Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 919488 (CVE-2023-49284)

Summary: <app-shells/fish-3.7.0: command substitution output can trigger shell expansion
Product: Gentoo Security Reporter: Christopher Fore <csfore>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: minor CC: ajak, gyakovlev, maintainer-needed, proxy-maint, realidealseal
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 934533    
Bug Blocks:    

Description Christopher Fore 2023-12-08 20:01:40 UTC 
CVE-2023-49284 (https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f):

fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation.

While this may cause unexpected behavior with direct input (for example, echo \UFDD2HOME has the same output as echo $HOME), this may become a minor security problem if the output is being fed from an external program into a command substitution where this output may not be expected. 

The above has been fixed in 3.6.2
Comment 1 Mike Limansky 2023-12-18 14:15:07 UTC 
Hi,

 I've checked simple bump from 3.6.1 to 3.6.4 and it works fine for me.
Comment 2 Larry the Git Cow gentoo-dev 2024-12-02 01:06:36 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c4d928cd780364e80286ce197cb31032b322b64

commit 1c4d928cd780364e80286ce197cb31032b322b64
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-12-02 01:06:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-12-02 01:06:28 +0000

    app-shells/fish: drop 3.4.0, 3.6.1
    
    Bug: https://bugs.gentoo.org/919488
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-shells/fish/Manifest          |   2 -
 app-shells/fish/fish-3.4.0.ebuild | 102 --------------------------------
 app-shells/fish/fish-3.6.1.ebuild | 121 --------------------------------------
 3 files changed, 225 deletions(-)