UbuntuUpdates.org

Package "mercurial"

Name: mercurial

Description: easy-to-use, scalable distributed version control system

Latest version: 4.5.3-1ubuntu2.2
Release: bionic (18.04)
Level: security
Repository: universe
Homepage: https://www.mercurial-scm.org/

Other versions of "mercurial" in Bionic

Repository  Area      Version
base        universe  4.5.3-1ubuntu2
updates     universe  4.5.3-1ubuntu2.2

Changelog

Version: 4.5.3-1ubuntu2.2 2021-10-04 19:06:15 UTC

  mercurial (4.5.3-1ubuntu2.2) bionic-security; urgency=medium

  * SECURITY UPDATE: OOB reads
    - debian/patches/CVE-2018-17983.patch: fix OOB read of corrupted manifest
      entry in mercurial/cext/manifest.c.
    - CVE-2018-17983
  * SECURITY UPDATE: Write to arbitrary files outside a repository by using
    symlinks in subrepositories
    - debian/patches/CVE-2019-3902-pre.patch: subrepo: extend path auditing test
      to include more weird patterns (SEC)
    - debian/patches/CVE-2019-3902-1.patch: subrepo: prohibit variable
      expansion on creation of hg subrepo (SEC)
    - debian/patches/CVE-2019-3902-3.patch: subrepo: reject potentially unsafe
      subrepo paths (BC) (SEC)
    - CVE-2019-3902

 -- Leonidas Da Silva Barbosa <email address hidden> Fri, 01 Oct 2021 11:32:41 -0300

CVE-2018-17983 cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry.
CVE-2019-3902 A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write fil

Version: 4.5.3-1ubuntu2.1 2018-11-27 18:07:14 UTC

  mercurial (4.5.3-1ubuntu2.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Integer underflow and overflow.
    - debian/patches/CVE-2018-13347.patch: Protect against underflow.
    - debian/patches/CVE-2018-13347-extras.patch: Protect against overflow.
    - CVE-2018-13347
  * SECURITY UPDATE: Able to start fragment past the end of original data.
    - debian/patches/CVE-2018-13346.patch: Ensure fragment start is not past
      the end of orig.
    - CVE-2018-13346
  * SECURITY UPDATE: Data mishandling in certain situations.
    - debian/patches/CVE-2018-13348.patch: Be more careful about parsing
      binary patch data.
    - CVE-2018-13348

 -- Eduardo Barretto <email address hidden> Mon, 26 Nov 2018 17:38:17 -0200

CVE-2018-13347 mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.
CVE-2018-13346 The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the origina
CVE-2018-13348 The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining afte


