[arch-security] [ASA-201605-10] mercurial: arbitrary code execution

Remi Gacogne rgacogne at archlinux.org
Fri May 6 21:56:08 UTC 2016


Arch Linux Security Advisory ASA-201605-10
==========================================

Severity: Critical
Date    : 2016-05-06
CVE-ID  : CVE-2016-3105
Package : mercurial
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package mercurial before version 3.8.1-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 3.8.1-1.

# pacman -Syu "mercurial>=3.8.1-1"

The problem has been fixed upstream in version 3.8.

Workaround
==========

None.

Description
===========

Mercurial prior to 3.8 allowed arbitrary code execution when using the
convert extension on Git repos with hostile names. This could affect
automated code conversion services that allow arbitrary repository
names. This is a further side-effect of Git CVE-2015-7545. Reported and
fixed by Blake Burkhart.
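
The name validation a conversion service can put in front of git, as an added Python example that is not Mercurial's code or its upstream fix: names pass an allow-list, resolve to an absolute path under a constructed BASE_DIR, follow a "--" marker in argv, and run with git's GIT_ALLOW_PROTOCOL restricted to local files.

```python
import os
import re
import subprocess

# Added example, not Mercurial's code: validate the "repository name" input of an
# automated git-to-hg conversion service before it reaches git, the scenario the
# advisory describes. Assumptions: sources live under BASE_DIR (a constructed
# path) and the installed git honours GIT_ALLOW_PROTOCOL, the documented variable
# git added with its own fix for CVE-2015-7545.

BASE_DIR = "/srv/conversions"

# Allow-list: first character alphanumeric (no "-option" or ".." forms), no ":"
# (no "helper::" remote-helper or "scheme://" URL forms), no "/" (no traversal).
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

def valid_repo_name(name):
    """True if name is a plain directory name that git cannot misparse."""
    return isinstance(name, str) and _NAME_RE.match(name) is not None

def safe_repo_path(name, base_dir=BASE_DIR):
    """Resolve a validated name to an absolute path directly under base_dir.
    Raises ValueError if the name fails the allow-list or would escape base_dir
    (for example through a symlink). The result starts with "/", so git reads
    it as a local path, never as a URL."""
    if not valid_repo_name(name):
        raise ValueError("rejected repository name: %r" % (name,))
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(path) != base:
        raise ValueError("repository name escapes %s: %r" % (base, name))
    return path

def git_argv(subcommand, options, path):
    """argv with an explicit '--' so the path can never be parsed as an option."""
    return ["git", subcommand] + list(options) + ["--", path]

def git_env():
    """Child environment: local repositories only, no remote helpers."""
    env = dict(os.environ)
    env["GIT_ALLOW_PROTOCOL"] = "file"
    return env

def list_refs(name, base_dir=BASE_DIR):
    """Run 'git ls-remote' on a named repository through the hardened path."""
    argv = git_argv("ls-remote", [], safe_repo_path(name, base_dir))
    proc = subprocess.run(argv, env=git_env(), check=True,
                          capture_output=True, text=True)
    return proc.stdout
```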

Impact
======

A remote attacker can execute arbitrary code on the affected host by
having a local user convert a crafted git repository.

References
==========

https://bugs.archlinux.org/task/49239
https://selenic.com/hg/rev/a56296f55a5e
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.8_.2F_3.8.1_.282016-5-1.29
https://access.redhat.com/security/cve/CVE-2016-3105
