Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2017-17458

In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.

Related bugs and status

CVE-2017-17458 (Candidate) is related to these bugs:

Bug #1759366: Multiple Mercurial CVEs have been announced

		In	Importance	Status
1759366	Multiple Mercurial CVEs have been announced	mercurial (Ubuntu)	High	Fix Released
1759366	Multiple Mercurial CVEs have been announced	mercurial (Ubuntu Xenial)	High	Confirmed
1759366	Multiple Mercurial CVEs have been announced	mercurial (Ubuntu Trusty)	High	Confirmed

See the

CVE page on Mitre.org for more details.

References

MISC: https://bz.mercurial-s...
MISC: https://www.mercurial-...
MISC: https://www.mercurial-...
CONFIRM: https://confluence.atl...
MLIST: [debian-lts-announce] ...
BID: 102926
MLIST: [debian-lts-announce] ...
MLIST: [debian-lts-announce] ...
MLIST: [debian-lts-announce] ...