[Python-apps-team] Bug#901050: mercurial: New security fixes release (4.6.1)
Salvatore Bonaccorso
carnil at debian.org
Fri Jun 8 13:31:50 BST 2018
Source: mercurial
Version: 4.6-2
Severity: grave
Tags: security upstream
For tracking purposes: mercurial 4.6.1 contains security fixes as
denoted in:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29
> 1.1. Security Fixes
>
> Multiple issues found in mpatch.c with a fuzzer:
>
> OVE-20180430-0001
> OVE-20180430-0002
> OVE-20180430-0004
>
> With the following fixes:
>
> mpatch: be more careful about parsing binary patch data (SEC)
> mpatch: protect against underflow in mpatch_apply (SEC)
> mpatch: ensure fragment start isn't past the end of orig (SEC)
> mpatch: fix UB in int overflows in gather() (SEC)
> mpatch: fix UB integer overflows in discard() (SEC)
> mpatch: avoid integer overflow in mpatch_decode (SEC)
> mpatch: avoid integer overflow in combine() (SEC)
>
> No exploits are known at the time, however, it is highly recommended that all
> users upgrade.
No CVEs are yet assigned.
Regards,
Salvatore
More information about the Python-apps-team
mailing list