mercurial: CVE-2018-13346 CVE-2018-13347 CVE-2018-13348


Debian Bug report logs - #901050


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 8 Jun 2018 12:33:02 UTC

Severity: grave

Tags: security, upstream

Found in versions mercurial/3.1.2-1, mercurial/4.6-2

Fixed in version mercurial/4.6.1-1

Done: Julien Cristau <jcristau@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#901050; Package src:mercurial. (Fri, 08 Jun 2018 12:33:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Fri, 08 Jun 2018 12:33:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mercurial: New security fixes release (4.6.1)
Date: Fri, 08 Jun 2018 14:31:50 +0200
Source: mercurial
Version: 4.6-2
Severity: grave
Tags: security upstream

For tracking purposes: mercurial 4.6.1 contains security fixes as
denoted in: 

https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29

> 1.1. Security Fixes
> 
> Multiple issues found in mpatch.c with a fuzzer:
> 
>     OVE-20180430-0001
>     OVE-20180430-0002
>     OVE-20180430-0004
> 
> With the following fixes:
> 
>     mpatch: be more careful about parsing binary patch data (SEC)
>     mpatch: protect against underflow in mpatch_apply (SEC)
>     mpatch: ensure fragment start isn't past the end of orig (SEC)
>     mpatch: fix UB in int overflows in gather() (SEC)
>     mpatch: fix UB integer overflows in discard() (SEC)
>     mpatch: avoid integer overflow in mpatch_decode (SEC)
>     mpatch: avoid integer overflow in combine() (SEC)
> 
> No exploits are known at the time, however, it is highly recommended that all
> users upgrade.

No CVEs are yet assigned.

Regards,
Salvatore
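The fix list quoted above names the checks that were missing in mpatch. As an added example, not code from Mercurial or from this report, here is a bounds-checked walk over a binary patch that applies those checks before anything is copied; the fragment layout it assumes (three big-endian 32-bit integers start, end, len, followed by len data bytes) and every function name are this example's own.

```c
/* Added example, not Mercurial's code: the checks named in the 4.6.1 fix list
 * (fragment start not past the end of orig, no underflow in apply, no overflow
 * while decoding), on a simplified walk over a binary patch. Assumed format:
 * a 12-byte header of big-endian 32-bit (start, end, len), then len data bytes. */
#include <stddef.h>
#include <stdint.h>

static uint32_t rd32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate a patch against an original of orig_len bytes and compute the size
 * of the patched result. Returns 0 and sets *out_len on success, -1 on any
 * malformed fragment. The total is 64-bit and bounded by orig_len + bin_len. */
int checked_patch_outlen(const unsigned char *bin, size_t bin_len,
                         size_t orig_len, size_t *out_len)
{
    size_t pos = 0;
    uint64_t last = 0;      /* end of the previous fragment in orig */
    uint64_t outlen = 0;
    while (pos < bin_len) {
        if (bin_len - pos < 12) return -1;          /* truncated header */
        uint32_t start = rd32(bin + pos);
        uint32_t end   = rd32(bin + pos + 4);
        uint32_t len   = rd32(bin + pos + 8);
        pos += 12;
        if (len > bin_len - pos) return -1;         /* data runs past the patch */
        if (start > end || end > orig_len) return -1; /* fragment outside orig */
        if (start < last) return -1;                /* overlaps previous: would underflow */
        outlen += (start - last) + len;             /* untouched bytes, then replacement */
        last = end;
        pos += len;
    }
    outlen += orig_len - last;                      /* untouched tail of orig */
    *out_len = (size_t)outlen;
    return 0;
}

/* Constructed sample patches (not from the report), applied to a 10-byte original. */
static const unsigned char GOOD_PATCH[] = {0,0,0,2, 0,0,0,5, 0,0,0,3, 'a','b','c'};
static const unsigned char PAST_END[]   = {0,0,0,8, 0,0,0,12, 0,0,0,0};
static const unsigned char TRUNCATED[]  = {0,0,0,2, 0,0,0,5, 0,0,0,9, 'a'};
int demo_good(void)      { size_t n = 0; return checked_patch_outlen(GOOD_PATCH, sizeof GOOD_PATCH, 10, &n) == 0 && n == 10; }
int demo_past_end(void)  { size_t n = 0; return checked_patch_outlen(PAST_END, sizeof PAST_END, 10, &n); }
int demo_truncated(void) { size_t n = 0; return checked_patch_outlen(TRUNCATED, sizeof TRUNCATED, 10, &n); }
```

The good patch replaces bytes [2,5) with three bytes, so the result stays 10 bytes; the other two are rejected before any data is read.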



Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility. (Fri, 08 Jun 2018 13:51:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 08 Jun 2018 13:51:06 GMT)


Message #10 received at 901050-close@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: 901050-close@bugs.debian.org
Subject: Bug#901050: fixed in mercurial 4.6.1-1
Date: Fri, 08 Jun 2018 13:46:31 +0000
Source: mercurial
Source-Version: 4.6.1-1

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901050@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated mercurial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 Jun 2018 13:56:22 +0200
Source: mercurial
Binary: mercurial-common mercurial
Architecture: source
Version: 4.6.1-1
Distribution: unstable
Urgency: medium
Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description:
 mercurial  - easy-to-use, scalable distributed version control system
 mercurial-common - easy-to-use, scalable distributed version control system (common
Closes: 901050
Changes:
 mercurial (4.6.1-1) unstable; urgency=medium
 .
   * New upstream bugfix release
     + fix security issues in mpatch (closes: #901050)
     + proposed_upstream__fix_xdiff_32bit.patch: drop, applied upstream





Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#901050; Package src:mercurial. (Fri, 06 Jul 2018 04:24:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Fri, 06 Jul 2018 04:24:03 GMT)


Message #15 received at 901050@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 901050@bugs.debian.org
Subject: Re: Bug#901050: mercurial: New security fixes release (4.6.1)
Date: Fri, 6 Jul 2018 06:20:56 +0200
Control: retitle -1 mercurial: CVE-2018-13346 CVE-2018-13347 CVE-2018-13348
Control: found -1 3.1.2-1

Hi,

On Fri, Jun 08, 2018 at 02:31:50PM +0200, Salvatore Bonaccorso wrote:
> Source: mercurial
> Version: 4.6-2
> Severity: grave
> Tags: security upstream
> 
> For tracking purposes: mercurial 4.6.1 contains security fixes as
> denoted in: 
> 
> https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29
> 
> > 1.1. Security Fixes
> > 
> > Multiple issues found in mpatch.c with a fuzzer:
> > 
> >     OVE-20180430-0001
> >     OVE-20180430-0002
> >     OVE-20180430-0004
> > 
> > With the following fixes:
> > 
> >     mpatch: be more careful about parsing binary patch data (SEC)
> >     mpatch: protect against underflow in mpatch_apply (SEC)
> >     mpatch: ensure fragment start isn't past the end of orig (SEC)
> >     mpatch: fix UB in int overflows in gather() (SEC)
> >     mpatch: fix UB integer overflows in discard() (SEC)
> >     mpatch: avoid integer overflow in mpatch_decode (SEC)
> >     mpatch: avoid integer overflow in combine() (SEC)
> > 
> > No exploits are known at the time, however, it is highly recommended that all
> > users upgrade.
> 
> No CVEs are yet assigned.

CVEs were now assigned (CVE-2018-13346, CVE-2018-13347 and
CVE-2018-13348).

Note that CVE-2018-13347 covers not only a single patch. See
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13347
references for details.

Regards,
Salvatore



Changed Bug title to 'mercurial: CVE-2018-13346 CVE-2018-13347 CVE-2018-13348' from 'mercurial: New security fixes release (4.6.1)'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 901050-submit@bugs.debian.org. (Fri, 06 Jul 2018 04:24:03 GMT)


Marked as found in versions mercurial/3.1.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 901050-submit@bugs.debian.org. (Fri, 06 Jul 2018 04:24:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:48:40 2019; Machine Name: beach
