MidnightBSD

Advisories for mercurial

CVE-2014-9390 HIGH

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
git-scm git *
eclipse jgit *
libgit2 libgit2 *
apple xcode *
mercurial mercurial *
apple xcode 6.2
eclipse egit *
CVE-2014-9462 HIGH

The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a crafted repository name in a clone command.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
opensuse opensuse 13.1
opensuse opensuse 13.2
mercurial mercurial *
CVE-2016-3068 MEDIUM

Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
opensuse leap 42.1
suse linux_enterprise_software_development_kit 11
suse linux_enterprise_software_development_kit 12
opensuse opensuse 13.2
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.2
fedoraproject fedora 23
suse linux_enterprise_debuginfo 11
redhat enterprise_linux_server_eus 7.2
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
fedoraproject fedora 22
mercurial mercurial *
debian debian_linux 7.0
redhat enterprise_linux_hpc_node_eus 7.2
redhat enterprise_linux_hpc_node 7.0
CVE-2016-3069 MEDIUM

Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
opensuse leap 42.1
suse linux_enterprise_software_development_kit 11
suse linux_enterprise_software_development_kit 12
opensuse opensuse 13.2
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.2
fedoraproject fedora 23
suse linux_enterprise_debuginfo 11
redhat enterprise_linux_server_eus 7.2
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
fedoraproject fedora 22
mercurial mercurial *
debian debian_linux 7.0
redhat enterprise_linux_hpc_node_eus 7.2
redhat enterprise_linux_hpc_node 7.0
CVE-2016-3105 MEDIUM

The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
debian debian_linux 8.0
mercurial mercurial *
CVE-2016-3630 MEDIUM

The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-19,

Products Affected

Vendor Product Version
suse linux_enterprise_debuginfo 11
opensuse leap 42.1
suse linux_enterprise_software_development_kit 11
debian debian_linux 8.0
suse linux_enterprise_software_development_kit 12
fedoraproject fedora 22
opensuse opensuse 13.2
mercurial mercurial *
debian debian_linux 7.0
fedoraproject fedora 23
CVE-2017-1000115 MEDIUM

Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can malicious repositories to modify files outside the repository

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-59,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_tus 7.6
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
mercurial mercurial *
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_tus 7.4
debian debian_linux 9.0
CVE-2017-1000116 HIGH

Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_tus 7.6
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
mercurial mercurial *
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_tus 7.4
debian debian_linux 9.0
CVE-2017-17458 HIGH

In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
debian debian_linux 8.0
mercurial mercurial *
debian debian_linux 7.0
CVE-2017-9462 HIGH

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-732,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server 6.0
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_tus 7.6
debian debian_linux 8.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server_eus 7.3
mercurial mercurial *
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_eus 7.6
debian debian_linux 9.0
CVE-2018-1000132 MEDIUM

Mercurial version 4.5 and earlier contains a Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-732,

Products Affected

Vendor Product Version
debian debian_linux 8.0
mercurial mercurial *
debian debian_linux 7.0
CVE-2018-13346 MEDIUM

The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mercurial mercurial *
CVE-2018-13347 HIGH

mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
mercurial mercurial *
CVE-2018-13348 MEDIUM

The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mercurial mercurial *
CVE-2018-17983 MEDIUM

cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
mercurial mercurial *
CVE-2019-3902 MEDIUM

A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,CWE-59,

Products Affected

Vendor Product Version
redhat enterprise_linux 7.0
debian debian_linux 8.0
mercurial mercurial *