Advisories » MGASA-2018-0355

Updated mercurial packages fix security vulnerabilities

Publication date: 31 Aug 2018
Type: security
Affected Mageia releases: 5, 6
CVE: CVE-2018-13346, CVE-2018-13347, CVE-2018-13348, CVE-2018-1000132


This update provides mercurial version 4.6.2 and fixes the following
security issues:

Fix the mpatch_apply function in mpatch.c that incorrectly proceeds in
cases where the fragment start is past the end of the original data.

Fix mpatch.c that mishandles integer addition and subtraction.

Fix the mpatch_decode function in mpatch.c that mishandles certain
situations where there should be at least 12 bytes remaining after
the current position in the patch data (CVE-2018-13348).

Remote attackers may bypass HTTP server permissions via batch wire
protocol commands (CVE-2018-1000132).
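
The three mpatch.c fixes above all come down to bounds and arithmetic checks on binary patch fragments. The following C example is added here for illustration and is not Mercurial's code or part of the advisory; it assumes each fragment is a 12-byte header of three big-endian 32-bit fields (start, end, len) followed by len data bytes, and the names check_patch, ok_patch and bad_start are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define HDR 12 /* assumed header: big-endian uint32 start, end, len */

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Checking pass only: returns 0 and the patched size in *out_len, or -1. */
int check_patch(const unsigned char *patch, size_t plen,
                size_t orig_len, size_t *out_len)
{
    size_t pos = 0, last = 0, total = 0;

    while (pos < plen) {
        if (plen - pos < HDR)            /* subtract: pos + 12 cannot wrap */
            return -1;
        uint32_t start = be32(patch + pos);
        uint32_t end = be32(patch + pos + 4);
        uint32_t len = be32(patch + pos + 8);
        pos += HDR;
        /* ordered, after the previous fragment, inside the original data */
        if (start > end || start < last || end > orig_len)
            return -1;
        if (len > plen - pos)            /* replacement bytes must be present */
            return -1;
        size_t kept = start - last;      /* safe: start >= last checked above */
        if (kept > SIZE_MAX - total || len > SIZE_MAX - total - kept)
            return -1;                   /* size sum would overflow */
        total += kept + len;
        pos += len;
        last = end;
    }
    if (orig_len - last > SIZE_MAX - total)  /* tail after the last fragment */
        return -1;
    *out_len = total + (orig_len - last);
    return 0;
}

/* Constructed samples: a valid fragment, and one starting past a 10-byte original. */
const unsigned char ok_patch[]  = {0,0,0,2, 0,0,0,4, 0,0,0,3, 'a','b','c'};
const unsigned char bad_start[] = {0,0,0,20, 0,0,0,20, 0,0,0,0};
```

Every length comparison is written as a subtraction from a known-good bound, so no intermediate sum can wrap before it is checked.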