Bug 23763 - mercurial new security issue CVE-2018-17983
Summary: mercurial new security issue CVE-2018-17983
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-26 19:21 CEST by David Walser
Modified: 2018-11-11 22:11 CET (History)

See Also:
Source RPM: mercurial-4.6.2-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-10-26 19:21:07 CEST
SUSE has issued an advisory on October 25:
http://lists.suse.com/pipermail/sle-security-updates/2018-October/004788.html

The issue is fixed upstream in 4.7.2.

Mageia 6 is also affected.
Comment 1 Marja Van Waes 2018-10-27 20:58:46 CEST
Assigning to the registered maintainer.

CC'ing Shlomi, who pushed mercurial several times, because I don't remember having seen Philippe since August 25.

I hope you're fine, Philippe!

Assignee: bugsquad => makowski.mageia
CC: (none) => marja11, shlomif

Comment 2 David Walser 2018-10-29 02:28:42 CET
openSUSE has issued an advisory for this on October 27:
https://lists.opensuse.org/opensuse-updates/2018-10/msg00212.html
Comment 3 Shlomi Fish 2018-10-29 14:14:25 CET
Submitted mercurial 4.7.2 to mga6 core/updates_testing.

Version: Cauldron => 6

Comment 4 David Walser 2018-10-30 12:03:15 CET
Advisory:
========================

Updated mercurial packages fix security vulnerability:

An out-of-bounds read during parsing of a malformed manifest entry
(CVE-2018-17983).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17983
https://lists.opensuse.org/opensuse-updates/2018-10/msg00212.html
========================

Updated packages in core/updates_testing:
========================
mercurial-4.7.2-1.mga6

from mercurial-4.7.2-1.mga6.src.rpm

Assignee: makowski.mageia => qa-bugs

Comment 5 PC LX 2018-11-03 12:53:34 CET
Installed and tested without issues.

Tests included init, clone, pull, push, status, commit, update, log, etc.
Tested on several repositories, remote and local.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q mercurial
mercurial-4.7.2-1.mga6

CC: (none) => mageia
Whiteboard: (none) => MGA6-64-OK

Comment 6 Herman Viaene 2018-11-08 11:06:39 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Made tests as per bug 22895 Comment 5 and Comment 7, all worked OK

CC: (none) => herman.viaene
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Comment 7 Thomas Andrews 2018-11-08 18:25:03 CET
Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Lewis Smith 2018-11-11 21:09:24 CET
Advisoried from comment 4.

Keywords: (none) => advisory
CC: (none) => lewyssmith

Comment 9 Mageia Robot 2018-11-11 22:11:04 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0442.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
