Mercurial: arbitrary command execution in mercurial repositories with a git submodule - CVE-2017-17458

The embedded version of Mercurial used in Sourcetree for Windows was vulnerable to CVE-2017-17458. An attacker can exploit this issue if they can commit to a Mercurial repository linked in Sourcetree for Windows by adding a git subrepository specifying arbitrary code in the form of a .git/hooks/post-update script, allowing the attacker to execute arbitrary code on systems running a vulnerable version of Sourcetree for Windows.
Sourcetree for Windows performs background indexing which allows for this issue to be exploited without a user needing to directly interact with the git subrepository. From version 1.4.0 of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.

Affected versions:

• Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability.

Fix:

• Upgrade Sourcetree for Windows to version 2.4.7.0 or higher from https://www.sourcetreeapp.com/ .

Acknowledgements
Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

For additional details see the full advisory.