[Git][security-tracker-team/security-tracker][master] Add CVE-2018-1334{6,7,8}/mercurial

Thu, 05 Jul 2018 21:14:17 -0700 

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
31f8c22c by Salvatore Bonaccorso at 2018-07-06T06:12:44+02:00
Add CVE-2018-1334{6,7,8}/mercurial

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -3236,23 +3236,20 @@ CVE-2018-12051 (Arbitrary File Upload and Remote Code 
Execution exist in PHP Scr
        NOT-FOR-US: PHP Scripts Mall Schools Alert Management Script
 CVE-2018-12050
        RESERVED
-CVE-2018-XXXX [OVE-20180430-0004: mpatch: ensure fragment start isn't past the 
end of orig]
+CVE-2018-13346 [OVE-20180430-0004: mpatch: ensure fragment start isn't past 
the end of orig]
        - mercurial 4.6.1-1 (bug #901050)
-       [jessie] - mercurial 3.1.2-2+deb8u5
        NOTE: 
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29
        NOTE: https://www.mercurial-scm.org/repo/hg/rev/faa924469635
-CVE-2018-XXXX [OVE-20180430-0002: mpatch: protect against underflow in 
mpatch_apply]
+CVE-2018-13347 [OVE-20180430-0002: mpatch: protect against underflow in 
mpatch_apply]
        - mercurial 4.6.1-1 (bug #901050)
-       [jessie] - mercurial 3.1.2-2+deb8u5
        NOTE: 
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29
        NOTE: https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c
        NOTE: there are actually 6 more patches required to completely fix bug 
#901050,
        NOTE: see 
https://www.mercurial-scm.org/repo/hg-committed/log?rev=modifies%28%22mercurial%2Fmpatch.c%22%29+and+4.5%3A%3A
        NOTE: upstream proposes we use OVE-20180430-0002 to cover all undefined 
behavior
        NOTE: cases which the 6 patches fix
-CVE-2018-XXXX [OVE-20180430-0001: mpatch: be more careful about parsing binary 
patch data]
+CVE-2018-13348 [OVE-20180430-0001: mpatch: be more careful about parsing 
binary patch data]
        - mercurial 4.6.1-1 (bug #901050)
-       [jessie] - mercurial 3.1.2-2+deb8u5
        NOTE: 
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29
        NOTE: https://www.mercurial-scm.org/repo/hg/rev/90a274965de7
 CVE-2018-12049 (** DISPUTED ** A remote attacker can bypass the System Manager 
Mode on ...)


=====================================
data/DLA/list
=====================================
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1,5 +1,5 @@
 [05 Jul 2018] DLA-1414-1 mercurial - security update
-       {CVE-2017-9462 CVE-2017-17458 CVE-2018-1000132}
+       {CVE-2017-9462 CVE-2017-17458 CVE-2018-1000132 CVE-2018-13346 
CVE-2018-13347 CVE-2018-13348}
        [jessie] - mercurial 3.1.2-2+deb8u5
 [05 Jul 2018] DLA-1413-1 dokuwiki - security update
        {CVE-2017-18123}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/31f8c22c41cca46aa08ec8ca01974656bed084e1

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/31f8c22c41cca46aa08ec8ca01974656bed084e1
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to