A vulnerability in Mercurial's handling of subrepositories was reported on the Mercurial Project's *public* bug tracker. It results in arbitrary code execution during `hg clone`, or `hg pull` followed by `hg update`, when a crafted repository is cloned or pulled from. The vulnerability is known to occur with Git subrepositories, but it may also occur with other subrepository types. It likely affects Mercurial releases from the past several years.
External References: https://bz.mercurial-scm.org/show_bug.cgi?id=5730
Created mercurial tracking bugs for this issue: Affects: fedora-all [bug 1509869]
The fix consists of 2 distinct parts:
- prevents a Mercurial subrepository from traversing (via symlink) across another subrepository's mount point
- disables subrepositories by default (Git and Subversion subrepositories are off unless explicitly allowed)
Relevant patches:
- tests: show symlink traversal across subrepo mount point (SEC) https://www.mercurial-scm.org/repo/hg/rev/80d7dbda9294
- subrepo: disallow symlink traversal across subrepo mount point (SEC) https://www.mercurial-scm.org/repo/hg/rev/5e27afeddaee
- subrepo: add config option to reject any subrepo operations (SEC) https://www.mercurial-scm.org/repo/hg/rev/5e27afeddaee
- subrepo: extend config option to disable subrepos by type (SEC) https://www.mercurial-scm.org/repo/hg/rev/828cf35f1de6
- subrepo: disable git and svn subrepos by default (BC) (SEC) https://www.mercurial-scm.org/repo/hg/rev/846942fd6d15
Statement: This issue affects the versions of mercurial as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Mitigation: Disable subrepositories. Versions that carry the patches above (Mercurial 4.4.1 and later) provide the `subrepos.allowed` option, and per-type `subrepos.hg:allowed`, `subrepos.git:allowed` and `subrepos.svn:allowed`, in hgrc; setting `subrepos.allowed = false` makes every command that touches a subrepository fail. Unfixed versions have no such option: there, the code execution is triggered at update time, so avoid checking out untrusted revisions, e.g. clone with `hg clone -U` (no working-directory update) and inspect the revision's `.hgsub` before running `hg update`.
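The following hgrc fragment, added here as an example and not taken from the advisory or from the Mercurial project, shows the configuration a site would deploy to apply the mitigation. It uses the `[subrepos]` options introduced by the fix; the file location (`/etc/mercurial/hgrc`) is an assumption about where a site-wide policy is kept.

```ini
# Added example: site-wide Mercurial policy (e.g. /etc/mercurial/hgrc).
# Requires a Mercurial that includes the subrepo fix (4.4.1 and later);
# on unpatched versions these keys are ignored and give no protection.
#
# Weak (pre-fix) behaviour, for comparison: every subrepository type is
# honoured, so a crafted .hgsub can drive a Git or Subversion subrepo
# checkout during `hg update`. Unpatched versions have no knob for this.

[subrepos]
# Strict mitigation: refuse every subrepository operation, whatever the
# type. `hg update`, `hg clone` and `hg commit` abort when the revision
# references a subrepository instead of acting on it.
allowed = false

# Alternative, if Mercurial-type subrepositories are needed in-house:
# leave the master switch on and disable only the foreign types. Keep in
# mind that git:allowed and svn:allowed already default to false on fixed
# versions; stating them explicitly documents the decision.
#allowed = true
#hg:allowed = true
#git:allowed = false
#svn:allowed = false
```

Put the fragment in the system or user hgrc rather than in a repository's own `.hg/hgrc`, so that it applies to every clone on the host. `hg config subrepos` prints the effective values and confirms that a more specific file has not re-enabled anything.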