Microsoft · Windows · CVE-2006-1166
**Name of the Vulnerable Software and Affected Versions**
Monotone versions 0.25 and earlier
**Description**
The issue allows context-dependent attackers to execute arbitrary Lua programs as the user running the software. This occurs when a user creates a file in a directory called "mt" and the file is checked out on a case-insensitive file system, such as Windows or Mac OS X. Such a file system treats "mt" and "MT" as the same name, so the file is placed into the "MT" bookkeeping directory.
**Recommendations**
For Monotone versions 0.25 and earlier, consider avoiding the creation of files in directories named "mt" on case-insensitive file systems until a fix is available. As a temporary workaround, restrict access to the "MT" bookkeeping directory to minimize the risk of exploitation.
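A pre-checkout check for the condition described above, as an added example that is not Monotone's own code: it flags paths whose leading directory case-folds to the "MT" bookkeeping name and, going beyond the single case in this advisory, reports any paths that would merge on a case-insensitive file system. The function names, the sample path list, and the placement of "MT" at the workspace root are assumptions.

```python
from pathlib import PurePosixPath

BOOKKEEPING_DIR = "MT"  # bookkeeping directory name given in the advisory


def _components(path):
    """Split a path into components, accepting forward or back slashes."""
    parts = PurePosixPath(path.replace("\\", "/")).parts
    return [p for p in parts if p != "/"]


def bookkeeping_collisions(paths, reserved=BOOKKEEPING_DIR):
    """Return the paths whose first component folds to the reserved name.

    Assumption: the bookkeeping directory sits at the workspace root.
    str.casefold() approximates the file system's own case-folding rules.
    """
    hits = []
    for path in paths:
        parts = _components(path)
        if parts and parts[0].casefold() == reserved.casefold():
            hits.append(path)
    return hits


def case_fold_collisions(paths):
    """General case: groups of distinct paths that become one name
    on a case-insensitive file system."""
    groups = {}
    for path in paths:
        parts = _components(path)
        key = "/".join(p.casefold() for p in parts)
        groups.setdefault(key, set()).add("/".join(parts))
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample path list (not taken from any real repository).
SAMPLE = [
    "src/main.c",
    "mt/example.txt",
    "Mt\\notes.txt",
    "docs/mt/readme",
    "README",
    "readme",
]

if __name__ == "__main__":
    print("collides with bookkeeping dir:", bookkeeping_collisions(SAMPLE))
    print("case-fold collisions:", case_fold_collisions(SAMPLE))
```

Run it over the list of paths in a revision before checking that revision out on Windows or Mac OS X; any path in the first result would land inside the bookkeeping directory.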