Mercurial clients sometimes connect to URLs provided by the repository, as subrepositories, via the .hgsub file.
A maliciously constructed ssh:// URL would cause Mercurial clients to run an arbitrary shell command. Such a URL could be supplied by a malicious server, by a malicious user committing to an honest server (to attack other users of that server's repositories), or by a proxy server.
The vulnerability affects all clients regardless of the protocol used to reach the parent repository, including file://, http://, and ssh://, because the ssh:// URL comes from the .hgsub file rather than from the clone URL.
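A defender-side illustration of the exposure described above: a small auditor that parses the `.hgsub` file of a checkout and flags subrepository sources whose ssh:// components could be misread as command-line options when handed to the ssh binary. This is an added example and not Mercurial's own code or patch; the `.hgsub` line grammar it accepts, the allowed-scheme list, the leading-dash rule and the sample `.hgsub` content are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Schemes we are willing to let a subrepository pull from; "" covers
# plain relative paths such as "../docs". Assumed policy, not Mercurial's.
ALLOWED_SCHEMES = {"", "file", "http", "https", "ssh"}

# One .hgsub entry: "<path> = [<kind>]<source>", kind optional (hg/git/svn).
HGSUB_LINE = re.compile(
    r"^\s*(?P<path>[^=#]+?)\s*=\s*(?:\[(?P<kind>\w+)\])?(?P<src>\S+)\s*$"
)

# Constructed sample .hgsub; the hosts and paths are not real.
SAMPLE_HGSUB = """\
# constructed example .hgsub, not from any real repository
lib/good   = ssh://hg.example.org/lib/good
vendor/web = [git]https://example.org/vendor/web
docs       = ../docs
lib/bad    = ssh://-badhost/lib/bad
"""


def parse_hgsub(text):
    """Return a list of (path, kind, source) tuples; raise on malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = HGSUB_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed .hgsub entry: {line!r}")
        entries.append((m.group("path"), m.group("kind") or "hg", m.group("src")))
    return entries


def check_source(src):
    """Return a list of problems for one subrepository source ([] if acceptable)."""
    problems = []
    parts = urlsplit(src)
    if parts.scheme not in ALLOWED_SCHEMES:
        problems.append(f"scheme {parts.scheme!r} not allowed")
    if parts.scheme == "ssh":
        host = parts.hostname or ""
        user = parts.username or ""
        if not host:
            problems.append("ssh URL has no host")
        # Argument-injection guard (assumed rule): anything that ends up on the
        # ssh command line must not look like an option to ssh or to the remote
        # command, so reject components beginning with '-'.
        for label, value in (("host", host), ("user", user),
                             ("path", parts.path.lstrip("/"))):
            if value.startswith("-"):
                problems.append(f"ssh {label} {value!r} begins with '-'")
    return problems


def audit_hgsub(text):
    """Map each subrepository path to the list of problems found in its source."""
    return {path: check_source(src) for path, _kind, src in parse_hgsub(text)}


if __name__ == "__main__":
    for path, problems in audit_hgsub(SAMPLE_HGSUB).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{path}: {status}")
```

Run against a real checkout, the auditor would read `.hgsub` from the working directory; in practice the same check belongs in a pre-update hook on the server side as well, since the page notes that a malicious committer can plant the entry in an otherwise honest repository.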
Name: the Subversion Team
Created mercurial tracking bugs for this issue:
Affects: fedora-all [bug 1480455]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:2489 https://access.redhat.com/errata/RHSA-2017:2489