csaf_suse - suse-su-2018:1998-1

SUSE-SU-2018:1998-1

Vulnerability from csaf_suse - Published: 2018-07-19 07:57 - Updated: 2018-07-19 07:57

Summary

Security update for mercurial

Notes

Title of the patch

Security update for mercurial

Description of the patch

This update for mercurial fixes the following issues: Security issues fixed: - CVE-2018-13346: Fix mpatch_apply function in mpatch.c that incorrectly proceeds in cases where the fragment start is past the end of the original data (bsc#1100354). - CVE-2018-13347: Fix mpatch.c that mishandles integer addition and subtraction (bsc#1100355). - CVE-2018-13348: Fix the mpatch_decode function in mpatch.c that mishandles certain situations where there should be at least 12 bytes remaining after thecurrent position in the patch data (bsc#1100353).

Patchnames

SUSE-SLE-Module-Development-Tools-15-2018-1355

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for mercurial",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for mercurial fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2018-13346: Fix mpatch_apply function in mpatch.c that incorrectly proceeds in cases where the fragment start is past the end of the original data (bsc#1100354).\n- CVE-2018-13347: Fix mpatch.c that mishandles integer addition and subtraction (bsc#1100355).\n- CVE-2018-13348: Fix the mpatch_decode function in mpatch.c that mishandles certain situations where there should be at least 12 bytes remaining after thecurrent position in the patch data (bsc#1100353).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLE-Module-Development-Tools-15-2018-1355",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_1998-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2018:1998-1",
        "url": "https://www.suse.com/support/update/announcement/2018/suse-su-20181998-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2018:1998-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2018-July/004292.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1100353",
        "url": "https://bugzilla.suse.com/1100353"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1100354",
        "url": "https://bugzilla.suse.com/1100354"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1100355",
        "url": "https://bugzilla.suse.com/1100355"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-13346 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-13346/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-13347 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-13347/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-13348 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-13348/"
      }
    ],
    "title": "Security update for mercurial",
    "tracking": {
      "current_release_date": "2018-07-19T07:57:38Z",
      "generator": {
        "date": "2018-07-19T07:57:38Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2018:1998-1",
      "initial_release_date": "2018-07-19T07:57:38Z",
      "revision_history": [
        {
          "date": "2018-07-19T07:57:38Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mercurial-4.5.2-3.3.1.aarch64",
                "product": {
                  "name": "mercurial-4.5.2-3.3.1.aarch64",
                  "product_id": "mercurial-4.5.2-3.3.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mercurial-4.5.2-3.3.1.ppc64le",
                "product": {
                  "name": "mercurial-4.5.2-3.3.1.ppc64le",
                  "product_id": "mercurial-4.5.2-3.3.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mercurial-4.5.2-3.3.1.s390x",
                "product": {
                  "name": "mercurial-4.5.2-3.3.1.s390x",
                  "product_id": "mercurial-4.5.2-3.3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mercurial-4.5.2-3.3.1.x86_64",
                "product": {
                  "name": "mercurial-4.5.2-3.3.1.x86_64",
                  "product_id": "mercurial-4.5.2-3.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Development Tools 15",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Development Tools 15",
                  "product_id": "SUSE Linux Enterprise Module for Development Tools 15",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-development-tools:15"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mercurial-4.5.2-3.3.1.aarch64 as component of SUSE Linux Enterprise Module for Development Tools 15",
          "product_id": "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64"
        },
        "product_reference": "mercurial-4.5.2-3.3.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mercurial-4.5.2-3.3.1.ppc64le as component of SUSE Linux Enterprise Module for Development Tools 15",
          "product_id": "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le"
        },
        "product_reference": "mercurial-4.5.2-3.3.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mercurial-4.5.2-3.3.1.s390x as component of SUSE Linux Enterprise Module for Development Tools 15",
          "product_id": "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x"
        },
        "product_reference": "mercurial-4.5.2-3.3.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mercurial-4.5.2-3.3.1.x86_64 as component of SUSE Linux Enterprise Module for Development Tools 15",
          "product_id": "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
        },
        "product_reference": "mercurial-4.5.2-3.3.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-13346",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-13346"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-13346",
          "url": "https://www.suse.com/security/cve/CVE-2018-13346"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1100354 for CVE-2018-13346",
          "url": "https://bugzilla.suse.com/1100354"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2018-07-19T07:57:38Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-13346"
    },
    {
      "cve": "CVE-2018-13347",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-13347"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-13347",
          "url": "https://www.suse.com/security/cve/CVE-2018-13347"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1100355 for CVE-2018-13347",
          "url": "https://bugzilla.suse.com/1100355"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2018-07-19T07:57:38Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-13347"
    },
    {
      "cve": "CVE-2018-13348",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-13348"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-13348",
          "url": "https://www.suse.com/security/cve/CVE-2018-13348"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1100353 for CVE-2018-13348",
          "url": "https://bugzilla.suse.com/1100353"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2018-07-19T07:57:38Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-13348"
    }
  ]
}

