[Git][security-tracker-team/security-tracker][master] Add CVE-2018-1334{6,7,8}/mercurial

Fri Jul 6 05:13:50 BST 2018

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
31f8c22c by Salvatore Bonaccorso at 2018-07-06T06:12:44+02:00
Add CVE-2018-1334{6,7,8}/mercurial

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================

--- a/data/CVE/list
+++ b/data/CVE/list
@@ -3236,23 +3236,20 @@ CVE-2018-12051 (Arbitrary File Upload and Remote Code Execution exist in PHP Scr
 	NOT-FOR-US: PHP Scripts Mall Schools Alert Management Script
 CVE-2018-12050
 	RESERVED
-CVE-2018-XXXX [OVE-20180430-0004: mpatch: ensure fragment start isn't past the end of orig]
+CVE-2018-13346 [OVE-20180430-0004: mpatch: ensure fragment start isn't past the end of orig]
 	- mercurial 4.6.1-1 (bug #901050)
-	[jessie] - mercurial 3.1.2-2+deb8u5
 	NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29
 	NOTE: https://www.mercurial-scm.org/repo/hg/rev/faa924469635
-CVE-2018-XXXX [OVE-20180430-0002: mpatch: protect against underflow in mpatch_apply]
+CVE-2018-13347 [OVE-20180430-0002: mpatch: protect against underflow in mpatch_apply]
 	- mercurial 4.6.1-1 (bug #901050)
-	[jessie] - mercurial 3.1.2-2+deb8u5
 	NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29
 	NOTE: https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c
 	NOTE: there are actually 6 more patches required to completely fix bug #901050,
 	NOTE: see https://www.mercurial-scm.org/repo/hg-committed/log?rev=modifies%28%22mercurial%2Fmpatch.c%22%29+and+4.5%3A%3A
 	NOTE: upstream proposes we use OVE-20180430-0002 to cover all undefined behavior
 	NOTE: cases which the 6 patches fix
-CVE-2018-XXXX [OVE-20180430-0001: mpatch: be more careful about parsing binary patch data]
+CVE-2018-13348 [OVE-20180430-0001: mpatch: be more careful about parsing binary patch data]
 	- mercurial 4.6.1-1 (bug #901050)
-	[jessie] - mercurial 3.1.2-2+deb8u5
 	NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29
 	NOTE: https://www.mercurial-scm.org/repo/hg/rev/90a274965de7
 CVE-2018-12049 (** DISPUTED ** A remote attacker can bypass the System Manager Mode on ...)


=====================================
data/DLA/list
=====================================
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1,5 +1,5 @@
 [05 Jul 2018] DLA-1414-1 mercurial - security update
-	{CVE-2017-9462 CVE-2017-17458 CVE-2018-1000132}
+	{CVE-2017-9462 CVE-2017-17458 CVE-2018-1000132 CVE-2018-13346 CVE-2018-13347 CVE-2018-13348}
 	[jessie] - mercurial 3.1.2-2+deb8u5
 [05 Jul 2018] DLA-1413-1 dokuwiki - security update
 	{CVE-2017-18123}



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/31f8c22c41cca46aa08ec8ca01974656bed084e1

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/31f8c22c41cca46aa08ec8ca01974656bed084e1
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20180706/f98e2921/attachment-0001.html>
