Package "mercurial-common"
Name: mercurial-common
Description: easy-to-use, scalable distributed version control system (common files)
Latest version: 4.5.3-1ubuntu2.2
Release: bionic (18.04)
Level: security
Repository: universe
Head package: mercurial
Homepage: https://www.mercurial-scm.org/
Changelog
mercurial (4.5.3-1ubuntu2.2) bionic-security; urgency=medium

  * SECURITY UPDATE: OOB reads
    - debian/patches/CVE-2018-17983.patch: fix OOB read of corrupted manifest
      entry in mercurial/cext/manifest.c.
    - CVE-2018-17983
  * SECURITY UPDATE: Write to arbitrary files outside a repository by using
    symlinks in subrepositories
    - debian/patches/CVE-2019-3902-pre.patch: subrepo: extend path auditing test
      to include more weird patterns (SEC)
    - debian/patches/CVE-2019-3902-1.patch: subrepo: prohibit variable
      expansion on creation of hg subrepo (SEC)
    - debian/patches/CVE-2019-3902-3.patch: subrepo: reject potentially unsafe
      subrepo paths (BC) (SEC)
    - CVE-2019-3902

 -- Leonidas Da Silva Barbosa <email address hidden> Fri, 01 Oct 2021 11:32:41 -0300
CVE-2018-17983
cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry.
CVE-2019-3902
A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write fil
mercurial (4.5.3-1ubuntu2.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Integer underflow and overflow.
    - debian/patches/CVE-2018-13347.patch: Protect against underflow.
    - debian/patches/CVE-2018-13347-extras.patch: Protect against overflow.
    - CVE-2018-13347
  * SECURITY UPDATE: Able to start fragment past the end of original data.
    - debian/patches/CVE-2018-13346.patch: Ensure fragment start is not past
      the end of orig.
    - CVE-2018-13346
  * SECURITY UPDATE: Data mishandling in certain situations.
    - debian/patches/CVE-2018-13348.patch: Be more careful about parsing
      binary patch data.
    - CVE-2018-13348

 -- Eduardo Barretto <email address hidden> Mon, 26 Nov 2018 17:38:17 -0200
CVE-2018-13347
mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.
CVE-2018-13346
The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the origina
CVE-2018-13348
The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining afte