Bug 32614

Summary: fish-shell security issue CVE-2023-49284
Product: Mageia Reporter: katnatek <j.alberto.vc>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: marja11, smelror, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Source RPM: fish-3.4.1-1.mga8.src.rpm,fish-3.6.1-1.mga9.src.rpm CVE:
Status comment:

Description katnatek 2023-12-10 23:18:08 CET 
All the test is done in bug#32603 but due bug#32609 the bug can't be closed in the traditional way


Advisory
========

Upstream released version 3.6.4 to fix CVE-2023-49284.

CVE-2023-49284: fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation.


References
==========

https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f

Files
=====

Uploaded to 9/core/updates_testing

fish-3.6.4-1.mga9

from fish-3.6.4-1.mga9.src.rpm

Uploaded to 8/core/updates_testing
fish-3.4.1-1.1.mga8
from fish-3.4.1-1.1.mga8.src.rpm
katnatek 2023-12-10 23:18:51 CET

Whiteboard: (none) => MGA8-64-OK MGA9-64-OK

katnatek 2023-12-10 23:19:09 CET

CC: (none) => marja11

Comment 1 katnatek 2023-12-10 23:22:56 CET 
Marja, please use the advisory of bug#32603 in this bug 
In this way once this bug is marked as validated the packages can be moved
katnatek 2023-12-10 23:23:26 CET

QA Contact: (none) => security

David Walser 2023-12-11 01:23:55 CET

Component: RPM Packages => Security

David Walser 2023-12-11 01:24:27 CET

Summary: fish-shell security issue CVE-2023-4928 II => fish-shell security issue CVE-2023-49284

Comment 2 katnatek 2023-12-11 06:06:29 CET 
Now what must do?
Close this as duplicate of the original?
Comment 3 Marja Van Waes 2023-12-11 17:17:56 CET 
*** Bug 32603 has been marked as a duplicate of this bug. ***

CC: (none) => smelror

Comment 4 Marja Van Waes 2023-12-11 17:24:02 CET 
I have copied 32603.adv to 32614.adv, while adjusting the reference to match this report. It has been uploaded to SVN and 32603.adv has been deleted

Keywords: (none) => advisory

katnatek 2023-12-11 22:27:46 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

katnatek 2023-12-12 10:23:13 CET

Whiteboard: MGA8-64-OK MGA9-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK

Comment 5 Mageia Robot 2023-12-12 23:21:23 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0344.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED