Bugzilla – Bug 973175
VUL-0: CVE-2016-3630: mercurial: remote code execution in binary delta decoding
Last modified: 2018-06-11 15:16:04 UTC
rh#1322264

Mercurial prior to 3.7.3 contained two bounds-checking errors in its binary delta decoder that may be exploitable via clone, push, or pull.

External references:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29

Upstream fixes:
https://selenic.com/repo/hg-stable/rev/b6ed2505d6cf
https://selenic.com/repo/hg-stable/rev/b9714d958e89

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1322264
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3630
bugbot adjusting priority
mercurial 3.7.3 was submitted to FACTORY.

The backports have been done now, but are totally untested:

OBS home:tiwai:branches:OBS_Maintained:mercurial contains the fixes for openSUSE 13.2 and Leap 42.1.
IBS home:tiwai:branches:OBS_Maintained:mercurial contains the fixes for SLE12 and SLE11-SP3.

All of the above include the fixes for three bugs:
CVE-2016-3630, bsc#973175
CVE-2016-3068, bsc#973177
CVE-2016-3069, bsc#973176
Do we have a bug reproducer? As already mentioned, the fixed packages are ready, but untested.
This is an autogenerated message for OBS integration:

This bug (973175) was mentioned in
https://build.opensuse.org/request/show/384126 42.1 / mercurial
https://build.opensuse.org/request/show/384129 13.2 / mercurial
SUSE-SU-2016:1010-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 973175,973176,973177
CVE References: CVE-2016-3068,CVE-2016-3069,CVE-2016-3630
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): mercurial-2.8.2-6.1
SUSE Linux Enterprise Software Development Kit 12 (src): mercurial-2.8.2-6.1
SUSE-SU-2016:1011-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 973175,973176,973177
CVE References: CVE-2016-3068,CVE-2016-3069,CVE-2016-3630
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): mercurial-2.3.2-0.11.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): mercurial-2.3.2-0.11.1
openSUSE-SU-2016:1016-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 973175,973176,973177
CVE References: CVE-2016-3068,CVE-2016-3069,CVE-2016-3630
Sources used:
openSUSE 13.2 (src): mercurial-3.1.2-7.1
releasing for leap 42.1
openSUSE-SU-2016:1073-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 973175,973176,973177
CVE References: CVE-2016-3068,CVE-2016-3069,CVE-2016-3630
Sources used:
openSUSE Leap 42.1 (src): mercurial-3.5.1-3.1