CVE-2018-13348
Publication date 6 July 2018
Last updated 25 August 2025
Ubuntu priority
Description
The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not, aka OVE-20180430-0001.
From the Ubuntu Security Team
It was discovered that Mercurial incorrectly handled certain patch data. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| mercurial | ||
| 18.04 LTS bionic |
Fixed 4.5.3-1ubuntu2.1
|
|
| 16.04 LTS xenial |
Fixed 3.7.3-1ubuntu1.1
|
|
| 14.04 LTS trusty |
Fixed 2.8.2-1ubuntu1.4
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |