FS#48821 - [mercurial] remote code execution in mercurial <= 3.7.2
Attached to Project:
Arch Linux
Opened by Remi Gacogne (rgacogne) - Tuesday, 05 April 2016, 22:17 GMT
Last edited by Antonio Rojas (arojas) - Wednesday, 06 April 2016, 06:23 GMT
Details
Hello,
Mercurial 3.7.3 has been released[1], fixing several security issues allowing remote code execution:

* CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
  Mercurial prior to 3.7.3 contained two bounds-checking errors in its binary delta decoder that may be exploitable via clone, push, or pull.

* CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
  Mercurial prior to 3.7.3 allowed URLs for Git subrepos that could result in arbitrary code execution on clone. This is a further side-effect of Git CVE-2015-7545. Reported by Blake Burkhart.

* CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos
  Mercurial prior to 3.7.3 allowed arbitrary code execution when converting Git repos with hostile names. This could affect automated conversion services. Reported by Blake Burkhart.

[1]: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29