Description
In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.
It was found that Mercurial was vulnerable to cross-repository modification. A specially crafted Mercurial repository could trigger arbitrary commands on a client during commands such as clone or update.
Report
This issue affects the versions of mercurial as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Mitigation
Disable sub-repositories
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | mercurial | Will not fix | | |
| Red Hat Enterprise Linux 7 | mercurial | Will not fix | | |
Additional information
Status:
6.3 Medium
CVSS3