Arch Linux

FS#48821 - [mercurial] remote code execution in mercurial <= 3.7.2

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Tuesday, 05 April 2016, 22:17 GMT
Last edited by Antonio Rojas (arojas) - Wednesday, 06 April 2016, 06:23 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: Antonio Rojas (arojas), Giovanni Scafora (giovanni), Anatol Pomozov (anatolik)
Architecture: All
Severity: Critical
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No



Mercurial 3.7.3 has been released[1], fixing several security issues allowing remote code execution:

* CVE-2016-3630 Mercurial: remote code execution in binary delta decoding

Mercurial prior to 3.7.3 contained two bounds-checking errors in its binary delta decoder that may be exploitable via clone, push, or pull.

* CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos

Mercurial prior to 3.7.3 allowed URLs for Git subrepos that could result in arbitrary code execution on clone. This is a further side-effect of Git CVE-2015-7545. Reported by Blake Burkhart.

* CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos

Mercurial prior to 3.7.3 allowed arbitrary code execution when converting Git repos with hostile names. This could affect automated conversion services. Reported by Blake Burkhart.
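As an added, defender-side illustration (not part of this report and not Mercurial's own code): Mercurial's binary delta is a sequence of hunks, each a 12-byte big-endian header (start, end, length) followed by `length` bytes of replacement data, and each hunk replaces base[start:end]. The decoder below applies such a delta while rejecting hunks whose offsets fall outside the base text, run backwards, or claim more data than the delta holds; the specific checks are my own choices for the example, not the upstream 3.7.3 fix.

```python
import struct

# Hunk header: start, end, length as big-endian signed 32-bit integers.
HUNK_HEADER = struct.Struct(">iii")


class MalformedDelta(ValueError):
    """Raised when a hunk would read or write outside the base text or delta."""


def apply_delta(base: bytes, delta: bytes) -> bytes:
    """Apply a Mercurial-style binary delta to `base` with bounds checks.

    Hunks must be in ascending, non-overlapping order; anything else is
    refused instead of being trusted as an index into memory.
    """
    out = bytearray()
    pos = 0      # next unconsumed offset in `base`
    cursor = 0   # next unconsumed offset in `delta`
    while cursor < len(delta):
        if len(delta) - cursor < HUNK_HEADER.size:
            raise MalformedDelta("truncated hunk header at delta offset %d" % cursor)
        start, end, length = HUNK_HEADER.unpack_from(delta, cursor)
        cursor += HUNK_HEADER.size
        if start < 0 or end < 0 or length < 0:
            raise MalformedDelta("negative field in hunk header")
        if start < pos or start > end or end > len(base):
            raise MalformedDelta("hunk range [%d:%d] invalid for base of %d bytes"
                                 % (start, end, len(base)))
        if len(delta) - cursor < length:
            raise MalformedDelta("hunk data truncated")
        out += base[pos:start]                 # copy untouched prefix
        out += delta[cursor:cursor + length]   # splice in replacement data
        cursor += length
        pos = end
    out += base[pos:]                          # copy untouched suffix
    return bytes(out)


def make_delta(hunks):
    """Encode (start, end, data) triples as a delta; used to build sample input."""
    return b"".join(HUNK_HEADER.pack(s, e, len(d)) + d for s, e, d in hunks)


# Constructed sample input: replace "world" with "Mercurial", then append "!".
BASE = b"hello world"
GOOD = make_delta([(6, 11, b"Mercurial"), (11, 11, b"!")])
# Constructed hostile input: an end offset far past the base text.
BAD = make_delta([(0, 0x7FFFFFFF, b"x")])

if __name__ == "__main__":
    print(apply_delta(BASE, GOOD))
    try:
        apply_delta(BASE, BAD)
    except MalformedDelta as exc:
        print("rejected:", exc)
```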


Closed by Antonio Rojas (arojas) on Wednesday, 06 April 2016, 06:23 GMT
Reason for closing: Fixed