cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry. Upstream changelog: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.7.2_.282018-10-01.29 Upstream patch: https://www.mercurial-scm.org/repo/hg/rev/5405cb1a7901
Created mercurial tracking bugs for this issue: Affects: fedora-all [bug 1637557]
First off, this code is in a subsystem that does not appear to be in RHEL's 2.6.2. I did find a similar pattern and investigated it for applicability though: Presumably, the AFL issue is triggered by generating a "correct" manifest file (hashes and potentially pyobject internals would need to match I believe) with a hash that is less than 40 characters, thus potentially triggering a read past the true bounds of the buffer: ```c hash = unhexlify(s + llen + 1, 40); ``` That code is not present in the RHEL 7 version. RHEL7 has a slightly similar pattern in the above mentioned line (inside parse_manifest): ```c node = unhexlify(zero + 1, nlen > 40 ? 40 : (int)nlen); ``` This does not appear to be vulnerable as the correct length of the manifest hash length is calculated, passed to unhexlify, and not assumed to be 40. Thus, it appears that RHEL* is not affected.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-17983