Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 835337 (CVE-2022-20001) - <app-shells/fish-3.4.0: code execution via malicious git configuration
Summary: <app-shells/fish-3.4.0: code execution via malicious git configuration
Status: IN_PROGRESS
Alias: CVE-2022-20001
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/fish-shell/fish-sh...
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 835339
Blocks:
  Show dependency tree
 
Reported: 2022-03-15 15:24 UTC by John Helmert III
Modified: 2022-05-20 16:22 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-15 15:24:21 UTC
CVE-2022-20001:

fish is a command line shell. fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git repositories can contain per-repository configuration that change the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing to a directory automatically runs `git` commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory into one controlled by the attacker, such as on a shared file system or extracted archive, fish will run arbitrary commands under the attacker's control. This problem has been fixed in fish 3.4.0. Note that running git in these directories, including using the git tab completion, remains a potential trigger for this issue. As a workaround, remove the `fish_git_prompt` function from the prompt.

Please stabilize 3.4.0.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-19 18:19:58 UTC
Please cleanup
Comment 2 Larry the Git Cow gentoo-dev 2022-05-20 06:31:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=064a1f6462587573309045cbc97f549cf8b0429f

commit 064a1f6462587573309045cbc97f549cf8b0429f
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2022-05-20 06:27:41 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2022-05-20 06:27:41 +0000

    app-shells/fish: Security cleanup
    
    Bug: https://bugs.gentoo.org/835337
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-shells/fish/Manifest                           |   1 -
 .../fish/files/3.3.1-don-t-override-linker.patch   |  48 ----------
 app-shells/fish/files/3.3.1-drop-some-tests.patch  |  26 -----
 .../fish/files/3.3.1-sbin-path-sh-test.patch       |  25 -----
 app-shells/fish/fish-3.3.1-r1.ebuild               | 106 ---------------------
 5 files changed, 206 deletions(-)