Command substitution output can trigger shell expansion. https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f Fixed in version 3.6.2, however version 3.6.3 and 3.6.4 was released to fix an error in the test suite.
Cauldron has been updated to version 3.6.4.
Version: Cauldron => 9Whiteboard: (none) => MGA8TOOCVE: (none) => CVE-2023-49284
Advisory ======== Upstream released version 3.6.4 to fix CVE-2023-49284. CVE-2023-49284: fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation. References ========== https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f Files ===== Uploaded to core/updates_testing fish-3.6.4-1.mga9 from fish-3.6.4-1.mga9.src.rpm
Advisory ======== Backported an upstream patch to fix CVE-2023-49284. CVE-2023-49284: fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation. References ========== https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f Files ===== Uploaded to core/updates_testing fish-3.4.1-1.1.mga8 from fish-3.4.1-1.1.mga8.src.rpm
Assignee: smelror => qa-bugs
CC: (none) => marja11Source RPM: (none) => fish
Merged Advisory from comment 2 and comment 3 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"
Keywords: (none) => advisory
Mageia8, x86_64 $ rpm -q fish fish-3.4.1-1.mga8 $ cat foo.py print("\ufdd2HOME") $ fish Welcome to fish, the friendly interactive shell Type help for instructions on how to use fish lcl@canopus ~> echo $(python3 foo.py) /home/lcl lcl@canopus ~> exit $ Don't know what other prefixes to use. Installed the update. $ fish Welcome to fish, the friendly interactive shell Type help for instructions on how to use fish lcl@canopus ~> echo $(python3 foo.py) lcl@canopus ~> exit So that simply shows a blank line. Maybe that is what is intended. If so then this update is OK for Mageia8.
Whiteboard: MGA8TOO => MGA8TOOCC: (none) => tarazed25
Switched back to Mageia9. Installed fish-3.6.1-1. $ fish Welcome to fish, the friendly interactive shell Type help for instructions on how to use fish lcl@canopus ~> echo $(python foo.py) /home/lcl lcl@canopus ~> exit $ Updated to fish-3.6.4-1.mga9. $ fish lcl@canopus ~> echo $(python foo.py) HOME lcl@canopus ~> exit $ echo $(python foo.py) HOME So the prefix code is output in harmless fashion in fish and bash shells.Good for Mageia 9.
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK MGA9-64-OK
Switched back to Mageia9. Installed fish-3.6.1-1. $ fish Welcome to fish, the friendly interactive shell Type help for instructions on how to use fish lcl@canopus ~> echo $(python foo.py) /home/lcl lcl@canopus ~> exit $ Updated to fish-3.6.4-1.mga9. $ fish lcl@canopus ~> echo $(python foo.py) HOME lcl@canopus ~> exit $ echo $(python foo.py) HOME So the prefix code is output in harmless fashion in fish and bash shells. Good for Mageia 9.
When I tried to submit this the system issued this error report: "\x{fdd2}" does not map to UTF-8 at /usr/lib64/perl5/Encode.pm line 199, <DATA> line 755. After two attempts I substituted <something> for the little square with FDD2 in 2x2 format and tried again and the two initial versions materialised. ???
(In reply to Len Lawrence from comment #9) > When I tried to submit this the system issued this error report: > > "\x{fdd2}" does not map to UTF-8 at /usr/lib64/perl5/Encode.pm line 199, > <DATA> line 755. > > After two attempts I substituted <something> for the little square with FDD2 > in 2x2 format and tried again and the two initial versions materialised. ??? I Hide one of them
And I get the same warning that Len Lawrence in comment#9, I just close the tab and open this bug again :S
Confirmed that the update fix the issue on Mageia 9
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK => MGA8-64-OK MGA9-64-OK
Source RPM: fish => fish-3.4.1-1.mga8.src.rpm,fish-3.6.1-1.mga9.src.rpm
Testing if we have a bug related with comment#5
(In reply to katnatek from comment #13) > Testing if we have a bug related with comment#5 If that is the cause (no other bug have the issue reported in comment#9) mark as obsolete is not enough
Another test hiding comment#6 and comment#7
(In reply to katnatek from comment #15) > Another test hiding comment#6 and comment#7 Not enough/Not the cause
(In reply to Len Lawrence from comment #9) > When I tried to submit this the system issued this error report: > > "\x{fdd2}" does not map to UTF-8 at /usr/lib64/perl5/Encode.pm line 199, > <DATA> line 755. Yes, Bugzilla didn't like \x{fdd2} in comment 6 (and now in comments 7 and 8 as well) and the emails have not been sent. Now everytime you write a new comment, it will try to resend the older comments and will fail again.
i open a new bug, this is now tainted bug#32609
Resolution: (none) => WONTFIXKeywords: advisory, validated_update => (none)Status: NEW => RESOLVED
Why are you closing this bug as WONTFIX? Bug 32609 is about Bugzilla. This bug is about fish.
Keywords: (none) => advisory, validated_update
Status: RESOLVED => REOPENEDResolution: WONTFIX => (none)
Duplicate 32614 was created because of an issue with this report *** This bug has been marked as a duplicate of bug 32614 ***
Resolution: (none) => DUPLICATEStatus: REOPENED => RESOLVED