Fedora has issued advisories on April 30 and August 15:
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132618.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136953.html

Sorry I missed these initially.

Fedora has patches to fix the issues. Apparently the issues are also fixed upstream in 2.1.1.

Mageia 4 is also affected.
Whiteboard: (none) => MGA4TOO
Here's an upstream announcement about all this from September 28: http://openwall.com/lists/oss-security/2014/09/28/8 It mentions CVE-2014-3856 in addition to the others previously mentioned.
Summary: fish missing update for security issues CVE-2014-290[56], CVE-2014-2914, CVE-2014-3219 => fish missing update for security issues CVE-2014-290[56], CVE-2014-2914, CVE-2014-3219, CVE-2014-3856
Updated packages uploaded for Mageia 4 and Cauldron.

I've not mentioned CVE-2014-3219 in the advisory, as a new feature in the Mageia 4 kernel mitigates this class of vulnerabilities.

Advisory:
========================

Updated fish packages fix security vulnerability:

fish, from at least version 1.16.0 to version 2.1.0 (inclusive), does not check the credentials of processes communicating over the fishd universal variable server UNIX domain socket. This allows a local attacker to elevate their privileges to those of a target user running fish, including root (CVE-2014-2905).

fish, from at least version 1.16.0 to version 2.1.0 (inclusive), creates temporary files in an insecure manner. Versions 1.23.0 to 2.1.0 (inclusive) execute code via `funced` from these temporary files, allowing privilege escalation to those of any user running fish, including root (CVE-2014-3856).

Additionally, from at least version 1.16.0 to version 2.1.0 (inclusive), fish will read data using the psub function from these temporary files, meaning that the input of commands used with the psub function is under the control of the attacker (CVE-2014-2906).

fish, from version 2.0.0 to version 2.1.0 (inclusive), fails to restrict connections to the Web-based configuration service (fish_config). This allows remote attackers to execute arbitrary code in the context of the user running fish_config (CVE-2014-2914). The service is generally only running for short periods of time. The use of the fish_config tool is optional as other interfaces to fish configuration are available.

The fish package has been updated to version 2.1.1 to fix these issues.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2914
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3856
http://openwall.com/lists/oss-security/2014/09/28/8
http://fishshell.com/release_notes.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132618.html
========================

Updated packages in core/updates_testing:
========================
fish-2.1.1-1.mga4

from fish-2.1.1-1.mga4.src.rpm
CC: (none) => guillomovitch
Version: Cauldron => 4
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA4TOO => (none)
Testing complete mga4 64

fish is a shell, like bash - http://fishshell.com/

GitHub links on the openwall link show some details of the vulnerabilities.

Testing what I can.

$ fish
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
claire@mega ~>

Before
------
CVE-2014-3856: strace doesn't work here so just testing funced works.

> funced test
test> function test end
ctrl-c

CVE-2014-2906: diff two random files through psub (from man page)

> strace -o strace.txt diff (sort min.pl|psub) (sort overflow.py|psub)
> grep tmp strace.txt
execve("/usr/bin/diff", ["diff", "/tmp/.psub.13369.21627", "/tmp/.psub.13369.8373"], [/* 93 vars */]) = 0
stat("/tmp/.psub.13369.21627", {st_mode=S_IFREG|0644, st_size=152, ...}) = 0
stat("/tmp/.psub.13369.8373", {st_mode=S_IFREG|0644, st_size=95, ...}) = 0
open("/tmp/.psub.13369.21627", O_RDONLY) = 3
open("/tmp/.psub.13369.8373", O_RDONLY) = 4

CVE-2014-2914:

> fish_config
Web config started at 'http://localhost:8000/'. Hit enter to stop.

This opens the link in a browser to configure fish. It can be accessed from other computers though too.

127.0.0.1 - - [07/Oct/2014 15:02:50] code 404, message File not found
127.0.0.1 - - [07/Oct/2014 15:02:50] code 404, message File not found
192.168.25.170 - - [07/Oct/2014 15:04:22] code 404, message File not found
192.168.25.170 - - [07/Oct/2014 15:04:22] code 404, message File not found

Exit the shell.
> exit

After
-----
Funced still working..

> funced test
test> function test end

Filenames in tmp now more obscure..

> strace -o strace.txt diff (sort min.pl|psub) (sort overflow.py|psub)
> grep tmp strace.txt
execve("/usr/bin/diff", ["diff", "/tmp/.psub.ZV2DqpTtNz", "/tmp/.psub.EpfVLgrDkB"], [/* 96 vars */]) = 0
stat("/tmp/.psub.ZV2DqpTtNz", {st_mode=S_IFREG|0600, st_size=152, ...}) = 0
stat("/tmp/.psub.EpfVLgrDkB", {st_mode=S_IFREG|0600, st_size=95, ...}) = 0
open("/tmp/.psub.ZV2DqpTtNz", O_RDONLY) = 3
open("/tmp/.psub.EpfVLgrDkB", O_RDONLY) = 4

fish_config now inaccessible from other computers
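Added example, not part of the original comment or of fish: the before/after comparison of the psub temporary files in the test above, automated as a check over strace output. The `stat()` lines are copied from that test; the function name `audit_psub` and the two rules it applies (all-numeric name components, any group/other permission bits) are assumptions chosen to match what the tester compared by eye.

```python
import re

# stat() lines copied from the strace output in the test comment above:
# the first two are from fish 2.1.0 ("Before"), the last two from 2.1.1 ("After").
STRACE = '''\
stat("/tmp/.psub.13369.21627", {st_mode=S_IFREG|0644, st_size=152, ...}) = 0
stat("/tmp/.psub.13369.8373", {st_mode=S_IFREG|0644, st_size=95, ...}) = 0
stat("/tmp/.psub.ZV2DqpTtNz", {st_mode=S_IFREG|0600, st_size=152, ...}) = 0
stat("/tmp/.psub.EpfVLgrDkB", {st_mode=S_IFREG|0600, st_size=95, ...}) = 0
'''

# Path and octal permission bits from a strace stat() line.
STAT_RE = re.compile(r'stat\("(?P<path>[^"]+)", \{st_mode=S_IF\w+\|(?P<mode>0[0-7]+)')
# Names made only of numeric components, as in the "Before" output.
NUMERIC_NAME = re.compile(r'\.psub\.\d+\.\d+$')


def audit_psub(strace_text):
    """Return [(path, [issues])] for every psub temp file seen in stat() calls."""
    results = []
    for line in strace_text.splitlines():
        m = STAT_RE.search(line)
        if not m or "/.psub." not in m["path"]:
            continue
        mode = int(m["mode"], 8)
        issues = []
        if NUMERIC_NAME.search(m["path"]):
            issues.append("name built from numbers only")
        if mode & 0o077:
            issues.append("mode %04o grants group/other access" % mode)
        results.append((m["path"], issues))
    return results


if __name__ == "__main__":
    for path, issues in audit_psub(STRACE):
        print(path, "->", "; ".join(issues) or "ok")
```

Run it against a fresh `strace.txt` from the same `diff (... | psub) (... | psub)` command to repeat the check on another build.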
Whiteboard: (none) => has_procedure mga4-64-ok
Also CVE-2014-2905..

Before
------
> fishd
fishd: Connect to socket at /tmp/fishd.socket.claire
fishd: Socket already exists, exiting

# ll /tmp/fishd.socket.claire
srwxr-xr-x 1 claire claire 0 Oct 7 15:35 /tmp/fishd.socket.claire=

After
-----
> fishd
fishd: Connect to socket at /run/user/500/fishd.socket
fishd: Socket already exists, exiting

# ll /run/user/500/fishd.socket
srwxr-xr-x 1 claire claire 0 Oct 7 15:37 /run/user/500/fishd.socket=

# ll -d /run/user/500
drwx------ 6 claire claire 180 Oct 7 15:37 /run/user/500/

So the socket keeps the same permissions but is now in a directory accessible only to the user.
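Added example, not part of the original comment and not fish's own code: the `ll -d` check above as a function, next to the kind of peer-credential check the advisory says was missing. The names `path_findings`, `peer_uid` and `accept_same_user` are hypothetical, and `SO_PEERCRED` is Linux-specific; how fish 2.1.1 itself implements the fix is not shown on this page.

```python
import os
import socket
import struct


def path_findings(sock_path, uid):
    """Problems with the directory holding a UNIX socket, from uid's point of view."""
    findings = []
    parent = os.stat(os.path.dirname(sock_path) or ".")
    if parent.st_uid != uid:
        findings.append("parent directory not owned by user")
    if parent.st_mode & 0o077:
        findings.append("parent directory accessible to other users")
    return findings


def peer_uid(conn):
    """UID of the process at the other end of a connected UNIX socket (Linux)."""
    # struct ucred { pid_t pid; uid_t uid; gid_t gid; }
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("iII"))
    _pid, uid, _gid = struct.unpack("iII", raw)
    return uid


def accept_same_user(listener):
    """Accept one connection; drop it unless the peer runs as our own UID."""
    conn, _ = listener.accept()
    if peer_uid(conn) != os.getuid():
        conn.close()
        return None
    return conn


if __name__ == "__main__":
    # Paths taken from the test above; they only exist on a machine running fishd.
    for p in ("/tmp/fishd.socket.claire", "/run/user/500/fishd.socket"):
        try:
            print(p, path_findings(p, os.getuid()) or "ok")
        except FileNotFoundError:
            print(p, "parent directory not present on this machine")
```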
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
fish

default install of fish

[root@localhost wilcal]# urpmi fish
Package fish-2.1.0-1.mga4.i586 is already installed

[wilcal@localhost ~]$ fish
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
wilcal@localhost ~> help
Help opens

install fish from updates_testing

[root@localhost wilcal]# urpmi fish
Package fish-2.1.1-1.mga4.i586 is already installed

[wilcal@localhost ~]$ fish
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
wilcal@localhost ~> help
Help opens

[wilcal@localhost ~]$ fishd
fishd: Connect to socket at /run/user/500/fishd.socket

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
This is good to go. Testing complete for mga4 32-bit & 64-bit.

Validating the update.

Could someone from the sysadmin team push this to updates?

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0404.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference for CVE-2014-3219:
http://lwn.net/Vulnerabilities/597866/

LWN reference for CVE-2014-3856:
http://lwn.net/Vulnerabilities/615604/