CVE-2023-49284 (https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f): fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation. While this may cause unexpected behavior with direct input (for example, echo \UFDD2HOME has the same output as echo $HOME), this may become a minor security problem if the output is being fed from an external program into a command substitution where this output may not be expected. The above has been fixed in 3.6.2.
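A defensive check for the case the advisory describes, where output from an external program reaches a command substitution on an unpatched fish: the filter below flags or replaces Unicode noncharacters in that output. This is an added example, not code from fish or from the advisory; the function names and sample bytes are constructed here, and it covers all Unicode noncharacters (U+FDD0..U+FDEF and the last two code points of each plane) rather than only the ones fish reserves, which this page does not list.

```python
import sys

# Constructed sample: U+FDD2 followed by "HOME", the byte form of the
# advisory's `echo \UFDD2HOME` illustration, as an external tool might emit it.
SAMPLE = b"\xef\xb7\x92HOME\n"


def is_noncharacter(cp: int) -> bool:
    """True for the 66 Unicode noncharacters."""
    return 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE


def find_noncharacters(data: bytes) -> list[tuple[int, str]]:
    """Return (character index, 'U+XXXX') for every noncharacter in UTF-8 data."""
    text = data.decode("utf-8", errors="replace")
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(text)
            if is_noncharacter(ord(c))]


def sanitize(data: bytes) -> bytes:
    """Replace each noncharacter (and any invalid UTF-8) with U+FFFD."""
    text = data.decode("utf-8", errors="replace")
    cleaned = "".join("\ufffd" if is_noncharacter(ord(c)) else c for c in text)
    return cleaned.encode("utf-8")


if __name__ == "__main__":
    # Filter mode: read stdin, report findings on stderr, write cleaned bytes
    # to stdout, and exit 1 if any noncharacter was found.
    raw = sys.stdin.buffer.read()
    hits = find_noncharacters(raw)
    for index, code in hits:
        print(f"noncharacter {code} at character {index}", file=sys.stderr)
    sys.stdout.buffer.write(sanitize(raw))
    sys.exit(1 if hits else 0)
```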
Hi, I've checked a simple bump from 3.6.1 to 3.6.4 and it works fine for me.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c4d928cd780364e80286ce197cb31032b322b64

commit 1c4d928cd780364e80286ce197cb31032b322b64
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-12-02 01:06:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-12-02 01:06:28 +0000

    app-shells/fish: drop 3.4.0, 3.6.1

    Bug: https://bugs.gentoo.org/919488
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-shells/fish/Manifest          |   2 -
 app-shells/fish/fish-3.4.0.ebuild | 102 --------------------------------
 app-shells/fish/fish-3.6.1.ebuild | 121 --------------------------------------
 3 files changed, 225 deletions(-)