A possible arbitrary code execution when converting Git repos was found in Mercirual. Mercurial prior to 3.8 allowed arbitrary code execution when using the convert extension on Git repos with hostile names. This could affect automated code conversion services that allow arbitrary repository names. This is a further side-effect of Git CVE-2015-7545.
Created mercurial tracking bugs for this issue:
Affects: fedora-all [bug 1332946]