Candidate: CVE-2018-13348
PublicDate: 2018-07-06 00:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13348
 https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29
 https://www.mercurial-scm.org/repo/hg/rev/90a274965de7
Description:
 The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles
 certain situations where there should be at least 12 bytes remaining after
 the current position in the patch data, but actually are not, aka
 OVE-20180430-0001.
Ubuntu-Description:
 It was discovered that Mercurial incorrectly handled certain patch data.
 An attacker could possibly use this issue to cause a denial of service or
 other unspecified impact.
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901050
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]


Patches_mercurial:
upstream_mercurial: released (4.6.1-1)
precise/esm_mercurial: DNE
trusty_mercurial: released (2.8.2-1ubuntu1.4)
trusty/esm_mercurial: released (2.8.2-1ubuntu1.4)
xenial_mercurial: released (3.7.3-1ubuntu1.1)
artful_mercurial: ignored (reached end-of-life)
bionic_mercurial: released (4.5.3-1ubuntu2.1)
cosmic_mercurial: not-affected (4.6.1-1ubuntu1)
devel_mercurial: not-affected (4.6.1-1ubuntu1)