PT-2017-3011 · Mercurial+5

Published: 2017-08-17 · Updated: 2025-11-14 · CVE-2017-1000116

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Mercurial versions prior to 4.3
git-annex versions prior to 6.20170818

Description

The issue is caused by inadequate sanitization of hostnames passed to ssh, which makes shell-injection attacks possible. This could allow a remote attacker to execute arbitrary commands on the operating system. The vulnerability can be exploited by tricking the victim into adding a remote repository with a malicious SSH hostname, such as ssh://-eProxyCommand=evil/blah. The attacker could also use initremote with an SSH remote to embed the malicious URL in the git-annex branch.

Recommendations

For Mercurial versions prior to 4.3, update to version 4.3 or later to resolve the issue. For git-annex versions prior to 6.20170818, update to version 6.20170818 or later to resolve the issue. As a temporary workaround, consider restricting the use of SSH hostnames to trusted sources until a patch is available. Do not use SSH hostnames that start with a dash, to prevent arbitrary local code execution.
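
The workaround above can be checked mechanically. The following is an added example, not code from Mercurial or git-annex: it flags ssh:// remotes whose user or hostname starts with a dash, including percent-encoded forms. The function names and the sample configuration are constructed for illustration, and reading the [paths] section with Python's configparser is a simplifying assumption about the hgrc format.

```python
import configparser
from urllib.parse import unquote, urlsplit

def split_ssh_netloc(url):
    """Return (user, host) for an ssh:// URL, or None for other schemes."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ssh":
        return None
    netloc = unquote(parts.netloc)  # decode first: %2D becomes '-'
    userinfo, _, hostport = netloc.rpartition("@")
    user = userinfo.partition(":")[0]          # drop any password
    if hostport.startswith("["):               # bracketed IPv6 literal
        host = hostport[1:].partition("]")[0]
    else:
        host = hostport.partition(":")[0]      # drop the port
    return user, host

def unsafe_reason(url):
    """Return why an ssh URL must not reach the ssh command line, else None."""
    parsed = split_ssh_netloc(url)
    if parsed is None:
        return None
    user, host = parsed
    if not host:
        return "empty hostname"
    if host.startswith("-") or user.startswith("-"):
        return "user or hostname starts with '-' (ssh would read it as an option)"
    return None

def audit_paths(hgrc_text):
    """Map each unsafe [paths] entry name to the reason it was flagged."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep '%' literal
    cfg.read_string(hgrc_text)
    if not cfg.has_section("paths"):
        return {}
    checked = ((name, unsafe_reason(url)) for name, url in cfg.items("paths"))
    return {name: reason for name, reason in checked if reason}

# Constructed sample configuration; the third URL is the one quoted in the advisory.
SAMPLE_HGRC = """\
[paths]
default = ssh://hg@example.org/repo
mirror = https://example.org/repo
evil = ssh://-eProxyCommand=evil/blah
encoded = ssh://%2DeProxyCommand=evil/blah
"""

if __name__ == "__main__":
    for name, reason in audit_paths(SAMPLE_HGRC).items():
        print(f"{name}: {reason}")
```

A check like this is a stopgap for hosts that cannot be upgraded yet; the fixed versions listed above remain the actual remedy.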

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

ALT-PU-2018-2508
BDU:2017-02364
CESA-2017_2489
CVE-2017-1000116
DLA-1072-1
DLA-1495-1
DSA-3963-1
GHSA-3QMG-C9VC-R47J
HSEC-2023-0009
MGASA-2017-0282
MGASA-2017-0331
OPENSUSE-SU-2024:10586-1
PYSEC-2017-89
RHSA-2017:2489
RHSA-2017_2489
SUSE-SU-2017:2250-1
SUSE-SU-2017:2251-1

Affected Products

Alt Linux
CentOS
Mercurial
Red Hat
SUSE
git-annex