CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
Mercurial prior to 3.7.3 contained two bounds-checking errors in its binary delta decoder that may be exploitable via clone, push, or pull.

CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
Mercurial prior to 3.7.3 allowed URLs for Git subrepos that could result in arbitrary code execution on clone. This is a further side-effect of Git CVE-2015-7545. Reported by Blake Burkhart.

CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos
Mercurial prior to 3.7.3 allowed arbitrary code execution when converting Git repos with hostile names. This could affect automated conversion services. Reported by Blake Burkhart.
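The CVE-2016-3068 vector above is a Git subrepo whose source URL uses Git's ext:: transport, which hands the URL to a shell helper. An administrator who cannot upgrade immediately, or who wants to audit repositories already mirrored, can scan .hgsub files for that transport before cloning. The following scanner is an added example written for this report; it is not Mercurial code. It assumes the documented .hgsub line format "path = [kind]source" (kind defaults to hg when the bracketed prefix is absent) and that the constructed sample below is representative.

```python
import re

# Constructed sample .hgsub content for demonstration (not taken from any real repository).
# The ext:: line shows the shape of the hostile transport; the command is deliberately harmless.
SAMPLE_HGSUB = """\
# vendored dependencies
lib/vendor = [git]https://example.invalid/vendor.git
tools/helper = [git]ext::sh -c 'id' %S
docs = https://hg.example.invalid/docs
svn/legacy = [svn]https://svn.example.invalid/legacy
"""

_KIND_RE = re.compile(r"\[([a-z]+)\](.*)")


def parse_hgsub(text):
    """Parse .hgsub text into (path, kind, source) tuples.

    Blank lines and '#' comments are skipped. A source without a
    '[kind]' prefix is a Mercurial subrepo, per Mercurial's convention.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        path, source = (part.strip() for part in line.split("=", 1))
        match = _KIND_RE.match(source)
        if match:
            kind, source = match.group(1), match.group(2).strip()
        else:
            kind = "hg"
        entries.append((path, kind, source))
    return entries


def find_ext_subrepos(text):
    """Return Git subrepo entries whose source uses the ext:: transport.

    Matching is case-insensitive on the scheme prefix only; anything that
    starts with 'ext::' would be executed by git's remote-ext helper and
    should be treated as hostile before cloning with a vulnerable Mercurial.
    """
    return [
        entry
        for entry in parse_hgsub(text)
        if entry[1] == "git" and entry[2].lower().startswith("ext::")
    ]


if __name__ == "__main__":
    for path, kind, source in find_ext_subrepos(SAMPLE_HGSUB):
        print("suspicious subrepo %s (%s): %s" % (path, kind, source))
```

Run it against each .hgsub in a mirror before cloning; a non-empty result from find_ext_subrepos is reason to refuse the clone or inspect the repository by hand.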
3.7.3 is in the tree. Feel free to stabilize.
Arches, please test and mark stable: =dev-vcs/mercurial-3.7.3 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
amd64 stable
Stable for HPPA PPC64.
x86 stable
arm stable
Stable on alpha.
ppc stable
sparc stable
ia64 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
CVE-2016-3630 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3630):
The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.

CVE-2016-3069 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3069):
Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository.

CVE-2016-3068 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3068):
Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository.
This issue was resolved and addressed in GLSA 201612-19 at https://security.gentoo.org/glsa/201612-19 by GLSA coordinator Aaron Bauman (b-man).