mercurial-2.6.2-10.el7

Mercurial is a fast, lightweight source control management system designed for efficient handling of very large distributed projects.

Security Fix(es):

* mercurial: Buffer underflow in mpatch.c:mpatch_apply() (CVE-2018-13347)

* mercurial: HTTP server permissions bypass (CVE-2018-1000132)

* mercurial: Missing check for fragment start position in mpatch.c:mpatch_apply() (CVE-2018-13346)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2018-1000132
Mercurial version 4.5 and earlier contains a Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.
CVE-2018-13346
The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004.
CVE-2018-13347
mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.