[Python-apps-team] Bug#901050: mercurial: New security fixes release (4.6.1)

Salvatore Bonaccorso carnil at debian.org
Fri Jun 8 13:31:50 BST 2018

Source: mercurial
Version: 4.6-2
Severity: grave
Tags: security upstream

For tracking purposes: mercurial 4.6.1 contains security fixes as
denoted in: 


> 1.1. Security Fixes
> Multiple issues found in mpatch.c with a fuzzer:
>     OVE-20180430-0001
>     OVE-20180430-0002
>     OVE-20180430-0004
> With the following fixes:
>     mpatch: be more careful about parsing binary patch data (SEC)
>     mpatch: protect against underflow in mpatch_apply (SEC)
>     mpatch: ensure fragment start isn't past the end of orig (SEC)
>     mpatch: fix UB in int overflows in gather() (SEC)
>     mpatch: fix UB integer overflows in discard() (SEC)
>     mpatch: avoid integer overflow in mpatch_decode (SEC)
>     mpatch: avoid integer overflow in combine() (SEC)
> No exploits are known at the time, however, it is highly recommended that all
> users upgrade.

No CVEs are yet assigned.


More information about the Python-apps-team mailing list