Bug 23763

Summary: mercurial new security issue CVE-2018-17983
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, lewyssmith, mageia, marja11, shlomif, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK MGA6-32-OK
Source RPM: mercurial-4.6.2-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-10-26 19:21:07 CEST 
SUSE has issued an advisory on October 25:
http://lists.suse.com/pipermail/sle-security-updates/2018-October/004788.html

The issue is fixed upstream in 4.7.2.

Mageia 6 is also affected.
Comment 1 Marja Van Waes 2018-10-27 20:58:46 CEST 
Assigning to the registered maintainer.

CC'ing Shlomi, who pushed mercurial several times, because I don't remember having seen Philippe since August 25.

I hope you're fine, Philippe!

Assignee: bugsquad => makowski.mageia
CC: (none) => marja11, shlomif

Comment 2 David Walser 2018-10-29 02:28:42 CET 
openSUSE has issued an advisory for this on October 27:
https://lists.opensuse.org/opensuse-updates/2018-10/msg00212.html
Comment 3 Shlomi Fish 2018-10-29 14:14:25 CET 
Submitted mercurial 4.7.2 to mga6 core/updates_testing.

Version: Cauldron => 6

Comment 4 David Walser 2018-10-30 12:03:15 CET 
Advisory:
========================

Updated mercurial packages fix security vulnerability:

An out-of-bounds read during parsing of a malformed manifest entry
(CVE-2018-17983).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17983
https://lists.opensuse.org/opensuse-updates/2018-10/msg00212.html
========================

Updated packages in core/updates_testing:
========================
mercurial-4.7.2-1.mga6

from mercurial-4.7.2-1.mga6.src.rpm

Assignee: makowski.mageia => qa-bugs

Comment 5 PC LX 2018-11-03 12:53:34 CET 
Installed and tested without issues.

Tests included init, clone, pull, push, status, commit, update, log, etc.
Tested on a several repositories, remote and local.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q mercurial
mercurial-4.7.2-1.mga6

Whiteboard: (none) => MGA6-64-OK
CC: (none) => mageia

Comment 6 Herman Viaene 2018-11-08 11:06:39 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Made tests as per bug 22895 Comment 5 and Comment 7, all worked OK

CC: (none) => herman.viaene
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Comment 7 Thomas Andrews 2018-11-08 18:25:03 CET 
Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Lewis Smith 2018-11-11 21:09:24 CET 
Advisoried from comment4.

Keywords: (none) => advisory
CC: (none) => lewyssmith

Comment 9 Mageia Robot 2018-11-11 22:11:04 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0442.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED