[3.2] mercurial: Several vulnerabilities (CVE-2016-3630, CVE-2016-3068, CVE-2016-3069)
CVE-2016-3630: remote code execution in binary delta decoding
Mercurial prior to 3.7.3 contained two bounds-checking errors in its binary delta decoder that may be exploitable via clone, push, or pull.
Fixes:
https://selenic.com/repo/hg-stable/rev/b6ed2505d6cf
https://selenic.com/repo/hg-stable/rev/b9714d958e89
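The page does not describe the two bounds-checking errors themselves, so the following is an added illustration, not Mercurial's own decoder: a Python applier for a fragment-based binary delta, with every header field checked against the base and the delta buffer before it is used. The fragment layout (big-endian start, end, length, then data), the names DeltaError, make_delta, apply_delta and rejects, and all sample inputs are assumptions made for this example.

```python
import struct

# Fragment header layout assumed for this example: three big-endian uint32
# fields (start, end, length) followed by `length` bytes of replacement data,
# replacing base[start:end]; fragments must be in ascending, non-overlapping
# order. This resembles the shape of Mercurial's bdiff/mpatch deltas but is an
# illustration, not the project's own decoder.
HDR = struct.Struct(">III")


class DeltaError(ValueError):
    """Raised for any delta that does not fit its base or its own length."""


def make_delta(fragments):
    """Encode [(start, end, data), ...] into the wire format (builds test inputs)."""
    return b"".join(HDR.pack(s, e, len(d)) + d for s, e, d in fragments)


def apply_delta(base: bytes, delta: bytes) -> bytes:
    """Apply `delta` to `base`, checking every offset before it is used.

    In a C decoder each of these checks guards a memcpy; omitting one lets a
    hostile delta read or write outside the buffers. Python slices clamp
    silently, so the explicit checks are what make this decoder reject bad
    input instead of quietly producing garbage.
    """
    out = []
    pos = 0            # next unread offset in base
    off = 0            # next unread offset in delta
    n = len(delta)
    while off < n:
        if n - off < HDR.size:
            raise DeltaError("truncated fragment header at delta offset %d" % off)
        start, end, length = HDR.unpack_from(delta, off)
        off += HDR.size
        if start < pos:
            raise DeltaError("fragment start %d overlaps previous fragment (ends at %d)"
                             % (start, pos))
        if end < start:
            raise DeltaError("fragment end %d precedes start %d" % (end, start))
        if end > len(base):
            raise DeltaError("fragment end %d exceeds base length %d" % (end, len(base)))
        if length > n - off:
            raise DeltaError("fragment claims %d data bytes but only %d remain"
                             % (length, n - off))
        out.append(base[pos:start])            # unchanged run before the fragment
        out.append(delta[off:off + length])    # replacement data
        off += length
        pos = end
    out.append(base[pos:])                     # unchanged tail
    return b"".join(out)


def rejects(base: bytes, delta: bytes) -> bool:
    """True if the decoder refuses `delta` for `base` (demonstration helper)."""
    try:
        apply_delta(base, delta)
    except DeltaError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: replace "world" (offsets 6..11) with "there".
    print(apply_delta(b"hello world", make_delta([(6, 11, b"there")])))
    # Constructed malformed input: header promises 50 data bytes, none follow.
    print(rejects(b"abc", HDR.pack(0, 1, 50)))
```

The checks that matter most in practice are the last two: an end offset past the base and a data length past the delta are exactly the cases a decoder written around raw pointer arithmetic tends to skip, and a clone, push or pull delivers the delta from the remote side.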
CVE-2016-3068: arbitrary code execution with Git subrepos
Mercurial prior to 3.7.3 allowed URLs for Git subrepos that could result
in arbitrary code execution on clone.
This is a further side-effect of Git CVE-2015-7545.
Fix:
https://selenic.com/repo/hg-stable/rev/34d43cb85de8
CVE-2016-3069: arbitrary code execution when converting Git repos
Mercurial prior to 3.7.3 allowed arbitrary code execution when
converting Git repos with hostile names.
This could affect automated conversion services.
Fixes:
https://selenic.com/repo/hg-stable/rev/197eed39e3d5
https://selenic.com/repo/hg-stable/rev/cdda7b96afff
https://selenic.com/repo/hg-stable/rev/b732e7f2aba4
https://selenic.com/repo/hg-stable/rev/80cac1de6aea
https://selenic.com/repo/hg-stable/rev/ae279d4a19e9
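CVE-2016-3068 and CVE-2016-3069 share a failure mode: strings supplied by the repository being cloned or converted (subrepo URLs, ref and path names) reach the Git command line. As an added example, not Mercurial's fix and not its configuration, the following Python shows an allowlist check for Git remote URLs and an argv builder that keeps untrusted names behind `--` and never goes through a shell. The allowlist, the function names (is_safe_git_url, is_safe_ref_name, git_argv, run_git) and the policy choices are assumptions for this example.

```python
import subprocess
from urllib.parse import urlsplit

# Assumed policy for this example (not Mercurial's own check): a Git remote is
# accepted only with an explicit, allowlisted URL scheme and a host.
ALLOWED_SCHEMES = frozenset({"http", "https", "git", "ssh"})


def is_safe_git_url(url: str) -> bool:
    """Accept only explicit scheme://host/... URLs from the allowlist.

    Refused: values that would parse as a command-line option, scp-style
    "host:path" shorthand (no explicit scheme), remote-helper transports such
    as ext::, and local file paths.
    """
    if not url or url.startswith("-"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:           # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    return bool(parts.hostname)


def is_safe_ref_name(name: str) -> bool:
    """Reject names that cannot be passed as a single argv entry."""
    return bool(name) and "\0" not in name


def git_argv(git_dir: str, subcommand: str, options=(), names=()):
    """Build an argument vector for git with untrusted names after '--'.

    `options` are trusted, program-supplied flags; `names` (refs, paths, ...)
    come from the repository and are never trusted. Each is a separate argv
    entry, placed after "--" so git treats it as an operand even when it
    begins with '-'.
    """
    for name in names:
        if not is_safe_ref_name(name):
            raise ValueError("invalid name: %r" % (name,))
    return ["git", "--git-dir", git_dir, subcommand, *options, "--", *names]


def run_git(git_dir: str, subcommand: str, options=(), names=()) -> str:
    """Run git from an argv list (no shell string) and return its stdout."""
    argv = git_argv(git_dir, subcommand, options, names)
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed samples; nothing here contacts a remote or runs git.
    for u in ("https://example.invalid/repo.git", "git@example.invalid:repo.git", "ext::sh"):
        print(u, is_safe_git_url(u))
    print(git_argv("/tmp/repo.git", "rev-parse", names=["-n1"]))
```

An automated conversion service, the case the advisory singles out for CVE-2016-3069, gets both halves: every remote it is asked to fetch passes is_safe_git_url first, and every name it later feeds to git is an operand after `--`, so a hostile ref name is data to git rather than an option or a shell fragment.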
References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29
(from redmine: issue id 5393, created on 2016-04-12, closed on 2016-04-25)
- Relations:
  - parent #5391 (closed)
- Changesets:
  - Revision 43622bb2 on 2016-04-19T13:51:54Z:
    main/mercurial: security fixes (CVE-2016-3630, CVE-2016-3068). Fixes #5393