[arch-security] [ASA-201605-10] mercurial: arbitrary code execution
rgacogne at archlinux.org
Fri May 6 21:56:08 UTC 2016
Arch Linux Security Advisory ASA-201605-10
Date : 2016-05-06
CVE-ID : CVE-2016-3105
Package : mercurial
Type : arbitrary code execution
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package mercurial before version 3.8.1-1 is vulnerable to arbitrary
Upgrade to 3.8.1-1.
# pacman -Syu "mercurial>=3.8.1-1"
The problem has been fixed upstream in version 3.8.
Mercurial prior to 3.8 allowed arbitrary code execution when using the
convert extension on Git repos with hostile names. This could affect
automated code conversion services that allow arbitrary repository
names. This is a further side-effect of Git CVE-2015-7545. Reported and
fixed by Blake Burkhart.
A remote attacker can execute arbitrary code on the affected host by
having a local user convert a crafted Git repository.
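The description above leaves open what an automated conversion service should do with user-supplied repository names before passing them to git. The following is an added example, not Mercurial's or Arch's code: it accepts a name only on an allow-listed transport, rejects anything git could parse as an option or as a remote-helper URL, passes the name as a single argv element after `--` with no shell, and sets git's GIT_ALLOW_PROTOCOL variable so the child process cannot fall back to other transports. The scheme list, the character classes and the rejection of IPv6 literals are assumptions chosen for the example.

```python
import os
import re
import subprocess
from urllib.parse import urlsplit

# Transports the conversion service is willing to fetch over (assumed site policy).
ALLOWED_SCHEMES = ("https", "git", "ssh")
_USER_RE = re.compile(r"^[A-Za-z0-9_.]+$")
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")   # no IPv6 literals (assumption)
_PATH_RE = re.compile(r"^/[A-Za-z0-9._/-]*$")

def is_safe_repo_url(url: str) -> bool:
    """True only for a plain URL on an allow-listed transport."""
    if not url or len(url) > 2048 or any(c.isspace() for c in url):
        return False
    if url.startswith("-"):   # git would read this as an option
        return False
    if "::" in url:           # 'helper::addr' selects a git remote helper
        return False
    try:
        parts = urlsplit(url)
        parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or parts.password is not None:
        return False
    if parts.username is not None and not _USER_RE.match(parts.username):
        return False
    if not parts.hostname or not _HOST_RE.match(parts.hostname):
        return False
    if parts.query or parts.fragment or not _PATH_RE.match(parts.path):
        return False
    return True

def git_env(base=None) -> dict:
    """Child-process env; GIT_ALLOW_PROTOCOL restricts git's transports."""
    env = dict(os.environ if base is None else base)
    env.setdefault("GIT_ALLOW_PROTOCOL", ":".join(ALLOWED_SCHEMES))
    return env

def clone_args(url: str, dest: str) -> list:
    """argv for the clone; '--' ends option parsing before the URL."""
    if not is_safe_repo_url(url):
        raise ValueError("rejected repository URL")
    return ["git", "clone", "--", url, dest]

def clone(url: str, dest: str) -> None:
    """Run git as an argv list, no shell, under the restricted env."""
    subprocess.run(clone_args(url, dest), env=git_env(), check=True)
```

The same checks apply whatever tool is run afterwards (`hg convert` included): the name never reaches a shell, and git only speaks the transports the service chose.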