Bug 1637556 (CVE-2018-17983) - CVE-2018-17983 mercurial: Out-of-bounds read in cext/manifest.c
Summary: CVE-2018-17983 mercurial: Out-of-bounds read in cext/manifest.c
Alias: CVE-2018-17983
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1637557 1637559
Blocks: 1637560
TreeView+ depends on / blocked
Reported: 2018-10-09 13:32 UTC by Andrej Nemec
Modified: 2020-04-21 10:31 UTC (History)
13 users (show)

Fixed In Version: mercurial 4.7.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-04-21 10:31:48 UTC

Attachments (Terms of Use)

Description Andrej Nemec 2018-10-09 13:32:52 UTC
cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry.

Upstream changelog:


Upstream patch:


Comment 1 Andrej Nemec 2018-10-09 13:33:40 UTC
Created mercurial tracking bugs for this issue:

Affects: fedora-all [bug 1637557]

Comment 3 Scott Gayou 2018-10-15 19:21:43 UTC
First off, this code is in a subsystem that does not appear to be in RHEL's 2.6.2. I did find a similar pattern and investigated it for applicability though:

Presumably, the AFL issue is triggered by generating a "correct" manifest file (hashes and potentially pyobject internals would need to match I believe) with a hash that is less than 40 characters, thus potentially triggering a read past the true bounds of the buffer:

hash = unhexlify(s + llen + 1, 40);

That code is not present in the RHEL 7 version. RHEL7 has a slightly similar pattern in the above mentioned line (inside parse_manifest):

node = unhexlify(zero + 1, nlen > 40 ? 40 : (int)nlen);

This does not appear to be vulnerable as the correct length of the manifest hash length is calculated, passed to unhexlify, and not assumed to be 40. Thus, it appears that RHEL* is not affected.

Comment 4 Product Security DevOps Team 2020-04-21 10:31:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.