Upstream information

CVE-2016-3630 at MITRE

Description

The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.

Both ends of an exchange are exposed, because the decoder runs on whichever side receives the deltas: a client that clones or pulls from a hostile server, and a server that accepts a push from a hostile client. Upstream fixed this in Mercurial 3.7.3; the SUSE packages listed below carry the fix as a backport, so their version numbers stay below 3.7.3 and an installed system must be checked against the per-product fixed version, not against the upstream release number.

SUSE information

CVSS v2 Scores (National Vulnerability Database)
  Base Score               6.8
  Vector                   AV:N/AC:M/Au:N/C:P/I:P/A:P
  Access Vector            Network
  Access Complexity        Medium
  Authentication           None
  Confidentiality Impact   Partial
  Integrity Impact         Partial
  Availability Impact      Partial

CVSS v3 Scores (National Vulnerability Database)
  Base Score               8.8
  Vector                   AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  Attack Vector            Network
  Attack Complexity        Low
  Privileges Required      None
  User Interaction         Required
  Scope                    Unchanged
  Confidentiality Impact   High
  Integrity Impact         High
  Availability Impact      High
SUSE Bugzilla entry: 973175 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

SUSE Linux Enterprise Software Development Kit 11 SP4
  • mercurial >= 2.3.2-0.11.1
  Patchname: sdksp4-mercurial-12505

SUSE Linux Enterprise Software Development Kit 12
  • mercurial >= 2.8.2-6.1
  Patchname: SUSE-SLE-SDK-12-2016-596

SUSE Linux Enterprise Software Development Kit 12 SP1
  • mercurial >= 2.8.2-6.1
  Patchname: SUSE-SLE-SDK-12-SP1-2016-596

SUSE Linux Enterprise Software Development Kit 12 SP2
  • mercurial >= 2.8.2-9.1
  Patchname: SUSE Linux Enterprise Software Development Kit 12 SP2 GA mercurial

openSUSE 13.2
  • mercurial >= 3.1.2-7.1
  • mercurial-debuginfo >= 3.1.2-7.1
  • mercurial-debugsource >= 3.1.2-7.1
  • mercurial-lang >= 3.1.2-7.1
  Patchname: openSUSE-2016-452

openSUSE Leap 42.1
  • mercurial >= 3.5.1-3.1
  • mercurial-debuginfo >= 3.5.1-3.1
  • mercurial-debugsource >= 3.5.1-3.1
  • mercurial-lang >= 3.5.1-3.1
  Patchname: openSUSE-2016-467

openSUSE Leap 42.2
  • mercurial >= 3.8.3-1.15
  • mercurial-lang >= 3.8.3-1.15
  Patchname: openSUSE Leap 42.2 GA mercurial

openSUSE Tumbleweed
  • mercurial >= 4.0-1.1
  • mercurial-lang >= 4.0-1.1
  Patchname: openSUSE Tumbleweed GA mercurial
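Because the fixed versions above are backports with product-specific release numbers, "is mercurial >= 3.7.3" is the wrong question on a SUSE host. The script below is an added example, not SUSE or Mercurial code: it compares an installed VERSION-RELEASE string against the fixed version for the product. The comparison is a deliberately simplified rpmvercmp (every run of non-digits is a separator, each segment is compared as an integer), which is an assumption that holds for the purely numeric versions on this page but not for versions with epochs or alphabetic parts. The product keys in `fixed_version` and the sample installed version are constructed for the example; the commented `rpm -q` call is the real query you would use on a live system.

```shell
#!/bin/sh
# Added example, not SUSE or Mercurial code: decide whether an installed
# mercurial package is at or above the fixed VERSION-RELEASE for its product.
# Simplified rpmvercmp (assumption: purely numeric versions, no epoch or
# alphabetic segments, which is all this advisory lists).

# vercmp A B -> prints -1, 0 or 1 as A is older than, equal to, or newer than B.
vercmp() {
    a=$(printf '%s' "$1" | sed 's/[^0-9][^0-9]*/./g')
    b=$(printf '%s' "$2" | sed 's/[^0-9][^0-9]*/./g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}          # head segment of each string
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}            # a missing segment counts as 0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# is_fixed INSTALLED FIXED -> exit status 0 when INSTALLED >= FIXED.
is_fixed() {
    [ "$(vercmp "$1" "$2")" -ge 0 ]
}

# Fixed mercurial versions from the table above, keyed by a short product
# name chosen for this example (the keys are not SUSE identifiers).
fixed_version() {
    case $1 in
        SLE-SDK-11-SP4)            printf '%s\n' 2.3.2-0.11.1 ;;
        SLE-SDK-12|SLE-SDK-12-SP1) printf '%s\n' 2.8.2-6.1 ;;
        SLE-SDK-12-SP2)            printf '%s\n' 2.8.2-9.1 ;;
        openSUSE-13.2)             printf '%s\n' 3.1.2-7.1 ;;
        Leap-42.1)                 printf '%s\n' 3.5.1-3.1 ;;
        Leap-42.2)                 printf '%s\n' 3.8.3-1.15 ;;
        Tumbleweed)                printf '%s\n' 4.0-1.1 ;;
        *) return 1 ;;
    esac
}

# check_host PRODUCT INSTALLED -> prints "patched" or "VULNERABLE".
check_host() {
    fixed=$(fixed_version "$1") || { echo "unknown product: $1" >&2; return 2; }
    if is_fixed "$2" "$fixed"; then echo patched; else echo VULNERABLE; fi
}

# On a real SUSE host, obtain the installed string with rpm (assumes rpm
# is available; not run here):
#   check_host Leap-42.1 "$(rpm -q --qf '%{VERSION}-%{RELEASE}' mercurial)"
# Constructed sample: a Leap 42.1 host one package release behind the fix.
check_host Leap-42.1 3.5.1-2.1
```

The version comparison stops at the first differing segment, so 3.5.1-2.1 on Leap 42.1 is reported VULNERABLE while 3.5.1-3.1 and anything newer is reported patched; a version with the release part missing compares as older than the fixed release, which is the conservative answer for a patch check.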