Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 835337 (CVE-2022-20001)

Summary: <app-shells/fish-3.4.0: code execution via malicious git configuration
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: gentoo.qxrin, gentoo, gyakovlev, polynomial-c
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 835339    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-15 15:24:21 UTC

fish is a command line shell. fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git repositories can contain per-repository configuration that change the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing to a directory automatically runs `git` commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory into one controlled by the attacker, such as on a shared file system or extracted archive, fish will run arbitrary commands under the attacker's control. This problem has been fixed in fish 3.4.0. Note that running git in these directories, including using the git tab completion, remains a potential trigger for this issue. As a workaround, remove the `fish_git_prompt` function from the prompt.

Please stabilize 3.4.0.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-19 18:19:58 UTC
Please cleanup
Comment 2 Larry the Git Cow gentoo-dev 2022-05-20 06:31:46 UTC
The bug has been referenced in the following commit(s):

commit 064a1f6462587573309045cbc97f549cf8b0429f
Author:     Lars Wendler <>
AuthorDate: 2022-05-20 06:27:41 +0000
Commit:     Lars Wendler <>
CommitDate: 2022-05-20 06:27:41 +0000

    app-shells/fish: Security cleanup
    Signed-off-by: Lars Wendler <>

 app-shells/fish/Manifest                           |   1 -
 .../fish/files/3.3.1-don-t-override-linker.patch   |  48 ----------
 app-shells/fish/files/3.3.1-drop-some-tests.patch  |  26 -----
 .../fish/files/3.3.1-sbin-path-sh-test.patch       |  25 -----
 app-shells/fish/fish-3.3.1-r1.ebuild               | 106 ---------------------
 5 files changed, 206 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2023-09-29 10:55:05 UTC
The bug has been referenced in the following commit(s):

commit c6ee8892052cc41b32dd714edc0f366bff3b60ee
Author:     GLSAMaker <>
AuthorDate: 2023-09-29 10:53:28 +0000
Commit:     Hans de Graaff <>
CommitDate: 2023-09-29 10:54:50 +0000

    [ GLSA 202309-10 ] Fish: User-assisted execution of arbitrary code
    Signed-off-by: GLSAMaker <>
    Signed-off-by: Hans de Graaff <>

 glsa-202309-10.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)