#21401 closed enhancement (fixed)
mercurial-7.0.1
| Reported by: | Bruce Dubbs | Owned by: | Bruce Dubbs |
|---|---|---|---|
| Priority: | elevated | Milestone: | 12.4 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
New point version.
Change History (4)
comment:1 by , 13 days ago
| Owner: | changed from | to |
|---|---|---|
| Status: | new → assigned | |
comment:2 by , 13 days ago
comment:3 by , 13 days ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at commits:

- eb1816ea64 Update to mercurial-7.0.1.
- 4de65a15ce Update to soundtouch-2.4.0.
comment:4 by , 13 days ago
| Priority: | normal → elevated |
|---|---|
Bruce asked me to look into this, so I've done some research on it.
The version that Mercurial used to bundle was python-zstandard-0.13.0, which bundled zstd-1.4.4 from 2019.
In zstd-1.4.10, CVE-2022-4899 was fixed: a high-severity vulnerability that presents a trivial buffer overrun.
The description from upstream: "A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun." It is marked at 7.5 High.
CVE-2021-24032 was also fixed here, which was rated as Low by Red Hat but has the description of "A flaw was found in zstd. While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled)."
Mercurial 7.0.1
This upgrade is long overdue and fixes a security vulnerability transitive from zstd itself.