Mercurial prior to 3.7.3 contained two bounds-checking errors in its binary delta decoder that may be exploitable via clone, push, or pull.
Created mercurial tracking bugs for this issue:
Affects: fedora-all [bug 1322268]
mercurial-3.5.2-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
mercurial-3.5.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
There are two problems in the decode() function, each addressed by one of the patches above:
- frag list array l may be allocated to a size that is 1 less than the number of items that will be written to it
- negative frag data length values are not handled correctly, leading to an incorrect update of the pointer to the parsed data buffer
Both of these issues lead to a buffer overflow.
These problems were introduced in this commit:
The mercurial versions in Red Hat Enterprise Linux 6 and 7 do not include that change and hence are not affected by this issue.
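A defensively written fragment decoder illustrating the two checks described in the comment above; this is an added example for this page, not Mercurial's own mpatch code. It assumes the fragment layout of three big-endian 32-bit integers (start, end, data length) followed by that many data bytes, sizes the fragment array to the true upper bound (len / 12), and treats the length as unsigned and checks it against the bytes actually remaining before the data pointer is advanced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One delta fragment: replace original bytes [start, end) with data[0..len). */
struct frag { uint32_t start, end, len; const unsigned char *data; };

static uint32_t getbe32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode a delta into *out (caller frees). Returns the fragment count,
 * or -1 if the delta is malformed. Every header and payload is verified
 * to lie inside [bin, bin + len) before it is recorded or skipped over. */
long decode_delta(const unsigned char *bin, size_t len, struct frag **out)
{
    /* Each fragment needs at least a 12-byte header, so len / 12 is a hard
     * upper bound on the fragment count; allocate exactly that, not one less. */
    size_t cap = len / 12;
    struct frag *l = cap ? calloc(cap, sizeof *l) : NULL;
    size_t n = 0, pos = 0;
    if (cap && !l) return -1;
    while (pos < len) {
        uint32_t start, end, flen;
        if (len - pos < 12) goto bad;           /* truncated header */
        start = getbe32(bin + pos);
        end   = getbe32(bin + pos + 4);
        flen  = getbe32(bin + pos + 8);
        pos += 12;
        /* flen is unsigned, so a "negative" length is just a huge one; it
         * is bounded by the remaining input instead of being trusted. */
        if (start > end || flen > len - pos) goto bad;
        if (n == cap) goto bad;                 /* never write past the array */
        l[n].start = start; l[n].end = end; l[n].len = flen;
        l[n].data = bin + pos;
        n++;
        pos += flen;                            /* only advanced after the check */
    }
    *out = l;
    return (long)n;
bad:
    free(l);
    *out = NULL;
    return -1;
}
```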