A possible arbitrary code execution when converting Git repos was found in Mercirual. Mercurial prior to 3.8 allowed arbitrary code execution when using the convert extension on Git repos with hostile names. This could affect automated code conversion services that allow arbitrary repository names. This is a further side-effect of Git CVE-2015-7545. External Reference: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.8_.2F_3.8.1_.282016-5-1.29 Upstream fix: https://selenic.com/hg/rev/a56296f55a5e
Created mercurial tracking bugs for this issue: Affects: fedora-all [bug 1332946]