CVE-2017-9462

Published: 06 June 2017

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

From the Ubuntu security team

It was discovered that Mercurial incorrectly handled repository names. An attacker could possibly use this issue to execute arbitrary code.

Priority

Medium

CVSS 3 base score: 8.8

Status

Package Release Status
mercurial
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable

Ubuntu 16.04 LTS (Xenial Xerus)
Released (3.7.3-1ubuntu1.1)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (2.8.2-1ubuntu1.4)
Patches:
Upstream: https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499