fish: CVE-2014-2905 CVE-2014-2906 CVE-2014-2914 CVE-2014-3219 CVE-2014-3856


Debian Bug report logs - #746259

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 28 Apr 2014 15:09:01 UTC

Severity: grave

Tags: security, upstream

Found in version fish/1.23.1-2

Fixed in version fish/2.1.1-1

Done: Gustavo Noronha Silva <kov@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#746259; Package src:fish. (Mon, 28 Apr 2014 15:09:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Gustavo Noronha Silva <kov@debian.org>. (Mon, 28 Apr 2014 15:09:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fish: CVE-2014-2905 CVE-2014-2906 CVE-2014-2914
Date: Mon, 28 Apr 2014 17:06:21 +0200
Source: fish
Version: 1.23.1-2
Severity: grave
Tags: security upstream

Hi,

the following vulnerabilities were published for fish.

CVE-2014-2905[0]:
permission bypass leading to privilege escalation

CVE-2014-2906[1]:
unsafe temporary file creation leading to privilege escalation

CVE-2014-2914[2]:
remote code execution

More details are in [3].

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-2905
[1] https://security-tracker.debian.org/tracker/CVE-2014-2906
[2] https://security-tracker.debian.org/tracker/CVE-2014-2914
[3] http://www.openwall.com/lists/oss-security/2014/04/28/4

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Gustavo Noronha Silva <kov@debian.org>:
Bug#746259; Package src:fish. (Mon, 28 Apr 2014 15:36:09 GMT)


Acknowledgement sent to David Adam <zanchey@ucc.gu.uwa.edu.au>:
Extra info received and forwarded to list. Copy sent to Gustavo Noronha Silva <kov@debian.org>. (Mon, 28 Apr 2014 15:36:09 GMT)


Message #10 received at 746259@bugs.debian.org:

From: David Adam <zanchey@ucc.gu.uwa.edu.au>
To: Debian Bug Tracking System <746259@bugs.debian.org>
Subject: Re: fish: CVE-2014-2905 CVE-2014-2906 CVE-2014-2914
Date: Mon, 28 Apr 2014 23:21:11 +0800
Package: fish
Followup-For: Bug #746259

There's another symlink attack, for which a CVE has not yet been
assigned, but a patch will be available shortly.

David Adam
fish committer
<zanchey@ucc.gu.uwa.edu.au>



Changed Bug title to 'fish: CVE-2014-2905 CVE-2014-2906 CVE-2014-2914 CVE-2014-3219' from 'fish: CVE-2014-2905 CVE-2014-2906 CVE-2014-2914' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 07 May 2014 09:12:07 GMT)


Changed Bug title to 'fish: CVE-2014-2905 CVE-2014-2906 CVE-2014-2914 CVE-2014-3219 CVE-2014-3856' from 'fish: CVE-2014-2905 CVE-2014-2906 CVE-2014-2914 CVE-2014-3219' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Jun 2014 14:45:08 GMT)


Reply sent to Gustavo Noronha Silva <kov@debian.org>:
You have taken responsibility. (Tue, 25 Nov 2014 12:21:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 25 Nov 2014 12:21:05 GMT)


Message #19 received at 746259-close@bugs.debian.org:

From: Gustavo Noronha Silva <kov@debian.org>
To: 746259-close@bugs.debian.org
Subject: Bug#746259: fixed in fish 2.1.1-1
Date: Tue, 25 Nov 2014 12:18:57 +0000
Source: fish
Source-Version: 2.1.1-1

We believe that the bug you reported is fixed in the latest version of
fish, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 746259@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gustavo Noronha Silva <kov@debian.org> (supplier of updated fish package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 24 Nov 2014 14:09:15 -0200
Source: fish
Binary: fish fish-dbg
Architecture: source amd64
Version: 2.1.1-1
Distribution: unstable
Urgency: medium
Maintainer: Gustavo Noronha Silva <kov@debian.org>
Changed-By: Gustavo Noronha Silva <kov@debian.org>
Description:
 fish       - friendly interactive shell
 fish-dbg   - friendly interactive shell (debugging symbols)
Closes: 746259
Changes:
 fish (2.1.1-1) unstable; urgency=medium
 .
   * New upstream release
   - includes fixes for the following security issues (Closes: #746259):
     + CVE-2014-2905
     + CVE-2014-2906
     + CVE-2014-2914
     + CVE-2014-3219
     + CVE-2014-3856




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:45:12 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:25:01 2019; Machine Name: beach
