csaf_suse - suse-su-2018:1998-1

suse-su-2018:1998-1

Vulnerability from csaf_suse

Published

2018-07-19 07:57

Modified

2018-07-19 07:57

Summary

Security update for mercurial

Notes

Title of the patch

Security update for mercurial

Description of the patch

This update for mercurial fixes the following issues: Security issues fixed: - CVE-2018-13346: Fix mpatch_apply function in mpatch.c that incorrectly proceeds in cases where the fragment start is past the end of the original data (bsc#1100354). - CVE-2018-13347: Fix mpatch.c that mishandles integer addition and subtraction (bsc#1100355). - CVE-2018-13348: Fix the mpatch_decode function in mpatch.c that mishandles certain situations where there should be at least 12 bytes remaining after thecurrent position in the patch data (bsc#1100353).

Patchnames

SUSE-SLE-Module-Development-Tools-15-2018-1355

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for mercurial",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for mercurial fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2018-13346: Fix mpatch_apply function in mpatch.c that incorrectly proceeds in cases where the fragment start is past the end of the original data (bsc#1100354).\n- CVE-2018-13347: Fix mpatch.c that mishandles integer addition and subtraction (bsc#1100355).\n- CVE-2018-13348: Fix the mpatch_decode function in mpatch.c that mishandles certain situations where there should be at least 12 bytes remaining after thecurrent position in the patch data (bsc#1100353).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLE-Module-Development-Tools-15-2018-1355",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_1998-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2018:1998-1",
        "url": "https://www.suse.com/support/update/announcement/2018/suse-su-20181998-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2018:1998-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2018-July/004292.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1100353",
        "url": "https://bugzilla.suse.com/1100353"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1100354",
        "url": "https://bugzilla.suse.com/1100354"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1100355",
        "url": "https://bugzilla.suse.com/1100355"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-13346 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-13346/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-13347 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-13347/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-13348 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-13348/"
      }
    ],
    "title": "Security update for mercurial",
    "tracking": {
      "current_release_date": "2018-07-19T07:57:38Z",
      "generator": {
        "date": "2018-07-19T07:57:38Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2018:1998-1",
      "initial_release_date": "2018-07-19T07:57:38Z",
      "revision_history": [
        {
          "date": "2018-07-19T07:57:38Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mercurial-4.5.2-3.3.1.aarch64",
                "product": {
                  "name": "mercurial-4.5.2-3.3.1.aarch64",
                  "product_id": "mercurial-4.5.2-3.3.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mercurial-4.5.2-3.3.1.ppc64le",
                "product": {
                  "name": "mercurial-4.5.2-3.3.1.ppc64le",
                  "product_id": "mercurial-4.5.2-3.3.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mercurial-4.5.2-3.3.1.s390x",
                "product": {
                  "name": "mercurial-4.5.2-3.3.1.s390x",
                  "product_id": "mercurial-4.5.2-3.3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mercurial-4.5.2-3.3.1.x86_64",
                "product": {
                  "name": "mercurial-4.5.2-3.3.1.x86_64",
                  "product_id": "mercurial-4.5.2-3.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Development Tools 15",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Development Tools 15",
                  "product_id": "SUSE Linux Enterprise Module for Development Tools 15",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-development-tools:15"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mercurial-4.5.2-3.3.1.aarch64 as component of SUSE Linux Enterprise Module for Development Tools 15",
          "product_id": "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64"
        },
        "product_reference": "mercurial-4.5.2-3.3.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mercurial-4.5.2-3.3.1.ppc64le as component of SUSE Linux Enterprise Module for Development Tools 15",
          "product_id": "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le"
        },
        "product_reference": "mercurial-4.5.2-3.3.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mercurial-4.5.2-3.3.1.s390x as component of SUSE Linux Enterprise Module for Development Tools 15",
          "product_id": "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x"
        },
        "product_reference": "mercurial-4.5.2-3.3.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mercurial-4.5.2-3.3.1.x86_64 as component of SUSE Linux Enterprise Module for Development Tools 15",
          "product_id": "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
        },
        "product_reference": "mercurial-4.5.2-3.3.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-13346",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-13346"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-13346",
          "url": "https://www.suse.com/security/cve/CVE-2018-13346"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1100354 for CVE-2018-13346",
          "url": "https://bugzilla.suse.com/1100354"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2018-07-19T07:57:38Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-13346"
    },
    {
      "cve": "CVE-2018-13347",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-13347"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-13347",
          "url": "https://www.suse.com/security/cve/CVE-2018-13347"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1100355 for CVE-2018-13347",
          "url": "https://bugzilla.suse.com/1100355"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2018-07-19T07:57:38Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-13347"
    },
    {
      "cve": "CVE-2018-13348",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-13348"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
          "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-13348",
          "url": "https://www.suse.com/security/cve/CVE-2018-13348"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1100353 for CVE-2018-13348",
          "url": "https://bugzilla.suse.com/1100353"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.aarch64",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.ppc64le",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.s390x",
            "SUSE Linux Enterprise Module for Development Tools 15:mercurial-4.5.2-3.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2018-07-19T07:57:38Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-13348"
    }
  ]
}

CVE-2018-13347 (GCVE-0-2018-13347)

Vulnerability from cvelistv5

Published

2018-07-06 00:00

Modified

2024-08-05 09:00

Severity ?

