Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 658712 (CVE-2018-13346, CVE-2018-13347, CVE-2018-13348) - <dev-vcs/mercurial-4.6.1: multiple vulnerabilities
Summary: <dev-vcs/mercurial-4.6.1: multiple vulnerabilities
Alias: CVE-2018-13346, CVE-2018-13347, CVE-2018-13348
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on:
Reported: 2018-06-22 04:59 UTC by Florian Schuhmacher
Modified: 2019-04-17 09:09 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Florian Schuhmacher 2018-06-22 04:59:04 UTC
For tracking purposes: mercurial 4.6.1 contains security fixes as
denoted in:

1.1. Security Fixes

Multiple issues found in mpatch.c with a fuzzer:


With the following fixes:

    mpatch: be more careful about parsing binary patch data (SEC)
    mpatch: protect against underflow in mpatch_apply (SEC)
    mpatch: ensure fragment start isn't past the end of orig (SEC)
    mpatch: fix UB in int overflows in gather() (SEC)
    mpatch: fix UB integer overflows in discard() (SEC)
    mpatch: avoid integer overflow in mpatch_decode (SEC)
    mpatch: avoid integer overflow in combine() (SEC) 

No exploits are known at the time, however, it is highly recommended that all users upgrade. 

No CVEs are yet assigned.

Gentoo Security Scout
Florian Schuhmacher
Comment 1 Agostino Sarubbo gentoo-dev 2018-07-11 14:28:08 UTC
amd64 stable
Comment 2 Larry the Git Cow gentoo-dev 2018-07-11 21:22:07 UTC
The bug has been referenced in the following commit(s):

commit 092f0026101933f10427916cb9c73b90a814c699
Author:     Rolf Eike Beer <>
AuthorDate: 2018-07-11 17:18:54 +0000
Commit:     Sergei Trofimovich <>
CommitDate: 2018-07-11 21:21:53 +0000

    dev-vcs/mercurial: stable 4.6.2 for sparc
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="sparc"

 dev-vcs/mercurial/mercurial-4.6.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-07-15 14:25:13 UTC
x86 stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2018-07-20 12:13:09 UTC
Stable on alpha.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-07-22 19:03:20 UTC
arm stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-01 23:43:49 UTC
ia64 stable
Comment 7 Matt Turner gentoo-dev 2018-09-17 21:25:55 UTC
ppc/ppc64 stable. all arches stable
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2018-11-24 22:57:35 UTC
Fixes are in 4.6.1.  Maintainer decided to stable 4.6.2. Summary adjusted.

@maintainer, HPPA is not a stable arch... if you would like to proceed with cleanup of 4.5.2.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2019-03-10 04:10:56 UTC
please clean.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2019-04-17 04:21:22 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 11 Larry the Git Cow gentoo-dev 2019-04-17 08:16:30 UTC
The bug has been referenced in the following commit(s):

commit a3a686e12d8c35676f4dec2250d66bc42ef70796
Author:     Lars Wendler <>
AuthorDate: 2019-04-17 08:12:17 +0000
Commit:     Lars Wendler <>
CommitDate: 2019-04-17 08:12:17 +0000

    dev-vcs/mercurial: Security cleanup
    Package-Manager: Portage-2.3.63, Repoman-2.3.12
    Signed-off-by: Lars Wendler <>

 dev-vcs/mercurial/Manifest               |   3 -
 dev-vcs/mercurial/mercurial-4.5.2.ebuild | 137 ----------------------------
 dev-vcs/mercurial/mercurial-4.7.1.ebuild | 136 ----------------------------
 dev-vcs/mercurial/mercurial-4.8.2.ebuild | 148 -------------------------------
 4 files changed, 424 deletions(-)