Bug 32603

Summary:	fish-shell security issue CVE-2023-49284
Product:	Mageia	Reporter:	Stig-Ørjan Smelror <smelror>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED DUPLICATE	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	marja11, sysadmin-bugs, tarazed25
Version:	9	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8-64-OK MGA9-64-OK
Source RPM:	fish-3.4.1-1.mga8.src.rpm,fish-3.6.1-1.mga9.src.rpm	CVE:	CVE-2023-49284
Status comment:

Description Stig-Ørjan Smelror 2023-12-08 06:49:07 CET

Command substitution output can trigger shell expansion.

https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f

Fixed in version 3.6.2, however version 3.6.3 and 3.6.4 was released to fix an error in the test suite.

Comment 1 Stig-Ørjan Smelror 2023-12-08 06:51:14 CET

Cauldron has been updated to version 3.6.4.

Version: Cauldron => 9
Whiteboard: (none) => MGA8TOO
CVE: (none) => CVE-2023-49284

Comment 2 Stig-Ørjan Smelror 2023-12-08 07:18:27 CET

Advisory
========

Upstream released version 3.6.4 to fix CVE-2023-49284.

CVE-2023-49284: fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation.


References
==========

https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f

Files
=====

Uploaded to core/updates_testing

fish-3.6.4-1.mga9

from fish-3.6.4-1.mga9.src.rpm

Comment 3 Stig-Ørjan Smelror 2023-12-08 07:20:49 CET

Advisory
========

Backported an upstream patch to fix CVE-2023-49284.

CVE-2023-49284: fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation.


References
==========

https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f

Files
=====

Uploaded to core/updates_testing

fish-3.4.1-1.1.mga8

from fish-3.4.1-1.1.mga8.src.rpm

Stig-Ørjan Smelror 2023-12-08 07:21:21 CET

Assignee: smelror => qa-bugs

Marja Van Waes 2023-12-08 15:05:43 CET

CC: (none) => marja11
Source RPM: (none) => fish

Comment 4 Marja Van Waes 2023-12-08 15:14:07 CET

Merged Advisory from comment 2 and comment 3 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

Keywords: (none) => advisory

Comment 5 Len Lawrence 2023-12-08 20:05:46 CET

Mageia8, x86_64
$ rpm -q fish
fish-3.4.1-1.mga8

$ cat foo.py
print("\ufdd2HOME")

$ fish
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
lcl@canopus ~> echo $(python3 foo.py)
/home/lcl
lcl@canopus ~> exit
$

Don't know what other prefixes to use.
Installed the update.
$ fish
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
lcl@canopus ~> echo $(python3 foo.py)

lcl@canopus ~> exit

So that simply shows a blank line.
Maybe that is what is intended.  If so then this update is OK for Mageia8.

Whiteboard: MGA8TOO => MGA8TOO
CC: (none) => tarazed25

Comment 6 Len Lawrence 2023-12-08 20:34:33 CET

Switched back to Mageia9.

Installed fish-3.6.1-1.
$ fish
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
lcl@canopus ~> echo $(python foo.py)
/home/lcl
lcl@canopus ~> exit
$

Updated to fish-3.6.4-1.mga9.
$ fish
lcl@canopus ~> echo $(python foo.py)
﷒HOME
lcl@canopus ~> exit
$ echo $(python foo.py)
﷒HOME

So the prefix code is output in harmless fashion in fish and bash shells.Good for Mageia 9.

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK MGA9-64-OK

Comment 7 Len Lawrence 2023-12-08 20:35:38 CET Comment hidden (obsolete)

Switched back to Mageia9.

Installed fish-3.6.1-1.
$ fish
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
lcl@canopus ~> echo $(python foo.py)
/home/lcl
lcl@canopus ~> exit
$

Updated to fish-3.6.4-1.mga9.
$ fish
lcl@canopus ~> echo $(python foo.py)
﷒HOME
lcl@canopus ~> exit
$ echo $(python foo.py)
﷒HOME

So the prefix code is output in harmless fashion in fish and bash shells.Good for Mageia 9.

