openSUSE has issued an advisory today (April 11):
https://lists.opensuse.org/opensuse-updates/2018-04/msg00021.html
The issue was fixed upstream in 4.5.2:
https://www.mercurial-scm.org/wiki/WhatsNew
Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 4.5.2
Mercurial 4.6.1, released on June 6, fixes three new security issues. 4.6.2 is the newest bugfix release.
SUSE has issued an advisory for this today (July 19):
http://lists.suse.com/pipermail/sle-security-updates/2018-July/004284.html
Summary: mercurial new security issue CVE-2018-1000132 => mercurial new security issues CVE-2018-1000132 and CVE-2018-1334[6-8]
Status comment: Fixed upstream in 4.5.2 => Fixed upstream in 4.6.1
openSUSE has issued an advisory for the new issues today (July 20):
https://lists.opensuse.org/opensuse-updates/2018-07/msg00057.html
Cauldron, 5 and 6 updated to mercurial-4.6.2-1
CC: (none) => makowski.mageia
Advisory to come later. Package list below.

mercurial-4.6.2-1.mga5
mercurial-4.6.2-1.mga6

from SRPMS:
mercurial-4.6.2-1.mga5.src.rpm
mercurial-4.6.2-1.mga6.src.rpm
Whiteboard: MGA6TOO => MGA5TOO
Version: Cauldron => 6
Assignee: python => qa-bugs
Mageia 6, x86_64
CVE-2018-1334{6,7,8}

Reading posts on the backtrail indicates that there are no known exploits yet and that the software is still being analysed.
The package updated cleanly.

Tutorial: https://www.mercurial-scm.org/wiki/QuickStart

$ hg version
Mercurial Distributed SCM (version 4.6.2)

Created project directory
$ mkdir qa/hg
$ cd qa/hg
$ hg init
$ ls -a .hg
./  ../  00changelog.i  requires  store/

Clone a public repository. This takes a few minutes.
$ hg clone http://selenic.com/hg mercurial-repo
real URL is https://www.mercurial-scm.org/repo/hg/
requesting all changes
adding changesets
adding manifests
adding file changes
added 39229 changesets with 73900 changes to 3096 files (+1 heads)
new changesets 9117c6561b0b:66f046116105
updating to bookmark @
1741 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ ls
00changelog.i  mercurial-repo/  requires  store/
$ cd mercurial-repo
$ ls
contrib/      COPYING  hgdemandimport/  hgext3rd/  Makefile    rust/
CONTRIBUTING  doc/     hgeditor*        hgweb.cgi* mercurial/  setup.py
CONTRIBUTORS  hg*      hgext/           i18n/      README.rst  tests/
$ du -hs
102M  .

mercurial-repo has its own .ignore file. Made a backup of that and overwrote the original with the .ignore file from the tutorial. Then:
$ hg sum
parent: 39228:66f046116105 tip
 cext: fix truncation warnings in revlog on Windows
branch: default
bookmarks: *@
commit: 1 modified
update: (current)
I guess that is OK.

$ hg add
Does not find any ignored files.

$ hg parents
changeset:   39228:66f046116105
bookmark:    @
tag:         tip
user:        Matt Harbison <matt_harbison@yahoo.com>
date:        Tue Aug 21 21:05:15 2018 -0400
summary:     cext: fix truncation warnings in revlog on Windows

$ hg help
Mercurial Distributed SCM

list of commands:
 add           add the specified files on the next commit
 addremove     add all new files, delete all missing files
[...]

Things start to get a bit complicated after that so leaving it there.
Further help at https://www.mercurial-scm.org/wiki/BeginnersGuides
Highly recommended for people who might want to use it as a development environment. The notion to hold on to is that mercurial lacks anything like a central repository - it is completely decentralized, which gives the user freedom to define the shape of their system.
As far as I can see the updated system works for 64-bit.
CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
Poked this a bit more. Created a valid repository on another machine on the LAN. Starting from ~/qa/hg on the user's machine:
$ hg init
$ hg clone ssh://lcl@vega/repo paddb
Password:
requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 93 changes to 93 files
new changesets 45acdf9785db
updating to branch default
93 files updated, 0 files merged, 0 files removed, 0 files unresolved
[lcl@difda hg]$ ls -a
./  ../  .hg/  paddb/
$ cd paddb
$ ls paddb
addresses      gui.rb*           paddb.current*  selectfont
addresses.bak  gui.rb~*          paddb.rb*       setup.rb*
addresses.rb   imagefactory.rb*  paddb.rb~*      setup-safe.rb*
[...]
$ cd paddb
$ purge
rm: cannot remove '*%': No such file or directory
rm: cannot remove '.*%': No such file or directory
rm: cannot remove '%*': No such file or directory
rm: cannot remove '.*%*': No such file or directory
rm: remove regular file 'gui.rb~'? y
rm: remove regular file 'newpatterns.rb~'? y
rm: remove regular file 'paddb.rb~'? y
rm: remove regular file 'paddbsetup.rb~'? y
rm: remove regular file 'postscript.rb~'? y
rm: cannot remove '.*~': No such file or directory
$ hg commit
nothing changed (5 missing files, see 'hg status')
That is consistent.
$ hg log
changeset:   0:45acdf9785db
tag:         tip
user:        Len Lawrence <email address>
date:        Mon Aug 27 16:06:43 2018 +0100
summary:     Initial version of paddb

The verbose version (-v) gives you a full list of the files in the repository and --debug supplies a little more.
MGA5-32 on Dell Latitude D600 Xfce
No installation issues overwriting a previous version.
At CLI:
$ hg config --edit
could edit username <emailaddress>
but
$ hg clone https://bitbucket.org/jthlim/pvrtccompressor
as per bug 22171 Comment 8, or
$ hg clone http://selenic.com/hg
as per Comment 5 above, both give ssl certificate verify failed.
David Walser (on private e-mail) told me to OK MGA-5 updates on clean install, so I don't intend to investigate this ssl issue.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-32-OK
MGA5-64 KDE4 on real hardware, Athlon X2 7750, 8GB RAM, nvidia340 graphics, Atheros wifi.
I did not have this package installed, so this was not an update, but an install. Package installed cleanly. I did not go farther than that, but because of what David Walser told Herman Viaene, I am giving this a MGA5 OK.
CC: (none) => andrewsfarm
Whiteboard: MGA5TOO MGA6-64-OK MGA5-32-OK => MGA5TOO MGA6-64-OK MGA5-32-OK MGA5-64-OK
Validating, on the basis of one MGA6 OK and two MGA5 OKs.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
advisory, added to svn:

type: security
subject: Updated mercurial packages fix security vulnerabilities
CVE:
 - CVE-2018-13346
 - CVE-2018-13347
 - CVE-2018-13348
 - CVE-2018-1000132
src:
  5:
   core:
     - mercurial-4.6.2-1.mga5
  6:
   core:
     - mercurial-4.6.2-1.mga5
description: |
  This update provides mercurial version 4.6.2 and fixes the following security issues:

  Fix the mpatch_apply function in mpatch.c that incorrectly proceeds in cases where the fragment start is past the end of the original data (CVE-2018-13346).

  Fix mpatch.c that mishandles integer addition and subtraction (CVE-2018-13347).

  Fix the mpatch_decode function in mpatch.c that mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data (CVE-2018-13348).

  Remote attackers may bypass HTTP server permissions via batch wire protocol commands (CVE-2018-1000132).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=22895
 - https://lists.opensuse.org/opensuse-updates/2018-04/msg00021.html
 - https://lists.opensuse.org/opensuse-updates/2018-07/msg00057.html
CC: (none) => tmb
Keywords: (none) => advisory
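The three mpatch.c issues in the advisory above come from trusting fragment headers before checking them against the sizes of the original data and of the patch itself. The checker below is an added example, not Mercurial's own mpatch.c: it assumes the mpatch fragment layout (a 12-byte header of big-endian start, end and len fields, then len data bytes) and shows the three checks a hardened decoder needs, one per CVE.

```c
/* Added example, not Mercurial's own mpatch.c: validate an mpatch-style binary
 * patch before applying it.  Assumed layout: each fragment is a 12-byte header
 * of three 32-bit big-endian fields (start, end, len) followed by len bytes
 * that replace original[start:end]; fragments must not overlap or go backwards. */
#include <stddef.h>
#include <stdint.h>

enum { MPATCH_OK, MPATCH_ERR_TRUNCATED, MPATCH_ERR_RANGE, MPATCH_ERR_OVERFLOW };

static size_t be32(const unsigned char *p) {
    return ((size_t)p[0] << 24) | ((size_t)p[1] << 16) | ((size_t)p[2] << 8) | p[3];
}

/* Walk every fragment without touching any data buffer.  On success,
 * *out_len receives the size of the patched result. */
int mpatch_check(const unsigned char *patch, size_t patch_len,
                 size_t orig_len, size_t *out_len) {
    size_t pos = 0, last = 0, result = 0;   /* last: end of the previous fragment */
    while (pos < patch_len) {
        /* a header needs 12 bytes after the current position (CVE-2018-13348 class) */
        if (patch_len - pos < 12)
            return MPATCH_ERR_TRUNCATED;
        size_t start = be32(patch + pos), end = be32(patch + pos + 4),
               len = be32(patch + pos + 8);
        pos += 12;
        /* fragment must lie inside the original, in order (CVE-2018-13346 class) */
        if (start > end || start < last || end > orig_len)
            return MPATCH_ERR_RANGE;
        /* the header may not claim more data than the patch holds */
        if (len > patch_len - pos)
            return MPATCH_ERR_TRUNCATED;
        /* unchanged prefix plus replacement; refuse any wrap (CVE-2018-13347 class) */
        size_t add = (start - last) + len;
        if (add < len || result > SIZE_MAX - add)
            return MPATCH_ERR_OVERFLOW;
        result += add;
        last = end;
        pos += len;
    }
    if (result > SIZE_MAX - (orig_len - last))
        return MPATCH_ERR_OVERFLOW;
    *out_len = result + (orig_len - last);
    return MPATCH_OK;
}
```

A decoder that runs this pass first can size its output buffer from *out_len and apply the fragments without any further bounds arithmetic.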
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0355.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED