Multiple Mercurial CVEs have been announced

Bug #1759366 reported by Simon Quigley on 2018-03-27
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
mercurial (Ubuntu)
High
Unassigned
Trusty
High
Simon Quigley
Xenial
High
Simon Quigley

Bug Description

There are multiple CVEs in Mercurial that should be fixed through a security update. Here's the releases that I believe need patching and the releases which I believe are affected:

 * CVE-2016-3068: Mercurial before 3.7.3 allows remote attackers to execute arbitrary code
via a crafted git ext:: URL when cloning a subrepository.
   - Trusty
 * CVE-2016-3069: Mercurial before 3.7.3 allows remote attackers to execute arbitrary code
via a crafted name when converting a Git repository.
   - Trusty
 * CVE-2016-3105: The convert extension in Mercurial before 3.8 might allow context-dependent
attackers to execute arbitrary code via a crafted git repository name.
   - Trusty
   - Xenial
 * CVE-2016-3630: The binary delta decoder in Mercurial before 3.7.3 allows remote attackers
to execute arbitrary code via a (1) clone, (2) push, or (3) pull command,
related to (a) a list sizing rounding error and (b) short records.
   - Trusty
 * CVE-2017-17458: In Mercurial before 4.4.1, it is possible that a specially malformed
repository can cause Git subrepositories to run arbitrary code in the form
of a .git/hooks/post-update script checked into the repository. Typical use
of Mercurial prevents construction of such repositories, but they can be
created programmatically.
   - Trusty
   - Xenial
   - Artful
 * CVE-2018-1000132: Mercurial version 4.5 and earlier contains a Incorrect Access Control
(CWE-285) vulnerability in Protocol server that can result in Unauthorized
data access. This attack appear to be exploitable via network connectivity.
This vulnerability appears to have been fixed in 4.5.1.
   - Trusty
   - Xenial
   - Artful

Simon Quigley (tsimonq2) on 2018-03-27
Changed in mercurial (Ubuntu):
importance: Undecided → High
Changed in mercurial (Ubuntu Trusty):
importance: Undecided → Critical
importance: Critical → High
Changed in mercurial (Ubuntu Xenial):
importance: Undecided → High
Changed in mercurial (Ubuntu Artful):
importance: Undecided → High
Changed in mercurial (Ubuntu Trusty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in mercurial (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in mercurial (Ubuntu Artful):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in mercurial (Ubuntu Trusty):
status: New → Won't Fix
Changed in mercurial (Ubuntu Xenial):
status: New → Confirmed
Changed in mercurial (Ubuntu Artful):
status: New → Confirmed
Changed in mercurial (Ubuntu Trusty):
status: Won't Fix → Confirmed
Changed in mercurial (Ubuntu):
status: New → Fix Released
summary: - Multiple mercurial CVEs have been announced
+ Multiple Mercurial CVEs have been announced
information type: Public → Public Security
Simon Quigley (tsimonq2) on 2018-06-19
tags: added: community-security
Simon Quigley (tsimonq2) on 2018-07-19
no longer affects: mercurial (Ubuntu Artful)
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers