@bburky reported a remote code execution vulnerability in Mercurial that could be triggered during repository imports using GitHub Importer.

Git allows shell commands to be specified in ext URLs for remote repositories. For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command to try to connect to a remote repository. To protect users from accidentally trying to clone a malicious URL, Git submodule URLs were restricted to a safe set of protocols in Git v2.6.1.

However, Mercurial allows Git subrepositories and was not validating the protocol before attempting to clone them. This could have allowed an attacker to specify arbitrary shell commands to be run when cloning subrepositories in a Mercurial repository. This vulnerability has been assigned CVE-2016-3068 and was fixed in Mercurial 3.7.3.

GitHub Importer allows users to import repositories to GitHub from other version control systems, including Mercurial. By importing a Mercurial repository with malicious Git subrepository URLs, an attacker could have run arbitrary commands on GitHub servers.

We made several changes to mitigate this vulnerability. We disabled the remote-ext and remote-fd helpers in our build of Git. We also started setting the GIT_ALLOW_PROTOCOL environment variable in GitHub Importer to whitelist a safe set of protocols for Git to use. GitHub Importer also no longer fetches Mercurial subrepositories during imports.
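The protocol check that was missing from subrepository handling, as an added example (not Mercurial's or GitHub's own code): it resolves the transport Git would pick for a URL, where a remote-helper prefix such as ext:: or fd:: takes precedence over everything else, and then compares it against an assumed allowlist matching the safe set the text describes.

```python
"""Allowlist check for Git subrepository URLs, in the spirit of GIT_ALLOW_PROTOCOL."""
import re

# Assumed safe set: the transports a subrepository clone may use.
SAFE_PROTOCOLS = frozenset({"file", "git", "http", "https", "ssh"})

# Remote helper syntax: "<helper>::<anything>", e.g. "ext::..." or "fd::...".
_HELPER_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9+.-]*)::(.*)$", re.DOTALL)
# Ordinary URL scheme: "<scheme>://...".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")
# scp-like syntax: "[user@]host:path", which Git treats as ssh.
_SCP_RE = re.compile(r"^(?:[^@/:]+@)?[^/:]+:")


def git_url_protocol(url: str) -> str:
    """Return the transport name Git would select for `url`.

    Order matters: the remote-helper form wins over a scheme and over
    scp-like syntax, which is why an unvalidated URL can hand control to
    the ext (shell) or fd (file descriptor) helpers.
    """
    m = _HELPER_RE.match(url)
    if m:
        return m.group(1)          # helper name, e.g. "ext" or "fd"
    m = _SCHEME_RE.match(url)
    if m:
        return m.group(1).lower()  # e.g. "https", "git", "ssh", "file"
    if _SCP_RE.match(url):
        return "ssh"               # user@host:path
    return "file"                  # anything else is a local path


def is_allowed_subrepo_url(url: str, allowed=SAFE_PROTOCOLS) -> bool:
    """True only when the transport Git would use is on the allowlist."""
    return git_url_protocol(url) in allowed


if __name__ == "__main__":
    # Constructed sample URLs; the ext:: one is the form quoted in the advisory.
    for u in ["https://example.invalid/repo.git", "git@example.invalid:repo.git",
              "ext::sh -c whoami% >&2", "fd::17", "file:///tmp/repo", "../local"]:
        print(f"{'ALLOW' if is_allowed_subrepo_url(u) else 'REJECT':6} {u}")
```

A rejected URL should abort the clone before any transport is started; logging the helper name gives a useful detection signal for import services.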

This vulnerability cannot be triggered in GitHub Enterprise because GitHub Importer is not present. Mercurial users should protect themselves by updating to Mercurial 3.7.3.