It was reported that Mercurial has a vulnerability similar to
CVE-2015-7545 in Git. Git's git-remote-ext remote helper provides an
ext:: URL scheme that allows running arbitrary shell commands. Mercurial
allows specifying Git repositories as subrepositories. Git ext:: URLs
can be specified as Mercurial subrepositories, allowing arbitrary shell
commands to be run on
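A defensive check for the subrepository issue described above, as an added example that is not Mercurial's own code: it parses the text of a .hgsub file and reports git subrepositories whose source uses a remote helper such as ext:: or any transport outside an allowlist. The allowlist, the function names and the sample file are assumptions constructed for illustration.

```python
import re

# Assumption for this example: transports a reviewer accepts for git subrepos.
ALLOWED_GIT_TRANSPORTS = {"https", "ssh", "git"}

# .hgsub line format: "path = [kind]source"; kind is "hg" when omitted.
HGSUB_LINE = re.compile(
    r"^\s*(?P<path>[^#=\s][^=]*?)\s*=\s*(?:\[(?P<kind>\w+)\])?(?P<src>.*?)\s*$"
)

def git_transport(source):
    """Classify how git would reach `source`."""
    # Remote-helper form "<helper>::<address>" (ext:: is git-remote-ext).
    # The trailing "::" is kept so a helper never matches the allowlist.
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9+.-]*)::", source)
    if m:
        return m.group(1).lower() + "::"
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*)://", source)
    if m:
        return m.group(1).lower()
    # scp-like "[user@]host:path" is ssh; anything else is a local path.
    return "ssh" if re.match(r"^[^/:]+:", source) else "file"

def audit_hgsub(text):
    """Return (line number, subrepo path, transport) for each rejected git subrepo."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HGSUB_LINE.match(line)
        if not m or (m.group("kind") or "hg") != "git":
            continue
        transport = git_transport(m.group("src"))
        if transport not in ALLOWED_GIT_TRANSPORTS:
            findings.append((lineno, m.group("path"), transport))
    return findings

# Constructed sample, not taken from a real repository.
SAMPLE_HGSUB = """\
# constructed sample
docs = https://example.com/hg/docs
vendor/lib = [git]https://example.com/lib.git
vendor/ssh = [git]git@example.com:org/lib.git
tools/helper = [git]ext::PLACEHOLDER-COMMAND %S
"""

if __name__ == "__main__":
    for lineno, path, transport in audit_hgsub(SAMPLE_HGSUB):
        print(f".hgsub:{lineno}: git subrepo {path!r} uses {transport}")
```

Running the same check over every revision of .hgsub, not only the tip, covers updates to older changesets.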
It was reported that the Convert extension in Mercurial is vulnerable to command execution. Incorrect handling of command-line parameters allows passing a full Git remote URL via a directory name. The Git ext:: URL scheme can be used to obtain arbitrary command execution. Furthermore, the lack of escaping of shell metacharacters allows arbitrary command injection, which is another way of exploiting the vulnerable code.
Two bounds-checking errors have been discovered in the binary delta decoder that may be exploitable via clone, push, or pull, leading to arbitrary code execution.