SUSE has issued an advisory on October 25:
The issue is fixed upstream in 4.7.2.
Mageia 6 is also affected.
Assigning to the registered maintainer.
CC'ing Shlomi, who pushed mercurial several times, because I don't remember having seen Philippe since August 25.
I hope you're fine, Philippe!
openSUSE has issued an advisory for this on October 27:
Submitted mercurial 4.7.2 to mga6 core/updates_testing.
Updated mercurial packages fix security vulnerability:
An out-of-bounds read during parsing of a malformed manifest entry
Updated packages in core/updates_testing:
Installed and tested without issues.
Tests included init, clone, pull, push, status, commit, update, log, etc.
Tested on several repositories, remote and local.
System: Mageia 6, x86_64, Intel CPU.
$ uname -a
Linux marte 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q mercurial
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Made tests as per bug 22895 Comment 5 and Comment 7, all worked OK
Validating. Advisory in Comment 4.
Advisoried from comment 4.
An update for this issue has been pushed to the Mageia Updates repository.