Published: 13 April 2016
The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.
From the Ubuntu security team
It was discovered that Mercurial incorrectly handled delta decoding. An attacker could possibly use this issue to execute arbitrary code.
CVSS 3 base score: 8.8
- https://selenic.com/repo/hg-stable/rev/b6ed2505d6cf (1/2)
- https://selenic.com/repo/hg-stable/rev/b9714d958e89 (2/2)