Bug 18124

(In reply to David Walser from comment #0)
> I don't have any more info about these issues or if they affect 3.1.1.

I'll check with Debian, but for now, Debian did nothing for 3.1.2
https://security-tracker.debian.org/tracker/source-package/mercurial

(In reply to Philippe Makowski from comment #1)
> (In reply to David Walser from comment #0)
> > I don't have any more info about these issues or if they affect 3.1.1.
> 
> I'll check with Debian, but for now, Debian did nothing for 3.1.2
> https://security-tracker.debian.org/tracker/source-package/mercurial

seems that OpenSuse have the patches :
https://build.opensuse.org/request/show/384129

(In reply to Philippe Makowski from comment #1)
> (In reply to David Walser from comment #0)
> > I don't have any more info about these issues or if they affect 3.1.1.
> 
> I'll check with Debian, but for now, Debian did nothing for 3.1.2
> https://security-tracker.debian.org/tracker/source-package/mercurial

Debian has now patched 3.1.2:
https://www.debian.org/security/2016/dsa-3542
https://lists.debian.org/debian-security-announce/2016/msg00116.html

packages.debian.org and sources.debian.net haven't been updated yet though :-/

Several vulnerabilities have been discovered in Mercurial, a distributed
version control system. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2016-3068

    Blake Burkhart discovered that Mercurial allows URLs for Git
    subrepositories that could result in arbitrary code execution on
    clone.

CVE-2016-3069

    Blake Burkhart discovered that Mercurial allows arbitrary code
    execution when converting Git repositories with specially
    crafted names.

CVE-2016-3630

    It was discovered that Mercurial does not properly perform bounds-
    checking in its binary delta decoder, which may be exploitable for
    remote code execution via clone, push or pull.


Updated packages :
mercurial-3.1.1-5.1.mga5.i586
mercurial-3.1.1-5.1.mga5.x86_64

from :
mercurial-3.1.1-5.1.mga5.src

Refs :
https://bugs.mageia.org/show_bug.cgi?id=18124
https://www.debian.org/security/2016/dsa-3542
https://lists.debian.org/debian-security-announce/2016/msg00116.html
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.527508
http://lwn.net/Vulnerabilities/682389/

Assignee: makowski.mageia => security

Thanks Philippe!

Advisory:
========================

Updated mercurial packages fix security vulnerabilities:

Blake Burkhart discovered that Mercurial allows URLs for Git subrepositories
that could result in arbitrary code execution on clone (CVE-2016-3068).

Blake Burkhart discovered that Mercurial allows arbitrary code execution when
converting Git repositories with specially crafted names (CVE-2016-3069).

It was discovered that Mercurial does not properly perform bounds-checking in
its binary delta decoder, which may be exploitable for remote code execution
via clone, push or pull (CVE-2016-3630).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3068
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3630
https://www.debian.org/security/2016/dsa-3542

CC: (none) => makowski.mageia
Version: Cauldron => 5
Assignee: security => qa-bugs

MGA5-32 on Acer D620 Xfce
No installation issues.
Tested as per bug 15590 Comment 4 , all works well.

CC: (none) => herman.viaene
Whiteboard: (none) => has_procedure MGA5-32-OK

Well done Herman.

Validating. Advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OK
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0138.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED