Security releases for Git, Mercurial, and Subversion

Gregory Szorc gps at
Thu Aug 10 19:10:25 UTC 2017

Git, Mercurial, and Subversion just had a coordinated release to mitigate a
security vulnerability regarding the parsing of ssh:// URLs. Essentially,
well-crafted ssh:// URLs (e.g. in a subrepo, submodule, or svn:externals
references) could lead to local code execution. If you run a command like
`git clone --recurse-submodules` or `hg pull --update` and nefarious data
is received, you could be p0wned.

This is tracked in at least CVE-2017-1000116 and CVE-2017-1000117.

In addition, Mercurial issued a security fix for symlink handling that
could result in arbitrary filesystem write (attempts) for well-crafted
symlinks. This is CVE-2017-1000115.

You should upgrade your version control clients ASAP to eliminate exposure
to these bugs. Until you do, be extra cognizant where you pull from -
especially any operation related to subrepos/submodules.

As of today, is now configured to not allow subrepos and
symlinks on non-user repos. The main Firefox repos have been audited and no
"bad" data is present. So, the canonical Firefox repos cannot be used as a
delivery vehicle for these exploits. I anticipate popular hosting services
like GitHub and Bitbucket will take similar actions and make similar

Critical version control infrastructure like and Autoland
has been patched for several days courtesy of responsible early disclosure
of the vulnerabilities and fixes from the Mercurial Project.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the firefox-dev mailing list