It was reported that the Convert extension in Mercurial is vulnerable to command execution.

Vulnerable code: https://selenic.com/hg/file/28575/hgext/convert/git.py#l346

Incorrect handling of command line parameters allows passing a full Git remote URL via a directory name. The Git ext:: URL scheme can be used to obtain arbitrary command execution. Furthermore, lack of escaping of shell metacharacters allows arbitrary command injection, which is another way of exploiting the vulnerable code.
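The two defects described above (a directory name that git parses as a remote URL, and raw interpolation into a shell command) can both be closed by validating the name and invoking git with an argv list. The following is an added example written for this record, not Mercurial's code or its upstream fix; the `ls-remote --tags` subcommand and all function names are assumptions.

```python
"""Added example (not Mercurial's code): turning a user-supplied repository
name into a git invocation that cannot be read as a remote URL or a shell
command. The ls-remote --tags subcommand and the function names are assumed."""
import os
import subprocess


def looks_like_remote_url(name):
    """True if git would treat name as a remote rather than a local directory.

    Git's own rule (ignoring Windows drive letters): a colon that appears
    before the first slash marks a URL, which covers 'scheme://host/...',
    transport helpers such as 'ext::...' and scp-style 'host:path'.
    """
    colon = name.find(':')
    slash = name.find('/')
    return colon != -1 and (slash == -1 or colon < slash)


def vulnerable_ls_remote_tags(name):
    """Shape of the flaw: the name is spliced into a string meant for a shell,
    so shell metacharacters are interpreted and a URL is accepted as-is."""
    return 'git ls-remote --tags "%s"' % name


def hardened_ls_remote_tags(name):
    """Return an argv list for the same operation with both defects removed.

    - Names that git would parse as a remote are rejected up front.
    - The path is made absolute, so it starts with '/' and can never be read
      as a scheme, an ext:: helper or a command-line option.
    - The result is an argv list: no shell is involved, so metacharacters in
      the name are passed to git literally and need no escaping.
    """
    if not name or looks_like_remote_url(name):
        raise ValueError('refusing non-local repository name: %r' % name)
    return ['git', 'ls-remote', '--tags', os.path.abspath(name)]


def run_git(argv):
    """Execute an argv list built above without a shell and return stdout."""
    return subprocess.run(argv, check=True, stdout=subprocess.PIPE).stdout


if __name__ == '__main__':
    # Constructed inputs: a plain directory and a remote-looking name.
    print(hardened_ls_remote_tags('repo.git'))
    try:
        hardened_ls_remote_tags('ext::dummy')
    except ValueError as e:
        print('rejected:', e)
```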
Acknowledgments: Name: Blake Burkhart
*** Bug 1322267 has been marked as a duplicate of this bug. ***
External references:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29

Upstream fixes:
https://selenic.com/repo/hg-stable/rev/197eed39e3d5
https://selenic.com/repo/hg-stable/rev/cdda7b96afff
https://selenic.com/repo/hg-stable/rev/b732e7f2aba4
https://selenic.com/repo/hg-stable/rev/80cac1de6aea
https://selenic.com/repo/hg-stable/rev/ae279d4a19e9
Created mercurial tracking bugs for this issue:

Affects: fedora-all [bug 1323600]
This flaw is triggered by a malicious git repository name, when such a repository is converted to a Mercurial repository.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2016:0706 https://rhn.redhat.com/errata/RHSA-2016-0706.html