 is a security fix.
In monotone 0.25 and earlier, if a user created a file inside a
directory named "mt", and that file was checked out on a
case-insensitive filesystem, then the file would end up in monotone's
"MT" bookkeeping directory.  This could have a variety of annoying
effects, the most dangerous being the creation of a file
"MT/monotonerc"; any monotone command run inside of the working copy
reads this file, and it may contain arbitrary code written in the Lua
programming language.

The exposure created by this bug is similar to that taken on by a user
who habitually runs 'monotone pull; monotone update; make' without
reviewing changes -- in either case, other committers may cause them
to run arbitrary code on their own computer.  Review of patches,
however, should quickly discover such irregularities.

Bottom line

If you are using monotone on Windows or OS X, upgrading is

The following activities are NOT affected by this issue:
  -- running a public monotone server
  -- running monotone on a case-sensitive filesystem (i.e., most unix
Such users may upgrade or not; it makes little difference.


Some may be curious why this is 0.25.2, rather than 0.25.1 -- the
reason is that name "0.25.1" was used for a rebuild of the 0.25
windows installer, which was originally built in a way that made it
incompatible with WinNT 4.

-- Nathaniel
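As an added defender-side illustration, not part of this announcement or of monotone's own code: a check that flags working-copy paths whose first component would collide, case-insensitively, with the "MT" bookkeeping directory, which is the condition the fix addresses. The manifest paths below are constructed; the function name and the `case_insensitive` switch are this example's own.

```python
# Added example (not monotone's code): detect manifest paths that would be
# checked out into the "MT" bookkeeping directory on a case-insensitive
# filesystem (e.g. "mt/monotonerc"), the bug fixed in monotone 0.25.2.
from __future__ import annotations
import posixpath

BOOKKEEPING_DIR = "MT"  # monotone 0.25's bookkeeping directory name

# Constructed sample manifest for demonstration only.
SAMPLE_MANIFEST = [
    "src/main.cc",
    "mt/monotonerc",        # lands in MT/ on case-insensitive filesystems
    "MT/revision",          # collides everywhere
    "Mt/options",
    "docs/mt/readme",       # "mt" is not the first component: harmless
    "src/../mt/hooks.lua",  # normalises to mt/hooks.lua
]


def _components(path: str) -> list[str]:
    """Normalise separators and '..'/'.' and split into path components."""
    norm = posixpath.normpath(path.replace("\\", "/"))
    return [c for c in norm.split("/") if c not in ("", ".")]


def collides_with_bookkeeping(path: str, case_insensitive: bool = True) -> bool:
    """True if `path` would land inside the bookkeeping dir on checkout.

    With case_insensitive=False only an exact "MT" first component matches,
    which is the situation on most case-sensitive unix filesystems.
    """
    comps = _components(path)
    if not comps:
        return False
    first = comps[0]
    if case_insensitive:
        return first.casefold() == BOOKKEEPING_DIR.casefold()
    return first == BOOKKEEPING_DIR


def find_unsafe_paths(paths, case_insensitive: bool = True) -> list[str]:
    """Return the manifest entries that should be rejected before checkout."""
    return [p for p in paths if collides_with_bookkeeping(p, case_insensitive)]


if __name__ == "__main__":
    for p in find_unsafe_paths(SAMPLE_MANIFEST):
        print("would enter bookkeeping dir:", p)
```

Running the check against a manifest before checkout, with the case-insensitive setting chosen for the target filesystem, is the mitigation; on a case-sensitive filesystem the same manifest only trips on the exact "MT" entry.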