Bug 1322089

Summary: CVE-2016-3630 mercurial remote code execution in binary delta decoding
Product: Fedora
Reporter: Sitsofe Wheeler <sitsofe>
Component: mercurial
Assignee: Neal Becker <ndbecker2>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 23
CC: mads, ndbecker2, pstodulk
Hardware: All   
OS: Linux   
Fixed In Version:
Doc Type: Bug Fix
Last Closed: 2016-04-04 12:44:53 UTC
Type: Bug

Description Sitsofe Wheeler 2016-03-29 19:02:38 UTC
Description of problem:
Fedora ships with Mercurial 3.5.1-1 but allegedly three CVEs are only fixed in 3.7.3.

Version-Release number of selected component (if applicable):
3.5.1-1

How reproducible:
Reproducible every time?

Steps to Reproduce:
1. Browse to the Mercurial release notes on https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29 .
2. Read about CVEs.
3. Wonder if the Mercurial in Fedora is susceptible to the CVEs.

Actual results:
Read the following:
CVE-2016-3630 Mercurial: remote code execution in binary delta decoding

Mercurial prior to 3.7.3 contained two bounds-checking errors in its binary delta decoder that may be exploitable via clone, push, or pull.

CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos

Mercurial prior to 3.7.3 allowed URLs for Git subrepos that could result in arbitrary code execution on clone. This is a further side-effect of Git CVE-2015-7545. Reported by Blake Burkhart.

CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos

Mercurial prior to 3.7.3 allowed arbitrary code execution when converting Git repos with hostile names. This could affect automated conversion services. Reported by Blake Burkhart.

Start panicking?

Expected results:
Calm because the problem doesn't affect Fedora or is scheduled to be fixed.

Additional info:
I can't find any reference to these CVEs anywhere other than the aforementioned wiki page. Perhaps it's a hoax? Information appears to be public so I'm not marking this bug as private.

Comment 1 Sitsofe Wheeler 2016-03-29 21:42:47 UTC
https://security-tracker.debian.org/tracker/CVE-2016-3068 seems to suggest this is real and https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1408582.html suggests it affects mercurial versions going back to 0.6...

Comment 2 Sitsofe Wheeler 2016-03-30 12:58:17 UTC
It looks like this might be better handled by #1322268 ...

Comment 3 Sitsofe Wheeler 2016-04-04 12:44:53 UTC
*** This bug has been marked as a duplicate of bug 1322268 ***