It was reported that in mercurial, there is a similar vulnerability to CVE-2015-7545 in git. Git's git-remote-ext remote helper provides an ext:: URL scheme that allows running arbitrary shell commands. Mercurial allows specifying git repositories as subrepositories. Git ext:: URLs can be specified as Mercurial subrepositories, allowing arbitrary shell commands to be run on `hg clone ...`.
Acknowledgments: Name: Blake Burkhart
*** Bug 1322266 has been marked as a duplicate of this bug. ***
External references:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29

Upstream fix:
https://selenic.com/repo/hg-stable/rev/34d43cb85de8
Created mercurial tracking bugs for this issue:

Affects: fedora-all [bug 1323599]
Support for git subrepos was introduced upstream in mercurial version 1.8:
https://www.mercurial-scm.org/wiki/WhatsNew/Archive#Mercurial_1.8_.282011-03-01.29

Therefore, mercurial packages in Red Hat Enterprise Linux 6 based on upstream version 1.4 were not affected by this issue.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2016:0706 https://rhn.redhat.com/errata/RHSA-2016-0706.html
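
An added example, not part of the original bug report or of Mercurial's code: a simplified Python check that reads `.hgsub` content and lists git subrepositories whose source uses git's `<helper>::` remote-helper form, which includes the `ext::` URLs described in the report. The sample file, host names and function names are constructed for illustration, and the line parser is a simplification of Mercurial's own.

```python
import re

# Subrepo sources in .hgsub look like "path = [kind]source"; a missing
# [kind] prefix means a Mercurial subrepo. (Simplified parser, an assumption.)
KIND_RE = re.compile(r"^\[(\w+)\](.*)$")
# git treats "<helper>::<address>" as an explicit remote-helper invocation;
# "ext::" is the helper named in the report.
HELPER_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9+.-]*)::")


def parse_hgsub(text):
    """Yield (lineno, path, kind, source) for each subrepo entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        path, source = (part.strip() for part in line.split("=", 1))
        kind = "hg"
        match = KIND_RE.match(source)
        if match:
            kind, source = match.group(1), match.group(2).strip()
        yield lineno, path, kind, source


def risky_git_subrepos(text):
    """Return (lineno, path, helper) for git subrepos using a helper URL."""
    findings = []
    for lineno, path, kind, source in parse_hgsub(text):
        if kind != "git":
            continue
        match = HELPER_RE.match(source)
        if match:
            findings.append((lineno, path, match.group(1)))
    return findings


# Constructed sample .hgsub content; the ext:: payload is a placeholder.
SAMPLE_HGSUB = """\
# constructed sample
docs = https://hg.example.org/docs
vendor/lib = [git]https://git.example.org/lib.git
vendor/tool = [git]ext::PLACEHOLDER-COMMAND
assets = [svn]https://svn.example.org/assets
"""

if __name__ == "__main__":
    for lineno, path, helper in risky_git_subrepos(SAMPLE_HGSUB):
        print(f".hgsub:{lineno}: git subrepo {path!r} uses helper {helper!r}")
```

Running this over a repository's `.hgsub` before updating a working copy shows which entries would hand a command string to git on an unpatched Mercurial.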