A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.
Created mercurial tracking bugs for this issue:
Affects: fedora-all [bug 1696026]
This issue affects the versions of mercurial as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
List of patches:
Starting with version 1.5.3, Mercurial allows environment variable expansion on path names for subrepositories when creating them or cloning a parent repository, but it doesn't validate whether the final path name is outside the repository root directory.
An attacker can leverage this weakness using a combination of symbolic links and environment variables to craft a tampered repository, leading Mercurial to write files outside the repository as long as the destination location
This issue affects Mercurial version from 1.5.3 up to 4.8.2.
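The comment above describes a path check that normalises a subrepository path but never resolves symlinks, so a link inside the repository can point the final write target outside the root. The following is an added example (not Mercurial's own code) contrasting that kind of naive prefix check with one that expands variables first and then resolves the real path before comparing it against the resolved root. The fixture directory, the `escape` symlink, the function names and the `HG_DEMO_SUB` variable are all constructed for the demonstration.

```python
import os
import shutil
import tempfile


def naive_check(repo_root: str, subrepo_path: str) -> bool:
    """The kind of check symlinks defeat: it collapses '..' with normpath but
    never resolves links, so a path through a symlink still looks 'inside'."""
    root = os.path.abspath(repo_root)
    joined = os.path.normpath(os.path.join(root, os.path.expandvars(subrepo_path)))
    return joined.startswith(root + os.sep)


def resolve_subrepo_target(repo_root: str, subrepo_path: str) -> str:
    """Expand environment variables (as the page says Mercurial does for
    subrepo paths) and then resolve every symlink so the final location is known."""
    expanded = os.path.expandvars(subrepo_path)
    return os.path.realpath(os.path.join(repo_root, expanded))


def is_within_root(repo_root: str, target: str) -> bool:
    """True only if the fully resolved target lies inside the resolved root."""
    root = os.path.realpath(repo_root)
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:  # different drives or mixed absolute/relative paths
        return False


def hardened_check(repo_root: str, subrepo_path: str) -> bool:
    """Validate the *final* path, after expansion and symlink resolution."""
    return is_within_root(repo_root, resolve_subrepo_target(repo_root, subrepo_path))


def demo() -> dict:
    """Constructed fixture: a repo root containing a symlink 'escape' that
    points at a directory outside the root. Returns both checks' verdicts."""
    base = tempfile.mkdtemp(prefix="hg-demo-")
    try:
        repo = os.path.join(base, "repo")
        outside = os.path.join(base, "outside")
        os.makedirs(repo)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(repo, "escape"))
        os.environ["HG_DEMO_SUB"] = "escape/sub"  # constructed variable name
        return {
            "plain_inside": hardened_check(repo, "libs/vendored"),
            "dotdot": hardened_check(repo, "../outside/sub"),
            "symlink": hardened_check(repo, "escape/sub"),
            "envvar_symlink": hardened_check(repo, "$HG_DEMO_SUB"),
            # the naive check accepts the symlink path: this is the flaw class
            "naive_symlink": naive_check(repo, "escape/sub"),
            "naive_dotdot": naive_check(repo, "../outside/sub"),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} -> {'accepted' if verdict else 'rejected'}")
```

The naive check rejects the plain `../` case, which is why it can look adequate in testing, yet it accepts `escape/sub` because the symlink is only followed when the file is actually written. Resolving with `os.path.realpath` on both the candidate and the root (the root itself may live under a symlinked temp directory on some systems) makes the comparison reflect where the bytes will really land.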
Tower users already have restricted permissions via bubblewrap, which will mitigate this attack. Tower is not affected by this issue as bubblewrap is enabled by default.
Mercurial is not used in OpenShift Online, so OpenShift Online is not affected by this issue.