[Bug 1759366] [NEW] Multiple Mercurial CVEs have been announced
*** This bug is a security vulnerability ***
Public security bug reported:
There are multiple CVEs in Mercurial that should be fixed through a
security update. Here are the releases that I believe need patching and
the releases which I believe are affected:

* CVE-2016-3068: Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository.
  - Trusty
* CVE-2016-3069: Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository.
  - Trusty
* CVE-2016-3105: The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name.
  - Trusty
  - Xenial
* CVE-2016-3630: The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.
  - Trusty
* CVE-2017-17458: In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.
  - Trusty
  - Xenial
  - Artful
* CVE-2018-1000132: Mercurial version 4.5 and earlier contains an Incorrect Access Control (CWE-285) vulnerability in the protocol server that can result in unauthorized data access. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.
  - Trusty
  - Xenial
  - Artful
** Affects: mercurial (Ubuntu)
Importance: High
Status: Fix Released
** Affects: mercurial (Ubuntu Trusty)
Importance: High
Assignee: Simon Quigley (tsimonq2)
Status: Confirmed
** Affects: mercurial (Ubuntu Xenial)
Importance: High
Assignee: Simon Quigley (tsimonq2)
Status: Confirmed
** Affects: mercurial (Ubuntu Artful)
Importance: High
Assignee: Simon Quigley (tsimonq2)
Status: Confirmed
** Also affects: mercurial (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: mercurial (Ubuntu Artful)
Importance: Undecided
Status: New
** Also affects: mercurial (Ubuntu Trusty)
Importance: Undecided
Status: New
** Changed in: mercurial (Ubuntu)
Importance: Undecided => High
** Changed in: mercurial (Ubuntu Trusty)
Importance: Undecided => Critical
** Changed in: mercurial (Ubuntu Trusty)
Importance: Critical => High
** Changed in: mercurial (Ubuntu Xenial)
Importance: Undecided => High
** Changed in: mercurial (Ubuntu Artful)
Importance: Undecided => High
** Changed in: mercurial (Ubuntu Trusty)
Assignee: (unassigned) => Simon Quigley (tsimonq2)
** Changed in: mercurial (Ubuntu Xenial)
Assignee: (unassigned) => Simon Quigley (tsimonq2)
** Changed in: mercurial (Ubuntu Artful)
Assignee: (unassigned) => Simon Quigley (tsimonq2)
** Changed in: mercurial (Ubuntu Trusty)
Status: New => Won't Fix
** Changed in: mercurial (Ubuntu Xenial)
Status: New => Confirmed
** Changed in: mercurial (Ubuntu Artful)
Status: New => Confirmed
** Changed in: mercurial (Ubuntu Trusty)
Status: Won't Fix => Confirmed
** Changed in: mercurial (Ubuntu)
Status: New => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3068
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3069
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3105
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3630
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17458
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1000132
** Summary changed:
- Multiple mercurial CVEs have been announced
+ Multiple Mercurial CVEs have been announced
** Information type changed from Public to Public Security
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1759366
Title:
Multiple Mercurial CVEs have been announced
Status in mercurial package in Ubuntu:
Fix Released
Status in mercurial source package in Trusty:
Confirmed
Status in mercurial source package in Xenial:
Confirmed
Status in mercurial source package in Artful:
Confirmed
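Added triage helper, not part of this bug report and not Mercurial's own code: given the banner printed by `hg --version`, it reports which of the six CVEs listed in the description are not yet covered by the upstream fix versions the description names (3.7.3, 3.8, 4.4.1 and 4.5.1). The banner strings in the usage section are constructed samples. Caveat for the Trusty/Xenial/Artful packages tracked here: Ubuntu security updates backport fixes without bumping the upstream version, so for distro builds the package changelog and the USN, not this comparison, decide whether a CVE is fixed; the check below is only meaningful for upstream Mercurial builds.

```python
"""Report which Mercurial CVEs from bug 1759366 remain unfixed for an
upstream Mercurial version (added example; fixed versions are taken from
the bug description, not from any other source)."""
import re

# First fixed upstream release per CVE, as stated in the bug description:
# "before X" means X is the first fixed release; CVE-2018-1000132 is
# "4.5 and earlier", fixed in 4.5.1.
FIXED_IN = {
    "CVE-2016-3068": (3, 7, 3),
    "CVE-2016-3069": (3, 7, 3),
    "CVE-2016-3105": (3, 8),
    "CVE-2016-3630": (3, 7, 3),
    "CVE-2017-17458": (4, 4, 1),
    "CVE-2018-1000132": (4, 5, 1),
}

# Matches the "(version X.Y.Z)" part of the `hg --version` banner.
_BANNER_RE = re.compile(r"\(version ([0-9][0-9.]*)")
# Fallback for a bare version string such as "4.4" or "4.5.1+local".
_BARE_RE = re.compile(r"\s*([0-9][0-9.]*)")


def parse_hg_version(output: str) -> tuple:
    """Extract the numeric version tuple from `hg --version` output or a
    bare version string. Raises ValueError when nothing version-like is found."""
    m = _BANNER_RE.search(output) or _BARE_RE.match(output)
    if not m:
        raise ValueError("no Mercurial version found in: %r" % output)
    return tuple(int(part) for part in m.group(1).strip(".").split("."))


def _pad(version: tuple, length: int) -> tuple:
    # Treat missing trailing components as zero so that 3.8 == 3.8.0.
    return tuple(version) + (0,) * (length - len(version))


def version_lt(a: tuple, b: tuple) -> bool:
    """Numeric, component-wise comparison of two version tuples."""
    length = max(len(a), len(b))
    return _pad(a, length) < _pad(b, length)


def unfixed_cves(version) -> list:
    """Return the CVE ids from the bug whose first fixed release is newer
    than `version` (a banner string, a bare version string, or a tuple)."""
    if isinstance(version, str):
        version = parse_hg_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if version_lt(version, fixed))


if __name__ == "__main__":
    # Constructed sample banners, not captured output from a real host.
    for banner in ("Mercurial Distributed SCM (version 3.7.2)", "4.4", "4.5.1"):
        print(banner, "->", unfixed_cves(banner) or "none of the listed CVEs")
```

Feed it the real banner with `unfixed_cves(subprocess.check_output(["hg", "--version"], text=True))` on an upstream build; an empty list means every CVE in this bug has a fix in that release, which is the state the bug's "Fix Released" status on the Ubuntu development series reflects.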