Debian Bug report logs -
#1057455
fish: CVE-2023-49284
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Tristan Seligmann <mithrandi@debian.org>:
Bug#1057455; Package src:fish.
(Tue, 05 Dec 2023 11:06:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Tristan Seligmann <mithrandi@debian.org>.
(Tue, 05 Dec 2023 11:06:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: fish
Version: 3.6.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for fish.
CVE-2023-49284[0]:
| fish is a smart and user-friendly command line shell for macOS,
| Linux, and the rest of the family. fish shell uses certain Unicode
| non-characters internally for marking wildcards and expansions. It
| will incorrectly allow these markers to be read on command
| substitution output, rather than transforming them into a safe
| internal representation. While this may cause unexpected behavior
| with direct input (for example, echo \UFDD2HOME has the same output
| as echo $HOME), this may become a minor security problem if the
| output is being fed from an external program into a command
| substitution where this output may not be expected. This design flaw
| was introduced in very early versions of fish, predating the version
| control system, and is thought to be present in every version of
| fish released in the last 15 years or more, although with different
| characters. Code execution does not appear to be possible, but
| denial of service (through large brace expansion) or information
| disclosure (such as variable expansion) is potentially possible
| under certain circumstances. fish shell 3.6.2 has been released to
| correct this issue. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-49284
https://www.cve.org/CVERecord?id=CVE-2023-49284
[1] https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f
[2] https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Dec 6 08:17:22 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon