Security update for mercurial SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:2023-1 Final 1 1 2018-07-19T19:38:32Z current 2018-07-19T19:38:32Z 2018-07-19T19:38:32Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for mercurial This update for mercurial fixes the following issues: Security issues fixed: - CVE-2018-13348: Fix the mpatch_decode function in mpatch.c that mishandles certain situations where there should be at least 12 bytes remaining after thecurrent position in the patch data (boo#1100353). - CVE-2018-13347: Fix mpatch.c that mishandles integer addition and subtraction (boo#1100355). - CVE-2018-13346: Fix the mpatch_apply function in mpatch.c that incorrectly proceeds in cases where the fragment start is past the end of the original data (boo#1100354). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2018-07/msg00030.html E-Mail link for openSUSE-SU-2018:2023-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 mercurial-4.2.3-15.1 mercurial-lang-4.2.3-15.1 mercurial-4.2.3-15.1 as a component of openSUSE Leap 42.3 mercurial-lang-4.2.3-15.1 as a component of openSUSE Leap 42.3 The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004. CVE-2018-13346 openSUSE Leap 42.3:mercurial-4.2.3-15.1 openSUSE Leap 42.3:mercurial-lang-4.2.3-15.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-07/msg00030.html https://www.suse.com/security/cve/CVE-2018-13346.html CVE-2018-13346 https://bugzilla.suse.com/1100354 SUSE Bug 1100354 mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002. CVE-2018-13347 openSUSE Leap 42.3:mercurial-4.2.3-15.1 openSUSE Leap 42.3:mercurial-lang-4.2.3-15.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-07/msg00030.html https://www.suse.com/security/cve/CVE-2018-13347.html CVE-2018-13347 https://bugzilla.suse.com/1100355 SUSE Bug 1100355 The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001. CVE-2018-13348 openSUSE Leap 42.3:mercurial-4.2.3-15.1 openSUSE Leap 42.3:mercurial-lang-4.2.3-15.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-07/msg00030.html https://www.suse.com/security/cve/CVE-2018-13348.html CVE-2018-13348 https://bugzilla.suse.com/1100353 SUSE Bug 1100353