919488 – (CVE-2023-49284) <app-shells/fish-3.7.0: command substitution output can trigger shell expansion

Bug 919488 (CVE-2023-49284) - <app-shells/fish-3.7.0: command substitution output can trigger shell expansion

Summary: <app-shells/fish-3.7.0: command substitution output can trigger shell expansion

Status:	CONFIRMED

Alias:	CVE-2023-49284

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://github.com/fish-shell/fish-sh...
Whiteboard:	B3 [stable?]
Keywords:

Depends on:
Blocks:

Reported:	2023-12-08 20:01 UTC by Christopher Fore
Modified:	2024-04-21 20:35 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christopher Fore 2023-12-08 20:01:40 UTC

CVE-2023-49284 (https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f):

fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation.

While this may cause unexpected behavior with direct input (for example, echo \UFDD2HOME has the same output as echo $HOME), this may become a minor security problem if the output is being fed from an external program into a command substitution where this output may not be expected. 

The above has been fixed in 3.6.2

Comment 1 Mike Limansky 2023-12-18 14:15:07 UTC

Hi,

 I've checked simple bump from 3.6.1 to 3.6.4 and it works fine for me.