Mercurial: arbitrary command execution in mercurial repositories with a git submodule - CVE-2017-17458

The embedded version of Mercurial used in Sourcetree for macOS was vulnerable to CVE-2017-17458. An attacker can exploit this issue if they can commit to a Mercurial repository linked in Sourcetree for macOS by adding a git subrepository specifying arbitrary code in the form of a .git/hooks/post-update script, allowing the attacker to execute arbitrary code on systems running a vulnerable version of Sourcetree for macOS.
Sourcetree for macOS performs background indexing which allows for this issue to be exploited without a user needing to directly interact with the git subrepository. From version 1.4.0 of Sourcetree for macOS, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.

Affected versions:

• Versions of Sourcetree for macOS starting with 1.0b2 before version 2.7.0 are affected by this vulnerability

Fix:

• Upgrade Sourcetree for macOS to version 2.7.0 or higher from https://www.sourcetreeapp.com/ .

Acknowledgements
Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

For additional details see the full advisory.