ArchLinux: 201605-10: mercurial: arbitrary code execution
Summary
Mercurial prior to 3.8 allowed arbitrary code execution when using the convert extension on Git repos with hostile names. This could affect automated code conversion services that allow arbitrary repository names. This is a further side-effect of Git CVE-2015-7545. Reported and fixed by Blake Burkhart.
Resolution
Upgrade to 3.8.1-1.
# pacman -Syu "mercurial>=3.8.1-1"
The problem has been fixed upstream in version 3.8.
References
https://bugs.archlinux.org/task/49239 https://repo.mercurial-scm.org/hg/rev/a56296f55a5e https://wiki.mercurial-scm.org/WhatsNew https://access.redhat.com/security/cve/CVE-2016-3105
Workaround
None.