Comment 8 Len Lawrence 2023-12-08 20:36:57 CET Comment hidden (obsolete)

Switched back to Mageia9.

Installed fish-3.6.1-1.
$ fish
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
lcl@canopus ~> echo $(python foo.py)
/home/lcl
lcl@canopus ~> exit
$

Updated to fish-3.6.4-1.mga9.
$ fish
lcl@canopus ~> echo $(python foo.py)
﷒HOME
lcl@canopus ~> exit
$ echo $(python foo.py)
﷒HOME

So the prefix code is output in harmless fashion in fish and bash shells.  Good for Mageia 9.

Comment 9 Len Lawrence 2023-12-08 20:50:12 CET

When I tried to submit this the system issued this error report:

"\x{fdd2}" does not map to UTF-8 at /usr/lib64/perl5/Encode.pm line 199, <DATA> line 755.

After two attempts I substituted <something> for the little square with FDD2 in 2x2 format and tried again and the two initial versions materialised.  ???

Comment 10 katnatek 2023-12-08 22:59:32 CET

(In reply to Len Lawrence from comment #9)
> When I tried to submit this the system issued this error report:
> 
> "\x{fdd2}" does not map to UTF-8 at /usr/lib64/perl5/Encode.pm line 199,
> <DATA> line 755.
> 
> After two attempts I substituted <something> for the little square with FDD2
> in 2x2 format and tried again and the two initial versions materialised.  ???

I Hide one of them

Comment 11 katnatek 2023-12-08 23:01:42 CET

And I get the same warning that Len Lawrence in comment#9, I just close the tab and open this bug again :S

Comment 12 katnatek 2023-12-09 00:01:24 CET

Confirmed that the update fix the issue on Mageia 9

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK => MGA8-64-OK MGA9-64-OK

katnatek 2023-12-10 02:19:49 CET

Source RPM: fish => fish-3.4.1-1.mga8.src.rpm,fish-3.6.1-1.mga9.src.rpm

Comment 13 katnatek 2023-12-10 02:24:49 CET

Testing if we have a bug related with comment#5

Comment 14 katnatek 2023-12-10 02:28:18 CET

(In reply to katnatek from comment #13)
> Testing if we have a bug related with comment#5

If that is the cause (no other bug have the issue reported in comment#9) mark as obsolete is not enough

Comment 15 katnatek 2023-12-10 02:56:42 CET

Another test hiding comment#6 and comment#7

Comment 16 katnatek 2023-12-10 02:57:42 CET

(In reply to katnatek from comment #15)
> Another test hiding comment#6 and comment#7

Not enough/Not the cause

Comment 17 Frédéric "LpSolit" Buclin 2023-12-10 14:44:21 CET

(In reply to Len Lawrence from comment #9)
> When I tried to submit this the system issued this error report:
> 
> "\x{fdd2}" does not map to UTF-8 at /usr/lib64/perl5/Encode.pm line 199,
> <DATA> line 755.

Yes, Bugzilla didn't like \x{fdd2} in comment 6 (and now in comments 7 and 8 as well) and the emails have not been sent. Now everytime you write a new comment, it will try to resend the older comments and will fail again.

Comment 18 katnatek 2023-12-10 23:25:55 CET

 i open a new bug, this is now tainted bug#32609

Resolution: (none) => WONTFIX
Keywords: advisory, validated_update => (none)
Status: NEW => RESOLVED

Comment 19 Frédéric "LpSolit" Buclin 2023-12-11 02:33:27 CET

Why are you closing this bug as WONTFIX? Bug 32609 is about Bugzilla. This bug is about fish.

Keywords: (none) => advisory, validated_update

Frédéric "LpSolit" Buclin 2023-12-11 02:33:59 CET

Status: RESOLVED => REOPENED
Resolution: WONTFIX => (none)

Comment 20 Marja Van Waes 2023-12-11 17:17:56 CET

Duplicate 32614 was created because of an issue with this report

*** This bug has been marked as a duplicate of bug 32614 ***

Resolution: (none) => DUPLICATE
Status: REOPENED => RESOLVED