It was reported that in mercurial, there is similar vulnerability as CVE-2015-7545 in git. Git's git-remote-ext remote helper provides an ext:: URL scheme that allows running arbitrary shell commands. Mercurial allows specifying git repositories as subrepositories. Git ext:: URLs can be specified as Mercurial subrepositories allowing arbitrary shell commands to be run on `hg clone ...`.
Name: Blake Burkhart
*** Bug 1322266 has been marked as a duplicate of this bug. ***
Created mercurial tracking bugs for this issue:
Affects: fedora-all [bug 1323599]
Support for git subrepos was introduced upstream in mercurial version 1.8:
Therefore, mercurial packages in Red Hat Enterprise Linux 6 based on upstream version 1.4 were not affected by this issue.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:0706 https://rhn.redhat.com/errata/RHSA-2016-0706.html