CWE

Summary

mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.

References

►

URL

Tags

	https://www.mercurial-scm.org/repo/hg-committed/log?rev=modifies%28%22mercurial%2Fmpatch.c%22%29+and+4.5%3A%3A	x_refsource_MISC
	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29	x_refsource_MISC
	https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c	x_refsource_MISC
	https://access.redhat.com/errata/RHSA-2019:2276	vendor-advisory, x_refsource_REDHAT
	https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:00:34.953Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.mercurial-scm.org/repo/hg-committed/log?rev=modifies%28%22mercurial%2Fmpatch.c%22%29+and+4.5%3A%3A"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c"
          },
          {
            "name": "RHSA-2019:2276",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2276"
          },
          {
            "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-07-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-31T12:06:08",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.mercurial-scm.org/repo/hg-committed/log?rev=modifies%28%22mercurial%2Fmpatch.c%22%29+and+4.5%3A%3A"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c"
        },
        {
          "name": "RHSA-2019:2276",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2276"
        },
        {
          "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-13347",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.mercurial-scm.org/repo/hg-committed/log?rev=modifies%28%22mercurial%2Fmpatch.c%22%29+and+4.5%3A%3A",
              "refsource": "MISC",
              "url": "https://www.mercurial-scm.org/repo/hg-committed/log?rev=modifies%28%22mercurial%2Fmpatch.c%22%29+and+4.5%3A%3A"
            },
            {
              "name": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29",
              "refsource": "MISC",
              "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
            },
            {
              "name": "https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c",
              "refsource": "MISC",
              "url": "https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c"
            },
            {
              "name": "RHSA-2019:2276",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2276"
            },
            {
              "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-13347",
    "datePublished": "2018-07-06T00:00:00",
    "dateReserved": "2018-07-05T00:00:00",
    "dateUpdated": "2024-08-05T09:00:34.953Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-13348 (GCVE-0-2018-13348)

Vulnerability from cvelistv5

Published

2018-07-06 00:00

Modified

2024-08-05 09:00

Severity ?

CWE

Summary

The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.

References

►

URL

Tags

	https://www.mercurial-scm.org/repo/hg/rev/90a274965de7	x_refsource_MISC
	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29	x_refsource_MISC
	https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:00:35.140Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.mercurial-scm.org/repo/hg/rev/90a274965de7"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
          },
          {
            "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-07-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-31T12:06:06",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.mercurial-scm.org/repo/hg/rev/90a274965de7"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
        },
        {
          "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-13348",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.mercurial-scm.org/repo/hg/rev/90a274965de7",
              "refsource": "MISC",
              "url": "https://www.mercurial-scm.org/repo/hg/rev/90a274965de7"
            },
            {
              "name": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29",
              "refsource": "MISC",
              "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
            },
            {
              "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-13348",
    "datePublished": "2018-07-06T00:00:00",
    "dateReserved": "2018-07-05T00:00:00",
    "dateUpdated": "2024-08-05T09:00:35.140Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-13346 (GCVE-0-2018-13346)

Vulnerability from cvelistv5

Published

2018-07-06 00:00

Modified

2024-08-05 09:00

Severity ?

CWE

Summary

The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004.

References

►

URL

Tags

	https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29	x_refsource_MISC
	https://www.mercurial-scm.org/repo/hg/rev/faa924469635	x_refsource_MISC
	https://access.redhat.com/errata/RHSA-2019:2276	vendor-advisory, x_refsource_REDHAT
	https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:00:35.026Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.mercurial-scm.org/repo/hg/rev/faa924469635"
          },
          {
            "name": "RHSA-2019:2276",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2276"
          },
          {
            "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-07-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-31T12:06:07",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.mercurial-scm.org/repo/hg/rev/faa924469635"
        },
        {
          "name": "RHSA-2019:2276",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2276"
        },
        {
          "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-13346",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29",
              "refsource": "MISC",
              "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29"
            },
            {
              "name": "https://www.mercurial-scm.org/repo/hg/rev/faa924469635",
              "refsource": "MISC",
              "url": "https://www.mercurial-scm.org/repo/hg/rev/faa924469635"
            },
            {
              "name": "RHSA-2019:2276",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2276"
            },
            {
              "name": "[debian-lts-announce] 20200731 [SECURITY] [DLA 2293-1] mercurial security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-13346",
    "datePublished": "2018-07-06T00:00:00",
    "dateReserved": "2018-07-05T00:00:00",
    "dateUpdated": "2024-08-05T09:00:35.026Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

suse-su-2018:1998-1

Vulnerability from csaf_suse

CVE-2018-13347 (GCVE-0-2018-13347)

Vulnerability from cvelistv5

CVE-2018-13348 (GCVE-0-2018-13348)

Vulnerability from cvelistv5

CVE-2018-13346 (GCVE-0-2018-13346)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature