| Summary: | <dev-vcs/mercurial-3.7.3: remote code execution (CVE-2016-{3068,3069,3630}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Dirkjan Ochtman (RETIRED) <djc> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | polynomial-c |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B2 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |
Description
Dirkjan Ochtman (RETIRED)
2016-03-29 18:45:52 UTC
3.7.3 is in the tree. Feel free to stabilize.

Arches, please test and mark stable: =dev-vcs/mercurial-3.7.3
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

amd64 stable. Stable for HPPA PPC64. x86 stable. arm stable. Stable on alpha. ppc stable. sparc stable. ia64 stable.

Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.

- CVE-2016-3630 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3630): The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.
- CVE-2016-3069 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3069): Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository.
- CVE-2016-3068 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3068): Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository.

This issue was resolved and addressed in GLSA 201612-19 at https://security.gentoo.org/glsa/201612-19 by GLSA coordinator Aaron Bauman (b-man).
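The CVE-2016-3068 entry above concerns git subrepository sources that use git's `ext::` transport, which hands the remainder of the URL to an external command. The authoritative fix is upgrading to >=dev-vcs/mercurial-3.7.3; the following is an added pre-clone audit, written for this page and not code from the bug, from Mercurial or from Gentoo, that scans a repository's `.hgsub` file and flags git subrepositories whose source starts with `ext::`. It assumes the documented `.hgsub` line form `path = [kind]source` with `hg` as the default kind; the parser is a deliberately simplified stand-in for Mercurial's own config parser, and the sample file is constructed for the example.

```python
"""Audit a Mercurial .hgsub file for git subrepositories that use the
ext:: transport (the vector named in CVE-2016-3068).

Added example for this bug page; not Mercurial, Gentoo or bug-tracker code.
The .hgsub parser here is a simplified stand-in (assumption) for
Mercurial's real config parser: it handles `path = [kind]source` lines,
blank lines and `#`/`;` comment lines, and nothing else.
"""
import re
from collections import namedtuple

Subrepo = namedtuple("Subrepo", "path kind url")

# A source may be prefixed with a kind in square brackets, e.g. "[git]URL".
_KIND_RE = re.compile(r"^\[(?P<kind>[A-Za-z]+)\](?P<url>.*)$")


def parse_hgsub(text):
    """Return a list of Subrepo(path, kind, url) for each entry in `text`.

    Entries without an explicit [kind] prefix are Mercurial subrepos ("hg").
    Lines without an '=' are skipped here; real Mercurial would reject them.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        if "=" not in line:
            continue                      # malformed; ignored in this audit
        path, source = (part.strip() for part in line.split("=", 1))
        match = _KIND_RE.match(source)
        if match:
            kind = match.group("kind").lower()
            url = match.group("url").strip()
        else:
            kind, url = "hg", source
        entries.append(Subrepo(path, kind, url))
    return entries


def is_ext_url(url):
    """True if a git source uses the ext:: transport (case-insensitive)."""
    return url.lstrip().lower().startswith("ext::")


def find_ext_subrepos(text):
    """Return the git subrepo entries whose source uses the ext:: transport."""
    return [e for e in parse_hgsub(text)
            if e.kind == "git" and is_ext_url(e.url)]


# Constructed sample .hgsub; the ext:: line is a placeholder, not a payload.
SAMPLE_HGSUB = """\
# constructed sample, not from any real repository
vendor/lib  = [git]https://example.com/lib.git
vendor/evil = [git]ext::some-helper-command %S
docs        = docs-subrepo
svnbits     = [svn]https://svn.example.com/proj/trunk
"""


def audit(text):
    """Return a human-readable verdict for one .hgsub body."""
    hits = find_ext_subrepos(text)
    if not hits:
        return "OK: no git ext:: subrepository sources found"
    lines = ["WARNING: git ext:: subrepository source(s) found:"]
    lines += ["  %s = [git]%s" % (h.path, h.url) for h in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit(SAMPLE_HGSUB))
```

Run it against a checkout's `.hgsub` before cloning with subrepositories on a host that is still on a vulnerable Mercurial; a warning means the clone should not be run until the package is updated. The check is a stopgap for the one vector it understands: it says nothing about the other two CVEs, which are triggered by repository content rather than by `.hgsub` entries.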