openSUSE has issued an advisory today (March 31):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SRNZU5M6WR5TPTNDAIMOYXCJP2ONI4FB/
The issue is fixed upstream in 3.4.0:
https://github.com/fish-shell/fish-shell/security/advisories/GHSA-pj5f-6vxj-f5mq
https://github.com/fish-shell/fish-shell/releases/tag/3.4.0
Mageia 8 is also affected.
guillomovitch looks after 'fish', so assigning to you.
Assignee: bugsquad => guillomovitch
Assignee: guillomovitch => bugsquad
Status comment: (none) => Fixed upstream in 3.4.0
Whiteboard: (none) => MGA8TOO
Fedora has issued an advisory for this today (April 4):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TRNMYS2LKB6TKOOBQQRSRQICDMWLZ4QL/
They updated to 3.4.1.
Severity: normal => major
Updated packages uploaded for Mageia 8 and Cauldron by Guillaume.
fish-3.4.1-1.mga8
from fish-3.4.1-1.mga8.src.rpm
Assignee: guillomovitch => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 3.4.0 => (none)
CC: (none) => guillomovitch
mga8, x64
Updated from fish version 3.1.
Opened a fish shell from the bash command line.
$ fish
Welcome to fish, the friendly interactive shell
Type `help` for instructions on how to use fish
lcl@difda ~/bin (master)> help
That opened the help page in a browser.
Syntax highlighting works. bash commands like launchGUIs work. Command completion works. So does command recall.
Tried:
> bash -c "ls ../qa | wc -l"
518
> echo hello world
hello world
This failed:
> open ~/Pictures/TwoWorldsOneSun_Bouic.jpg
open: Failed to open /dev/console : Permission denied
<In caja in Mate clicking the image displays it with eom>
> cd ~/intray
> open bookmarks.html
open: Failed to open /dev/console : Permission denied
Note that xdg-utils is installed but I rarely set user preferences for anything so am relying on the desktop environment defaults.
open sounds like a very useful command so I am reluctant to pass this update without some reassurance from other users.
CC: (none) => tarazed25
I tried
tester8@mach5 ~> open Pictures/D078.jpg
and that returns nothing and does nothing.
The info I find says "opens with the default application", but is fish aware of the desktop in use? If I use Plasma or Xfce on the same installation, the default application can be different as far as I remember. I could not find easily where such configuration for fish might be found.
I tried
tester8@mach5 ~> dirh
/home/tester8
tester8@mach5 ~> cd Pictures/
tester8@mach5 ~/Pictures> cd ../Documents/
tester8@mach5 ~/Documents> dirh
2) /home/tester8
1) /home/tester8/Pictures
   /home/tester8/Documents
and that looks good.
I've never done anything with xdg that I'm aware of. Tried
$ xdg-mime default ristretto.desktop image/jpg
[tester8@mach5 ~]$ fish
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
tester8@mach5 ~> open Pictures/D078.jpg
But no return as before.
And indeed:
$ xdg-mime query default image/jpg
returns nothing.
This seems to require more knowledge on xdg than I have......
CC: (none) => herman.viaene
Thanks Herman for following up on this. I have to agree that this requires a little more knowledge of what goes on under the hood so I am sending it on. It is generally functional.
Whiteboard: (none) => MGA8-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Advisory committed to svn as ...
type: security
subject: Updated fish packages fix security vulnerability
CVE:
 - CVE-2022-20001
src:
  8:
   core:
     - fish-3.4.1-1.mga8
description: |
  Arbitrary Code Execution. (CVE-2022-20001)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=30227
 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SRNZU5M6WR5TPTNDAIMOYXCJP2ONI4FB/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TRNMYS2LKB6TKOOBQQRSRQICDMWLZ4QL/
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0181.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED