CVE-2010-4237
https://notcve.org/view.php?id=CVE-2010-4237
Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates, which allows remote attackers who acquire a certificate signed by a Certificate Authority to perform a man-in-the-middle attack.
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598841
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4237
• https://bz.mercurial-scm.org/show_bug.cgi?id=2407
• https://security-tracker.debian.org/tracker/CVE-2010-4237
• CWE-295: Improper Certificate Validation
CVE-2019-3902
https://notcve.org/view.php?id=CVE-2019-3902
A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3902
• https://lists.debian.org/debian-lts-announce/2019/04/msg00024.html
• https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
• https://usn.ubuntu.com/4086-1
• https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-59: Improper Link Resolution Before File Access ('Link Following')
CVE-2018-17983
https://notcve.org/view.php?id=CVE-2018-17983
cext/manifest.c in Mercurial before 4.7.2 has an out-of-bounds read during parsing of a malformed manifest entry.
• https://www.mercurial-scm.org/repo/hg/rev/5405cb1a7901
• https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.7.2_.282018-10-01.29
• CWE-125: Out-of-bounds Read
CVE-2018-13346 – mercurial: Missing check for fragment start position in mpatch.c:mpatch_apply()
https://notcve.org/view.php?id=CVE-2018-13346
The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004.
• https://access.redhat.com/errata/RHSA-2019:2276
• https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
• https://www.mercurial-scm.org/repo/hg/rev/faa924469635
• https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29
• https://access.redhat.com/security/cve/CVE-2018-13346
• https://bugzilla.redhat.com/show_bug.cgi?id=1594090
• CWE-20: Improper Input Validation
• CWE-125: Out-of-bounds Read
CVE-2018-13347 – mercurial: Buffer underflow in mpatch.c:mpatch_apply()
https://notcve.org/view.php?id=CVE-2018-13347
mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.
• https://access.redhat.com/errata/RHSA-2019:2276
• https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html
• https://www.mercurial-scm.org/repo/hg-committed/log?rev=modifies%28%22mercurial%2Fmpatch.c%22%29+and+4.5%3A%3A
• https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c
• https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29
• https://access.redhat.com/security/cve/CVE-2018-13347
• https://bugzilla.redhat.com/show_bug.cgi?id=1594087
• CWE-190: Integer Overflow or Wraparound
• CWE-787: Out-of-bounds Write