835337 – (CVE-2022-20001) <app-shells/fish-3.4.0: code execution via malicious git configuration

Bug 835337 (CVE-2022-20001) - <app-shells/fish-3.4.0: code execution via malicious git configuration

Summary: <app-shells/fish-3.4.0: code execution via malicious git configuration

Status:	RESOLVED FIXED

Alias:	CVE-2022-20001

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://github.com/fish-shell/fish-sh...
Whiteboard:	B2 [glsa+]
Keywords:

Depends on:	835339
Blocks:
	Show dependency tree

Reported:	2022-03-15 15:24 UTC by John Helmert III
Modified:	2023-09-29 10:55 UTC (History)
CC List:	4 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-03-15 15:24:21 UTC

CVE-2022-20001:

fish is a command line shell. fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git repositories can contain per-repository configuration that change the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing to a directory automatically runs `git` commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory into one controlled by the attacker, such as on a shared file system or extracted archive, fish will run arbitrary commands under the attacker's control. This problem has been fixed in fish 3.4.0. Note that running git in these directories, including using the git tab completion, remains a potential trigger for this issue. As a workaround, remove the `fish_git_prompt` function from the prompt.

Please stabilize 3.4.0.

Comment 1 John Helmert III archtester

2022-05-19 18:19:58 UTC

Please cleanup

Comment 2 Larry the Git Cow gentoo-dev

2022-05-20 06:31:46 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=064a1f6462587573309045cbc97f549cf8b0429f

commit 064a1f6462587573309045cbc97f549cf8b0429f
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2022-05-20 06:27:41 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2022-05-20 06:27:41 +0000

    app-shells/fish: Security cleanup
    
    Bug: https://bugs.gentoo.org/835337
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-shells/fish/Manifest                           |   1 -
 .../fish/files/3.3.1-don-t-override-linker.patch   |  48 ----------
 app-shells/fish/files/3.3.1-drop-some-tests.patch  |  26 -----
 .../fish/files/3.3.1-sbin-path-sh-test.patch       |  25 -----
 app-shells/fish/fish-3.3.1-r1.ebuild               | 106 ---------------------
 5 files changed, 206 deletions(-)

Comment 3 Larry the Git Cow gentoo-dev

2023-09-29 10:55:05 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c6ee8892052cc41b32dd714edc0f366bff3b60ee

commit c6ee8892052cc41b32dd714edc0f366bff3b60ee
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-29 10:53:28 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-09-29 10:54:50 +0000

    [ GLSA 202309-10 ] Fish: User-assisted execution of arbitrary code
    
    Bug: https://bugs.gentoo.org/835337
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202309-10.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)