Arch Linux: ASA-201605-10 Critical: Mercurial Arbitrary Code Execution

Arch Linux Security Advisory ASA-201605-10
==========================================
Severity: Critical
Date    : 2016-05-06
CVE-ID  : CVE-2016-3105
Package : mercurial
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
=======
The package mercurial before version 3.8.1-1 is vulnerable to arbitrary
code execution.

Resolution
==========
Upgrade to 3.8.1-1.

# pacman -Syu "mercurial>=3.8.1-1"

The problem has been fixed upstream in version 3.8.

Workaround
==========
None.

Description
===========
Mercurial prior to 3.8 allowed arbitrary code execution when using the
convert extension on Git repos with hostile names. This could affect
automated code conversion services that allow arbitrary repository
names. This is a further side-effect of Git CVE-2015-7545. Reported and
fixed by Blake Burkhart.
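The bug class behind this advisory is argument injection into a spawned `git` process: a repository name supplied by an untrusted party reaches the git command line (or selects a git remote helper) and is interpreted as something other than a plain location. The following is an added illustration, not code from the advisory, from Mercurial, or from the upstream fix, of how a service that converts user-named repositories can validate a source before handing it to git. The allow-list of transports and the sample inputs are constructed for the example; `GIT_ALLOW_PROTOCOL` is Git's own environment variable for restricting transports, introduced with the fix for CVE-2015-7545.

```python
import os
import re
import subprocess
from typing import Dict, List

# Constructed allow-list of Git transports a conversion service accepts.
# The "ext" remote helper is deliberately absent: it executes a command
# named in the URL, which is the mechanism behind Git CVE-2015-7545.
ALLOWED_SCHEMES = ("https", "ssh", "git", "file")

# Any "<helper>::" prefix selects a git remote helper (e.g. "ext::...").
_HELPER_RE = re.compile(r"^([A-Za-z0-9+.-]*)::")
# A conventional "<scheme>://" URL.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")


def validate_git_source(source: str) -> str:
    """Return `source` unchanged if it is safe to pass to git, else raise ValueError."""
    if not source or source != source.strip():
        raise ValueError("empty or whitespace-padded repository source")
    # A name starting with "-" would be parsed by git as an option, not a URL.
    if source.startswith("-"):
        raise ValueError("source looks like a command-line option: %r" % source)
    helper = _HELPER_RE.match(source)
    if helper:
        raise ValueError("remote-helper transport %r is not permitted" % helper.group(1))
    scheme = _SCHEME_RE.match(source)
    if scheme and scheme.group(1).lower() not in ALLOWED_SCHEMES:
        raise ValueError("transport %r is not in the allow-list" % scheme.group(1))
    # No scheme and no helper: a local path or scp-style "user@host:path", accepted.
    return source


def git_clone_command(source: str, dest: str) -> List[str]:
    """Build a clone command; "--" ends option parsing so neither path can become a flag."""
    return ["git", "clone", "--", validate_git_source(source), dest]


def git_env() -> Dict[str, str]:
    """Environment for the child process: restrict transports at the git level too."""
    env = dict(os.environ)
    env["GIT_ALLOW_PROTOCOL"] = ":".join(sorted(ALLOWED_SCHEMES))
    return env


def check_sources(sources: List[str]) -> Dict[str, str]:
    """Classify each candidate source as 'ok' or 'rejected' (used for the demo below)."""
    results = {}
    for src in sources:
        try:
            validate_git_source(src)
            results[src] = "ok"
        except ValueError:
            results[src] = "rejected"
    return results


def clone(source: str, dest: str) -> int:
    """Validate, then run git with a fixed argv and restricted transports."""
    return subprocess.run(git_clone_command(source, dest), env=git_env(), check=False).returncode


# Constructed sample repository names a conversion service might receive.
CONSTRUCTED_SAMPLES = [
    "https://example.invalid/project.git",   # ordinary URL: accepted
    "git@example.invalid:project.git",       # scp-style: accepted
    "ext::example",                          # remote helper: rejected
    "-oExample=1",                           # option-shaped name: rejected
    "gopher://example.invalid/project",      # unknown transport: rejected
]

if __name__ == "__main__":
    for name, verdict in check_sources(CONSTRUCTED_SAMPLES).items():
        print("%-40s %s" % (name, verdict))
```

The two controls are independent: the validator refuses names that change what git does, and the `--` separator plus `GIT_ALLOW_PROTOCOL` limit the damage if a name slips past it. A converter that builds its command line from a string with shell quoting instead of an argv list would lose both protections.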

Impact
======
A remote attacker can execute arbitrary code on the affected host by
having a local user convert a crafted git repository.

References
==========
https://bugs.archlinux.org/task/49239
https://repo.mercurial-scm.org/hg/rev/a56296f55a5e
https://wiki.mercurial-scm.org/WhatsNew
https://access.redhat.com/security/cve/CVE-2016-3105