CVE-2018-13348: Mercurial Improper Input Validation vulnerability

May 13, 2022 (updated September 25, 2024)

The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.

References

github.com/advisories/GHSA-3v62-ww8w-758m
github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-90.yaml
lists.debian.org/debian-lts-announce/2020/07/msg00032.html
nvd.nist.gov/vuln/detail/CVE-2018-13348
www.mercurial-scm.org/repo/hg/rev/90a274965de7
www.mercurial-scm.org/wiki/WhatsNew

Code Behaviors & Features

Detect and mitigate CVE-2018-13348 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →