[3.1] mercurial: arbitrary code execution when converting git repos (CVE-2016-3105)
A possible arbitrary code execution when converting Git repos was found in Mercurial.
Mercurial prior to 3.8 allowed arbitrary code execution when using the convert extension on Git repos with hostile names. This could affect automated code conversion services that allow arbitrary repository names. This is a further side-effect of Git CVE-2015-7545.
References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3105
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3105
fix:
https://selenic.com/hg/rev/a56296f55a5e
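The advisory points at automated conversion services that accept arbitrary repository names, so the practical defence on the service side (independent of upgrading to Mercurial 3.8) is to never hand an unvalidated name to a VCS command line. The following is an added example, not code from Mercurial or from this issue; the allow-list pattern, the function names and the 255-character limit are assumptions chosen for illustration. It applies a strict allow-list (a name must start with a letter or digit, so it can never be parsed as an option, and may contain no empty, `.` or `..` path components), then builds an argv list for `hg convert` without a shell:

```python
import re
import subprocess
from typing import List

# Assumed allow-list for repository names accepted by a conversion service:
# first character alphanumeric (never a leading dash), then a limited set of
# characters, at most 255 characters in total.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")


def is_safe_repo_name(name: str) -> bool:
    """Return True only if `name` may be passed to a VCS tool as an argument."""
    if not _SAFE_NAME.fullmatch(name):
        return False
    # Reject empty components (from "//" or a trailing "/") and "." / ".."
    # so the name cannot escape the service's repository directory.
    return all(part not in ("", ".", "..") for part in name.split("/"))


def build_convert_command(src: str, dest: str) -> List[str]:
    """Build the argv list for `hg convert`, refusing names that fail the allow-list.

    The list form avoids a shell entirely, and "--" ends Mercurial's own option
    parsing.  Note that "--" only protects hg's command line; it does nothing
    for tools the convert extension itself invokes, which is why the allow-list
    check above is the essential part.
    """
    for name in (src, dest):
        if not is_safe_repo_name(name):
            raise ValueError("rejected repository name: %r" % name)
    return ["hg", "convert", "--", src, dest]


def run_convert(src: str, dest: str) -> None:
    """Run the conversion with a validated argv list and no shell."""
    subprocess.run(build_convert_command(src, dest), check=True)


if __name__ == "__main__":
    # Constructed sample names (not from the advisory): one accepted, one refused.
    print(build_convert_command("team/project.git", "team/project-hg"))
    try:
        build_convert_command("-leading-dash", "out")
    except ValueError as exc:
        print("refused:", exc)
```

The check rejects the whole request rather than trying to sanitise the name; for a service that lets users pick names, refusing early is simpler to reason about than escaping for every downstream tool the conversion may call.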
(from redmine: issue id 5575, created on 2016-05-16, closed on 2016-06-21)
- Relations:
- parent #5572 (closed)