Updated mercurial packages fix security vulnerabilities
Publication date: 31 Aug 2018Modification date: 31 Aug 2018
Type: security
Affected Mageia releases : 5 , 6
CVE: CVE-2018-13346 , CVE-2018-13347 , CVE-2018-13348 , CVE-2018-1000132
Description
This update provides mercurial version 4.6.2 and fixes the following
security issues:
Fix the mpatch_apply function in mpatch.c that incorrectly proceeds in
cases where the fragment start is past the end of the original data
(CVE-2018-13346).
Fix mpatch.c that mishandles integer addition and subtraction
(CVE-2018-13347).
Fix the mpatch_decode function in mpatch.c that mishandles certain
situations where there should be at least 12 bytes remaining after
the current position in the patch data (CVE-2018-13348).
Remote attackers may bypass HTTP server permissions via batch wire
protocol commands(CVE-2018-1000132).
References
- https://bugs.mageia.org/show_bug.cgi?id=22895
- https://lists.opensuse.org/opensuse-updates/2018-04/msg00021.html
- https://lists.opensuse.org/opensuse-updates/2018-07/msg00057.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13346
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13347
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13348
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000132
SRPMS
5/core
- mercurial-4.6.2-1.mga5
6/core
- mercurial-4.6.2-1.mga6