Versions mentioned in the description apply to the upstream
Remediation section below for
Debian:9 relevant versions.
Directory traversal vulnerability in patch.py in Mercurial 1.0.1 allows user-assisted attackers to modify arbitrary files via ".." (dot dot) sequences in a patch file.
mercurial to version 1.0.1-2 or higher.