Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 578546 (CVE-2016-3068, CVE-2016-3069, CVE-2016-3630) - <dev-vcs/mercurial-3.7.3: remote code execution (CVE-2016-{3068,3069,3630})
Summary: <dev-vcs/mercurial-3.7.3: remote code execution (CVE-2016-{3068,3069,3630})
Alias: CVE-2016-3068, CVE-2016-3069, CVE-2016-3630
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Depends on:
Reported: 2016-03-29 18:45 UTC by Dirkjan Ochtman (RETIRED)
Modified: 2016-12-07 10:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Dirkjan Ochtman (RETIRED) gentoo-dev 2016-03-29 18:45:52 UTC
CVE-2016-3630 Mercurial: remote code execution in binary delta decoding

    Mercurial prior to 3.7.3 contained two bounds-checking errors in its binary delta decoder that may be exploitable via clone, push, or pull. 

CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos

    Mercurial prior to 3.7.3 allowed URLs for Git subrepos that could result in arbitrary code execution on clone. This is a further side-effect of Git CVE-2015-7545. Reported by Blake Burkhart. 

CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos

    Mercurial prior to 3.7.3 allowed arbitrary code execution when converting Git repos with hostile names. This could affect automated conversion services. Reported by Blake Burkhart.
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2016-03-29 18:52:24 UTC
3.7.3 is in the tree. Feel free to stabilize.
Comment 2 Agostino Sarubbo gentoo-dev 2016-03-30 12:40:46 UTC
Arches, please test and mark stable:                                                                                                                                                                                                                                           
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2016-04-02 14:19:40 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-04-04 02:45:58 UTC
Stable for HPPA PPC64.
Comment 5 Agostino Sarubbo gentoo-dev 2016-04-11 10:40:15 UTC
x86 stable
Comment 6 Markus Meier gentoo-dev 2016-04-19 15:37:02 UTC
arm stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2016-05-20 14:02:21 UTC
Stable on alpha.
Comment 8 Agostino Sarubbo gentoo-dev 2016-07-08 07:56:11 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-07-08 10:04:52 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-07-08 12:04:24 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-11-01 09:55:25 UTC
CVE-2016-3630 (
  The binary delta decoder in Mercurial before 3.7.3 allows remote attackers
  to execute arbitrary code via a (1) clone, (2) push, or (3) pull command,
  related to (a) a list sizing rounding error and (b) short records.

CVE-2016-3069 (
  Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via
  a crafted name when converting a Git repository.

CVE-2016-3068 (
  Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via
  a crafted git ext:: URL when cloning a subrepository.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-12-07 10:36:43 UTC
This issue was resolved and addressed in
 GLSA 201612-19 at
by GLSA coordinator Aaron Bauman (b-man).