Bug 1100353 - (CVE-2018-13348) VUL-0: CVE-2018-13348: mercurial: The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually ar
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/209663/
CVSSv3:SUSE:CVE-2018-13348:5.3:(AV:L/...
Reported: 2018-07-06 06:49 UTC by Marcus Meissner
Modified: 2018-12-17 23:54 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2018-07-06 06:49:28 UTC
CVE-2018-13348

The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles
certain situations where there should be at least 12 bytes remaining after the
current position in the patch data, but actually are not, aka OVE-20180430-0001.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-13348
https://www.mercurial-scm.org/repo/hg/rev/90a274965de7
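
The bounds check the description refers to, as an added illustration (not Mercurial's code and not the upstream fix). It assumes, beyond what this page states, that patch data is a sequence of fragments, each a 12-byte header of three big-endian 32-bit integers (start, end, len) followed by len payload bytes; count_fragments and the sample buffers are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

#define HDR_LEN 12 /* assumed header size: start, end, len as 3 x u32 */

static uint32_t be32(const unsigned char *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Constructed samples: one good fragment, a trailing 5-byte partial
 * header, and a header whose len claims more payload than is present. */
static const unsigned char sample_ok[] = {0,0,0,0, 0,0,0,2, 0,0,0,3, 'a','b','c'};
static const unsigned char sample_short[] = {0,0,0,0, 0,0,0,2, 0,0,0,3, 'a','b','c',
                                             0,0,0,3, 0};
static const unsigned char sample_overrun[] = {0,0,0,0, 0,0,0,2, 0,0,0,100, 'a','b'};

/* Walk every fragment in bin[0..len). Returns the fragment count, or -1
 * if a header or its payload would extend past the end of the buffer. */
int count_fragments(const unsigned char *bin, size_t len)
{
	size_t pos = 0;
	int n = 0;

	while (pos < len) {
		/* A header needs 12 bytes after pos. Comparing the remainder
		 * (len - pos) avoids the wraparound that pos + 12 could hit. */
		if (len - pos < HDR_LEN)
			return -1;
		uint32_t start = be32(bin + pos);
		uint32_t end = be32(bin + pos + 4);
		uint32_t dlen = be32(bin + pos + 8);
		pos += HDR_LEN;
		if (start > end)
			return -1;
		if (dlen > len - pos) /* payload must fit in what remains */
			return -1;
		pos += dlen;
		n++;
	}
	return n;
}

int main(void)
{
	return count_fragments(sample_ok, sizeof sample_ok) == 1 &&
	       count_fragments(sample_short, sizeof sample_short) == -1 ? 0 : 1;
}
```
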
Comment 1 Takashi Iwai 2018-07-06 11:51:41 UTC
TW already has a newer package.
The fix was submitted to SLE15, Leap 42.3, SLE12 and SLE11-SP3.

Back to security team.
Comment 3 Swamp Workflow Management 2018-07-06 12:30:06 UTC
This is an autogenerated message for OBS integration:
This bug (1100353) was mentioned in
https://build.opensuse.org/request/show/621322 42.3 / mercurial
Comment 4 Swamp Workflow Management 2018-07-19 13:11:06 UTC
SUSE-SU-2018:1990-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1100353,1100354,1100355
CVE References: CVE-2018-13346,CVE-2018-13347,CVE-2018-13348
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    mercurial-2.8.2-15.13.1
Comment 5 Swamp Workflow Management 2018-07-19 13:15:28 UTC
SUSE-SU-2018:1996-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1100353,1100354,1100355
CVE References: CVE-2018-13346,CVE-2018-13347,CVE-2018-13348
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    mercurial-2.3.2-0.18.9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    mercurial-2.3.2-0.18.9.1
Comment 6 Swamp Workflow Management 2018-07-19 13:16:50 UTC
SUSE-SU-2018:1998-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1100353,1100354,1100355
CVE References: CVE-2018-13346,CVE-2018-13347,CVE-2018-13348
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    mercurial-4.5.2-3.3.1
Comment 7 Swamp Workflow Management 2018-07-20 01:15:18 UTC
openSUSE-SU-2018:2023-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1100353,1100354,1100355
CVE References: CVE-2018-13346,CVE-2018-13347,CVE-2018-13348
Sources used:
openSUSE Leap 42.3 (src):    mercurial-4.2.3-15.1
Comment 8 Swamp Workflow Management 2018-07-28 14:05:05 UTC
openSUSE-SU-2018:2132-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1100353,1100354,1100355
CVE References: CVE-2018-13346,CVE-2018-13347,CVE-2018-13348
Sources used:
openSUSE Leap 15.0 (src):    mercurial-4.5.2-lp150.2.3.1
Comment 9 Marcus Meissner 2018-08-01 06:53:47 UTC
released