Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#74155 - CVE-2022-20001 for Fish 3.1.0 through 3.3.1
Attached to Project:
Community Packages
Opened by Cameron Himes (Caton101) - Friday, 18 March 2022, 04:30 GMT
Last edited by David Thurstenson (thurstylark) - Sunday, 10 April 2022, 09:09 GMT
Details
Description:
Fish has a CVE that allows for arbitrary commands to be executed. I've pasted the CVE report below:

fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git repositories can contain per-repository configuration that change the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing to a directory automatically runs `git` commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory into one controlled by the attacker, such as on a shared file system or extracted archive, fish will run arbitrary commands under the attacker's control. This problem has been fixed in fish 3.4.0. Note that running git in these directories, including using the git tab completion, remains a potential trigger for this issue. As a workaround, remove the `fish_git_prompt` function from the prompt.

Additional info:
Fish 3.3.1
https://ubuntu.com/security/CVE-2022-20001
https://www.cvedetails.com/cve/CVE-2022-20001
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-20001

Steps to reproduce:
install fish
follow arbitrary code execution as outlined in the CVE
Closed by David Thurstenson (thurstylark)
Sunday, 10 April 2022, 09:09 GMT
Reason for closing: Fixed
Additional comments about closing: fish 3.4.1-1

I should mention that this is already patched in Fish version 3.4.0. The package has been marked out of date since March 12, 2022 when the new upstream version was released. Since it has been a few days and the package maintainer has not stepped in, I'm reporting it here. The easiest way to fix this is to just update the Fish package.
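
A triage check built from the version range and workaround quoted in the report above; this is an added example, not part of the original report or of fish or Arch tooling. The function names, status words and sample prompt sources are constructed for illustration, and matching `fish_vcs_prompt` assumes the stock wrapper of that name calls `fish_git_prompt`.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2022-20001 from the facts in this report.
# Affected range 3.1.0-3.3.1 and fix version 3.4.0 are taken from the report.

# Turn `fish --version` output (e.g. "fish, version 3.3.1") into one comparable
# integer. Build suffixes such as "-12-gabc" are ignored (assumption).
version_key() {
    set -- $(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ $# -eq 3 ] || return 1
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# Read the prompt function's source on stdin; succeed if a non-comment line
# calls fish_git_prompt. fish_vcs_prompt is matched too because the stock
# wrapper of that name calls fish_git_prompt (assumption, not in the report).
prompt_runs_git() {
    grep -v '^[[:space:]]*#' | grep -Eq 'fish_(git|vcs)_prompt'
}

# assess VERSION_OUTPUT < prompt_source  -> prints one status word
assess() {
    key=$(version_key "$1") || { echo unknown-version; return 0; }
    if [ "$key" -ge 3001000 ] && [ "$key" -le 3003001 ]; then
        # Removing the prompt call is only the report's workaround: running
        # git (or its tab completion) in such a directory is still a trigger.
        if prompt_runs_git; then echo affected-prompt-runs-git
        else echo affected-prompt-workaround; fi
    elif [ "$key" -ge 3004000 ]; then echo fixed
    else echo outside-reported-range
    fi
}

# Constructed sample prompt sources (not taken from any real system).
SAMPLE_DEFAULT='function fish_prompt
    echo -n (prompt_pwd) (fish_git_prompt) "> "
end'
SAMPLE_WORKAROUND='function fish_prompt
    # fish_git_prompt removed as a workaround
    echo -n (prompt_pwd) "> "
end'

printf '%s\n' "$SAMPLE_DEFAULT" | assess "fish, version 3.3.1"
printf '%s\n' "$SAMPLE_WORKAROUND" | assess "fish, version 3.3.1"
# On a real host: fish -c 'functions fish_prompt' | assess "$(fish --version)"
```

A result of `affected-prompt-workaround` still means the package needs the upgrade to a fixed release, since the workaround only covers the prompt.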