FS#74155 - CVE-2022-20001 for Fish 3.1.0 through 3.3.1
Attached to Project:
Community Packages
Opened by Cameron Himes (Caton101) - Friday, 18 March 2022, 04:30 GMT
Last edited by David Thurstenson (thurstylark) - Sunday, 10 April 2022, 09:09 GMT
Opened by Cameron Himes (Caton101) - Friday, 18 March 2022, 04:30 GMT
Last edited by David Thurstenson (thurstylark) - Sunday, 10 April 2022, 09:09 GMT
|
Details
Description:
Fish has a CVE that allows for arbitrary commands to be executed. I've pasted the CVE report below: fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git repositories can contain per-repository configuration that change the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing to a directory automatically runs `git` commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory into one controlled by the attacker, such as on a shared file system or extracted archive, fish will run arbitrary commands under the attacker's control. This problem has been fixed in fish 3.4.0. Note that running git in these directories, including using the git tab completion, remains a potential trigger for this issue. As a workaround, remove the `fish_git_prompt` function from the prompt. Additional info: Fish 3.3.1 https://ubuntu.com/security/CVE-2022-20001 https://www.cvedetails.com/cve/CVE-2022-20001 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-20001 Steps to reproduce: install fish follow arbitrary code execution as outlined in the CVE |
This task depends upon
Closed by David Thurstenson (thurstylark)
Sunday, 10 April 2022, 09:09 GMT
Reason for closing: Fixed
Additional comments about closing: fish 3.4.1-1
Sunday, 10 April 2022, 09:09 GMT
Reason for closing: Fixed
Additional comments about closing: fish 3.4.1-1
Comment by
Cameron Himes (Caton101) - Friday,
18 March 2022, 04:34 GMT
I should mention that this is already patched in Fish version
3.4.0. The package has been marked out of date since March 12,
2022 when the new upstream version was released. Since it has been
a few days and the package maintainer has not stepped in, I'm
reporting it here. The easiest way to fix this is to just update
the Fish package.