FS#74155 - CVE-2022-20001 for Fish 3.1.0 through 3.3.1

Attached to Project: Community Packages
Opened by Cameron Himes (Caton101) - Friday, 18 March 2022, 04:30 GMT
Last edited by David Thurstenson (thurstylark) - Sunday, 10 April 2022, 09:09 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Levente Polyak (anthraxx)
Filipe Laíns (FFY00)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 4
Private No

Details

Description:

Fish has a CVE that allows for arbitrary commands to be executed. I've pasted the CVE report below:

fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git repositories can contain per-repository configuration that change the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing to a directory automatically runs `git` commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory into one controlled by the attacker, such as on a shared file system or extracted archive, fish will run arbitrary commands under the attacker's control. This problem has been fixed in fish 3.4.0. Note that running git in these directories, including using the git tab completion, remains a potential trigger for this issue. As a workaround, remove the `fish_git_prompt` function from the prompt.


Additional info:
Fish 3.3.1
https://ubuntu.com/security/CVE-2022-20001
https://www.cvedetails.com/cve/CVE-2022-20001
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-20001

Steps to reproduce:
install fish
follow arbitrary code execution as outlined in the CVE

Closed by David Thurstenson (thurstylark)
Sunday, 10 April 2022, 09:09 GMT
Reason for closing: Fixed
Additional comments about closing: fish 3.4.1-1
Comment by Cameron Himes (Caton101) - Friday, 18 March 2022, 04:34 GMT
I should mention that this is already patched in Fish version 3.4.0. The package has been marked out of date since March 12, 2022 when the new upstream version was released. Since it has been a few days and the package maintainer has not stepped in, I'm reporting it here. The easiest way to fix this is to just update the Fish package.
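
A triage check built from the CVE text quoted in the description, added here as an example and not part of the ticket or of fish itself: it decides whether a given fish version falls in the affected range (3.1.0 through 3.3.1) and whether the prompt still calls `fish_git_prompt`. The function names, status words and sample prompt are made up for illustration, and treating `fish_vcs_prompt` as a wrapper around `fish_git_prompt` is an assumption not stated on this page.

```sh
#!/bin/sh
# Added example: CVE-2022-20001 triage from the advisory text only.
# Affected range 3.1.0 through 3.3.1 and the fish_git_prompt workaround are
# from the report; fish_vcs_prompt (wrapper that calls fish_git_prompt) is an
# assumption about fish's stock prompt, not stated on this page.

# "3.3.1-1" -> 3003001. Fails (1) on anything that is not dotted digits.
ver_to_int() {
    v=${1%%-*}                       # drop a packaging suffix such as "-1"
    case $v in
        ''|*[!0-9.]*|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $v                        # split on dots into $1 $2 $3
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# 0 = inside 3.1.0..3.3.1, 1 = outside, 2 = version not parseable.
fish_version_affected() {
    n=$(ver_to_int "$1") || return 2
    [ "$n" -ge 3001000 ] && [ "$n" -le 3003001 ]
}

# $1 = file with prompt function source (e.g. saved `functions fish_prompt`).
# Comment lines are skipped so a commented-out call counts as removed.
prompt_calls_git_prompt() {
    grep -v '^[[:space:]]*#' "$1" | grep -Ewq 'fish_(git|vcs)_prompt'
}

# assess VERSION PROMPT_FILE -> one status word on stdout.
assess() {
    rc=0; fish_version_affected "$1" || rc=$?
    if [ "$rc" -eq 2 ]; then echo unknown-version
    elif [ "$rc" -eq 1 ]; then echo outside-affected-range
    elif prompt_calls_git_prompt "$2"; then echo affected
    else echo affected-workaround-applied
    fi
}

# Constructed sample prompt, not taken from the ticket.
sample=$(mktemp)
printf '%s\n' 'function fish_prompt' \
    '    echo (prompt_pwd) (fish_vcs_prompt) "> "' 'end' > "$sample"
assess "3.3.1-1" "$sample"           # prints: affected
rm -f "$sample"
```

A result of `affected-workaround-applied` only covers the prompt; as the CVE text notes, running git in such a directory, including git tab completion, remains a potential trigger until the package is updated.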
