From f9099deb8ed18935b993b90c769af3f55bfcbb00 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Thu, 7 Apr 2016 21:24:49 -0500
Subject: [PATCH] mercurial: 3.7.1 -> 3.7.3 for multiple CVEs

CVE-2016-3068 Blake Burkhart discovered that Mercurial allows URLs for Git subrepositories that could result in arbitrary code execution on clone.

CVE-2016-3069 Blake Burkhart discovered that Mercurial allows arbitrary code execution when converting Git repositories with specially crafted names.

CVE-2016-3630 It was discovered that Mercurial does not properly perform bounds-
checking in its binary delta decoder, which may be exploitable for remote code execution via clone, push or pull.
---
 pkgs/applications/version-management/mercurial/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/applications/version-management/mercurial/default.nix b/pkgs/applications/version-management/mercurial/default.nix
index b99727b2c9b6..f44baad4715b 100644
--- a/pkgs/applications/version-management/mercurial/default.nix
+++ b/pkgs/applications/version-management/mercurial/default.nix
@@ -3,7 +3,7 @@
 , ApplicationServices, cf-private }:
 
 let
-  version = "3.7.1";
+  version = "3.7.3";
   name = "mercurial-${version}";
 in
 
@@ -12,7 +12,7 @@ stdenv.mkDerivation {
 
   src = fetchurl {
     url = "http://mercurial.selenic.com/release/${name}.tar.gz";
-    sha256 = "1vfgqlb8z2k1vcx2nvcianxmml79cqqqncchw6aj40sa8hgpvlwn";
+    sha256 = "0c2vkad9piqkggyk8y310rf619qgdfcwswnk3nv21mg2fhnw96f0";
   };
 
   inherit python; # pass it so that the same version can be used in hg2git