CVE-2018-13346 (GCVE-0-2018-13346)

Vulnerability from cvelistv5 – Published: 2018-07-06 00:00 – Updated: 2024-08-05 09:00

Summary

The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://www.mercurial-scm.org/wiki/WhatsNew#Mercu…	x_refsource_MISC
	https://www.mercurial-scm.org/repo/hg/rev/faa924469635	x_refsource_MISC
	https://access.redhat.com/errata/RHSA-2019:2276	vendor-advisoryx_refsource_REDHAT
	https://lists.debian.org/debian-lts-announce/2020…	mailing-listx_refsource_MLIST

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:00:35.026Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.mercurial-scm.org/repo/hg/rev/faa924469635"
          },
          {
            "name": "RHSA-2019:2276",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2276"
          },
          {
            "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-07-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-31T12:06:07",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.mercurial-scm.org/repo/hg/rev/faa924469635"
        },
        {
          "name": "RHSA-2019:2276",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2276"
        },
        {
          "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-13346",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29",
              "refsource": "MISC",
              "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
            },
            {
              "name": "https://www.mercurial-scm.org/repo/hg/rev/faa924469635",
              "refsource": "MISC",
              "url": "https://www.mercurial-scm.org/repo/hg/rev/faa924469635"
            },
            {
              "name": "RHSA-2019:2276",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2276"
            },
            {
              "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-13346",
    "datePublished": "2018-07-06T00:00:00",
    "dateReserved": "2018-07-05T00:00:00",
    "dateUpdated": "2024-08-05T09:00:35.026Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-13348 (GCVE-0-2018-13348)

Vulnerability from cvelistv5 – Published: 2018-07-06 00:00 – Updated: 2024-08-05 09:00

Summary

The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://www.mercurial-scm.org/repo/hg/rev/90a274965de7	x_refsource_MISC
	https://www.mercurial-scm.org/wiki/WhatsNew#Mercu…	x_refsource_MISC
	https://lists.debian.org/debian-lts-announce/2020…	mailing-listx_refsource_MLIST

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:00:35.140Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.mercurial-scm.org/repo/hg/rev/90a274965de7"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
          },
          {
            "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-07-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-31T12:06:06",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.mercurial-scm.org/repo/hg/rev/90a274965de7"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
        },
        {
          "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-13348",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.mercurial-scm.org/repo/hg/rev/90a274965de7",
              "refsource": "MISC",
              "url": "https://www.mercurial-scm.org/repo/hg/rev/90a274965de7"
            },
            {
              "name": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29",
              "refsource": "MISC",
              "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
            },
            {
              "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-13348",
    "datePublished": "2018-07-06T00:00:00",
    "dateReserved": "2018-07-05T00:00:00",
    "dateUpdated": "2024-08-05T09:00:35.140Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-13347 (GCVE-0-2018-13347)

Vulnerability from cvelistv5 – Published: 2018-07-06 00:00 – Updated: 2024-08-05 09:00

Summary

mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://www.mercurial-scm.org/repo/hg-committed/l…	x_refsource_MISC
	https://www.mercurial-scm.org/wiki/WhatsNew#Mercu…	x_refsource_MISC
	https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c	x_refsource_MISC
	https://access.redhat.com/errata/RHSA-2019:2276	vendor-advisoryx_refsource_REDHAT
	https://lists.debian.org/debian-lts-announce/2020…	mailing-listx_refsource_MLIST

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:00:34.953Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.mercurial-scm.org/repo/hg-committed/log?rev=modifies%28%22mercurial%2Fmpatch.c%22%29+and+4.5%3A%3A"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c"
          },
          {
            "name": "RHSA-2019:2276",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2276"
          },
          {
            "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-07-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-31T12:06:08",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.mercurial-scm.org/repo/hg-committed/log?rev=modifies%28%22mercurial%2Fmpatch.c%22%29+and+4.5%3A%3A"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c"
        },
        {
          "name": "RHSA-2019:2276",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2276"
        },
        {
          "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-13347",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.mercurial-scm.org/repo/hg-committed/log?rev=modifies%28%22mercurial%2Fmpatch.c%22%29+and+4.5%3A%3A",
              "refsource": "MISC",
              "url": "https://www.mercurial-scm.org/repo/hg-committed/log?rev=modifies%28%22mercurial%2Fmpatch.c%22%29+and+4.5%3A%3A"
            },
            {
              "name": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29",
              "refsource": "MISC",
              "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
            },
            {
              "name": "https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c",
              "refsource": "MISC",
              "url": "https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c"
            },
            {
              "name": "RHSA-2019:2276",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2276"
            },
            {
              "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-13347",
    "datePublished": "2018-07-06T00:00:00",
    "dateReserved": "2018-07-05T00:00:00",
    "dateUpdated": "2024-08-05T09:00:34.953Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2018:1998-1

CVE-2018-13346 (GCVE-0-2018-13346)

CVE-2018-13348 (GCVE-0-2018-13348)

CVE-2018-13347 (GCVE-0-2018-13347)

Tags

Sightings

Nomenclature