Fluid Attacks Database

Description

Mercurial arbitrary code execution vulnerability The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	mercurial	>=0 <3.7.3	3.7.3
debian 12	mercurial	>=0 <3.7.3-1	3.7.3-1
debian 14	mercurial	>=0 <3.7.3-1	3.7.3-1
debian 11	mercurial	>=0 <3.7.3-1	3.7.3-1
debian 13	mercurial	>=0 <3.7.3-1	3.7.3-1

Aliases

1. CVE-2016-36302. NVD-2016-36303. OSV-2016-36304. OSV-DEBIAN-2016-36305. GCVE-2016-36306. security.gentoo.org7. SECURITY-TRACKER-CVE-2016-3630

References

1. https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2016-29.yaml2. https://selenic.com/repo/hg-stable/rev/b6ed2505d6cf3. https://selenic.com/repo/hg-stable/rev/b9714d958e894. https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.295. http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181505.html6. http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181542.html7. http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00016.html8. http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00017.html9. http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00018.html10. http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00043.html11. http://www.debian.org/security/2016/dsa-354212. http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.