CVE-2017-17458

Published: 07 December 2017

In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.

From the Ubuntu security team

It was discovered that Mercurial incorrectly handled malformed repositories. An attacker could possibly use this issue to execute arbitrary code.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
mercurial
Launchpad, Ubuntu, Debian
Upstream
Released (4.4.1-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable

Ubuntu 16.04 LTS (Xenial Xerus)
Released (3.7.3-1ubuntu1.1)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (2.8.2-1ubuntu1.4)