Mercurial clients sometimes connect to URLs supplied by the repository itself: the .hgsub file lists subrepositories together with the URL each one is fetched from. A maliciously constructed ssh:// URL in that file would cause the Mercurial client to run an arbitrary shell command. Such a URL could be supplied by a malicious server, by a malicious user committing to an honest server (to attack other users of that server's repositories), or by a proxy server between the client and the server. Because the subrepository URL, not the URL of the parent repository, selects the transport, the vulnerability affects all clients, including those that reach the parent repository over file://, http://, or ssh://.
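The following is an added example, not Mercurial's own code and not a reproduction of the fix shipped in 4.3/4.3.1. It illustrates the argument-injection class the description refers to and how a client can refuse such subrepository URLs before invoking ssh. Everything in it is constructed: the small ssh://[user@]host[:port]/path parser, the .hgsub sample, the host names, and the "hg -R ... serve --stdio" remote command it builds. It assumes the client passes the URL's host to the ssh binary as a command-line argument, so that a host or user@host token beginning with "-" would be read by ssh as an option rather than as the destination.

```python
"""Reject ssh:// subrepository URLs that could inject arguments into the ssh command line.

Added example, not Mercurial's code. The URL parser is a deliberately small
hand-rolled one (no IPv6 bracket handling) and does not mirror Mercurial's.
"""
import shlex


def parse_ssh_url(url):
    """Split ssh://[user@]host[:port]/path into parts (constructed parser)."""
    if not url.startswith("ssh://"):
        raise ValueError("not an ssh:// URL: %r" % url)
    rest = url[len("ssh://"):]
    authority, _, path = rest.partition("/")
    user = None
    if "@" in authority:
        user, authority = authority.rsplit("@", 1)
    port = None
    if ":" in authority:
        authority, port = authority.rsplit(":", 1)
    return {"user": user, "host": authority, "port": port, "path": path}


def ssh_url_problem(url):
    """Return why the URL is unsafe to hand to ssh, or None if it looks safe.

    ssh treats its first non-option argument as the destination; any earlier
    argument starting with '-' is an option. A user@host token that starts
    with '-' therefore becomes an ssh option instead of a destination.
    """
    p = parse_ssh_url(url)
    target = p["host"] if p["user"] is None else "%s@%s" % (p["user"], p["host"])
    if not p["host"]:
        return "empty host"
    if target.startswith("-"):
        return "ssh target %r begins with '-' and would be parsed as an ssh option" % target
    if p["port"] is not None and not p["port"].isdigit():
        return "port %r is not numeric" % p["port"]
    if not p["path"]:
        return "empty repository path"
    return None


def build_ssh_argv(url, remotecmd="hg"):
    """Build the local argv for talking to a remote Mercurial over ssh, refusing unsafe URLs.

    The port travels in its own -p option, '--' ends ssh option parsing (accepted
    by OpenSSH; assumed here), and the remote command line is shell-quoted because
    the remote sshd hands it to the login shell.
    """
    problem = ssh_url_problem(url)
    if problem:
        raise ValueError("refusing unsafe ssh URL %r: %s" % (url, problem))
    p = parse_ssh_url(url)
    argv = ["ssh"]
    if p["port"]:
        argv += ["-p", p["port"]]
    target = p["host"] if p["user"] is None else "%s@%s" % (p["user"], p["host"])
    remote = "%s -R %s serve --stdio" % (remotecmd, shlex.quote(p["path"]))
    argv += ["--", target, remote]
    return argv


def parse_hgsub(text):
    """Parse .hgsub lines of the form 'path = [kind]source' into (path, kind, source)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, sep, source = line.partition("=")
        if not sep:
            continue
        source = source.strip()
        kind = "hg"
        if source.startswith("["):
            kind, _, source = source[1:].partition("]")
            source = source.strip()
        entries.append((path.strip(), kind, source))
    return entries


def audit_hgsub(text):
    """Return (path, source, problem) for every ssh:// subrepo source that fails the check."""
    findings = []
    for path, kind, source in parse_hgsub(text):
        if source.startswith("ssh://"):
            problem = ssh_url_problem(source)
            if problem:
                findings.append((path, source, problem))
    return findings


# Constructed .hgsub for illustration; not taken from any real repository.
HGSUB_SAMPLE = """\
vendor/libfoo = ssh://hg.example.org/libfoo
tools/build = ssh://-notahost/tools
docs = https://hg.example.org/docs
"""

if __name__ == "__main__":
    for path, source, problem in audit_hgsub(HGSUB_SAMPLE):
        print("%s -> %s: %s" % (path, source, problem))
    print(build_ssh_argv("ssh://alice@hg.example.org:2222/libfoo"))
```

The explicit check is the portable part: it catches a hostile user@host token regardless of which ssh binary the client is configured to run, whereas the "--" separator only helps with an ssh that implements it. Running the audit over the sample flags the tools/build entry and leaves the other two alone.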
Acknowledgments: Name: the Subversion Team
External References: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29
Created mercurial tracking bugs for this issue: Affects: fedora-all [bug 1480455]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2489 https://access.redhat.com/errata/RHSA-2017:2489