SB2019080615 - Red Hat update for mercurial

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2018-13346)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to boundary error when the mpatch_apply function in mpatch.c incorrectly proceeds in cases where the fragment start is past the end of the original data. A remote unauthenticated attacker can supply specially crafted input, trigger memory corruption and cause the service to crash.

2) Integer overflow (CVE-ID: CVE-2018-13347)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to integer overflow when the mpatch_decode function in mpatch.c mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not. A remote unauthenticated attacker can supply specially crafted input, trigger memory corruption and cause the service to crash.

3) Information disclosure (CVE-ID: CVE-2018-1000132)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper access control. A remote attacker can gain access to potentially sensitive information.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2019:2276