It was reported that the Convert extension in Mercurial is vulnerable to command execution.
Incorrect handling of command line parameters allows passing a full Git remote URL via a directory name. The Git ext:: URL scheme can be used to obtain arbitrary command execution.
Furthermore, lack of escaping of shell metacharacters allows arbitrary command injection, which is another way of exploiting the vulnerable code.
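As an added illustration of the two defects described above (not Mercurial's code and not the upstream fix), the following Python shows how a caller can keep a user-supplied directory name from being read by git as a remote URL or by a shell as syntax: the name is rejected when it looks like a transport specification, anchored with "./", and handed to git as an argv list with no shell involved. The functions `local_repo_path`, `git_argv`, `is_safe_repo_name` and the sample names are constructed for this example.

```python
import re
import subprocess

# Git decides that an argument is a URL rather than a local path when a colon
# appears before the first slash: "scheme://host", scp-like "host:path" and
# transport helpers such as "ext::..." all match. A relative directory name
# must therefore never contain a colon ahead of its first slash (this also
# rejects Windows drive letters, which is intended for a relative name).
_URL_LIKE = re.compile(r"^[^/]+:")

# Characters that /bin/sh would interpret if the name were ever interpolated
# into a command string. Kept as defence in depth even though argv lists are
# used below, so a later refactor to a shell string cannot reopen the hole.
_SHELL_META = set(";&|`$<>(){}!\\\"'\n")


class UnsafeRepoName(ValueError):
    """Raised for a directory name that git or a shell could misinterpret."""


def local_repo_path(name: str) -> str:
    """Return a path git will treat as a plain local directory, or raise."""
    if not name or name.startswith("-"):
        raise UnsafeRepoName("empty or option-like name: %r" % name)
    if _URL_LIKE.match(name):
        raise UnsafeRepoName("name would be parsed as a remote URL: %r" % name)
    if _SHELL_META & set(name):
        raise UnsafeRepoName("shell metacharacters in name: %r" % name)
    # The "./" prefix puts a slash before any colon, so even a name that
    # slips past the checks above is parsed by git as a local path.
    return "./" + name


def is_safe_repo_name(name: str) -> bool:
    """Boolean wrapper around local_repo_path for callers and tests."""
    try:
        local_repo_path(name)
    except UnsafeRepoName:
        return False
    return True


def git_argv(subcmd: str, name: str) -> list:
    """Build argv for a git subcommand; '--' ends option parsing."""
    return ["git", subcmd, "--", local_repo_path(name)]


def run_git(subcmd: str, name: str) -> subprocess.CompletedProcess:
    # shell=False: the argv list reaches execve unchanged, so nothing in
    # `name` is ever interpreted by /bin/sh.
    return subprocess.run(git_argv(subcmd, name), shell=False,
                          check=True, capture_output=True)
```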
Name: Blake Burkhart
*** Bug 1322267 has been marked as a duplicate of this bug. ***
Created mercurial tracking bugs for this issue:
Affects: fedora-all [bug 1323600]
This flaw is triggered by a malicious Git repository name when such a repository is converted to a Mercurial repository.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:0706 https://rhn.redhat.com/errata/RHSA-2016-0706.html