mercurial@2.9.1 vulnerabilities

mercurial is a distributed SCM tool written in Python.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound. mpatch.c in Mercurial mishandles integer addition and subtraction.

Upgrade mercurial to version 4.6.1 or higher.

mercurial is a distributed SCM tool written in Python.

Affected versions of this package are vulnerable to Arbitrary Code Execution. It is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.

Upgrade mercurial to version 4.4.1 or higher.

mercurial is a distributed SCM tool written in Python.

Affected versions of this package are vulnerable to Improper Input Validation. Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand.

Upgrade mercurial to version 4.3 or higher.

mercurial is a distributed SCM tool written in Python.

Affected versions of this package are vulnerable to Access Restriction Bypass. Mercurial is vulnerable to a missing symlink check that can allow malicious repositories to modify files outside the repository.

Upgrade mercurial to version 4.3 or higher.

mercurial is a distributed SCM tool written in Python.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound. The mpatch_decode function in mpatch.c in Mercurial mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not.

Upgrade mercurial to version 4.6.1 or higher.

mercurial is a distributed SCM tool written in Python.

Affected versions of this package are vulnerable to Out-of-bounds Read. cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry.

Upgrade mercurial to version 4.7.2 or higher.

mercurial is a distributed SCM tool written in Python.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. It is possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside of a repository.

Upgrade mercurial to version 4.9 or higher.

mercurial Fast scalable distributed SCM (revision control, version control) system

Affected versions of this package are vulnerable to Arbitrary code Execution. The hg serve --stdio command allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger flag as a repository name.

Upgrade mercurial to version 4.1.3 or higher.

Mercurial is a distributed SCM tool.

Affected versions of this package are vulnerable to HTTP Permission Bypass, which may allow an attacker to perform writes on repositories that should be read-only, or reads on repositories that shouldn't allow read access.

Upgrade mercurial to version 4.5.2 or higher.

mercurial is a Fast scalable distributed SCM (revision control, version control) system The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name.

mercurial is a Fast scalable distributed SCM (revision control, version control) system Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository.

mercurial is a Fast scalable distributed SCM (revision control, version control) system Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository.

mercurial is a Fast scalable distributed SCM (revision control, version control) system mercurial has two bound-checking errors in binary delta decoding. Those errors allow malicious users to launch remote code execution attacks.