Does this have any relation to the 'Shellshock' bug found in Bash recently? Did Fish borrow code from Bash that inherits the bug?
-- Luciano ES >> ************************** On Fri, 26 Sep 2014 21:28:05 +0800 (WST), David Adam wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi all, > > It's been some months, but I am pleased to announce the release of > fish shell 2.1.1. > > This is a security release, and fixes a number of local privilege > escalation and one remote code execution problem. I strongly > encourage all users to upgrade ASAP. > > New source and binary packages will shortly be available from > http://fishshell.com/ - it takes a little time to build packages for > all platforms so check back in the next day or two if your platform > is not available. > > The SHA-1 checksum for fish-2.1.1.tar.gz is > 8f97f39b92ea7dfef1f464b18e304045bf37546d. > > Importantly, you should stop all running instances of `fishd` once > the update is installed - packages published on fishshell.com will do > this for you, but if you are building from source you need to do this > manually (e.g. with `pkill fishd` or `killall fishd`). It will > automatically be restarted, but is required to avoid losing universal > variables. > > If you are using a platform that sets `$XDG_RUNTIME_DIR`, you should > restart all running fish instances as well. Fedora 20 is one such > distribution; `echo $XDG_RUNTIME_DIR` at a fish prompt should show > you if yours does. > > If you are packaging this software for a distribution, I ask that you > include a postinstallation script that does this for your users. > > The full details of the security problems are as follows: > > CVE-2014-2905: fish universal variable socket vulnerable to > permission bypass leading to privilege escalation > > fish, from at least version 1.16.0 to version 2.1.0 (inclusive), > does not check the credentials of processes communicating over the > fishd universal variable server UNIX domain socket. This allows a > local attacker to elevate their privileges to those of a target user > running fish, including root. > > fish version 2.1.1 is not vulnerable. > > No workaround is currently available for earlier versions of fish. > > https://github.com/fish-shell/fish-shell/issues/1436 > > CVE-2014-2906 and CVE-2014-3856: fish temporary file creation > vulnerable to race condition leading to privilege escalation > > fish, from at least version 1.16.0 to version 2.1.0 (inclusive), > creates temporary files in an insecure manner. > > Versions 1.23.0 to 2.1.0 (inclusive) execute code via `funced` from > these temporary files, allowing privilege escalation to those of any > user running fish, including root. (CVE-2014-3856) > > Additionally, from at least version 1.16.0 to version 2.1.0 > (inclusive), fish will read data using the psub function from these > temporary files, meaning that the input of commands used with the > psub function is under the control of the attacker. (CVE-2014-2906) > > fish version 2.1.1 is not vulnerable. > > No workaround is currently available for earlier versions of fish. > > https://github.com/fish-shell/fish-shell/issues/1437 > > CVE-2014-2914: fish web interface does not restrict access leading to > remote code execution > > fish, from version 2.0.0 to version 2.1.0 (inclusive), fails to > restrict connections to the Web-based configuration service > (fish_config). This allows remote attackers to execute arbitrary code > in the context of the user running fish_config. > > The service is generally only running for short periods of time. > > fish version 2.1.1 is not vulnerable. > > No workaround is currently available for earlier versions of fish, > although the use of the fish_config tool is optional as other > interfaces to fish configuration are available. > > https://github.com/fish-shell/fish-shell/issues/1438 > > CVE-2014-3219: fish temporary file access leading to privilege > escalation > > fish, from at least version 1.16.0 to version 2.1.0 (inclusive), > uses temporary files in an insecure manner. > > fish will read and write completions from these temporary files > without checking for ownership or symbolic links, allowing data > corruption. > > fish version 2.1.1 is not vulnerable. > > No workaround is currently available for earlier versions of fish. > > https://github.com/fish-shell/fish-shell/issues/1440 > > David Adam > fish committer > zanc...@ucc.gu.uwa.edu.au > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.12 (GNU/Linux) > > iQIcBAEBAgAGBQJUJWeHAAoJEMC5abKXToiO+68P/jAV46dgFr6gWcwbgdwoHSD3 > 3NbowiEj8+vmxbDY/+7UqLkdyrDahKTFJeu1jQieOlQygNyVzQ/nprqcL0xzvH5T > Xjc4z0umW/FXDlOM+jjczfiryuhcqA7N30c+4gkyIyybmE2k/k+PhDD182npXaQn > +32B+SVKKf1vRQxBM2gDXNskjzsxZF2IoNiX+Medx4DtxCGpdoSmplUyeqEotgzr > rRGdV/QoOhRh4AgSqVknwjgaQrFDe31UXexhKZ56Qm7feZNPNjnOwNzcxXOWBexD > VhFBz5TwekCVckj4vAdLLBia9eskykjEFm61Et2w6lBjb4n3+VxMoQiKP/MUw0bk > qjGUaZU4Wt0fpep0FN0AOfQfAJ8v6XrZyRt0JmGvCf71Fgrp3IrmGP7AH9x6magf > XbJRiKDyj2mL+l5RA9/dYR1YXHSi0m6stNJa2mqOC3uIwuFRlfkNKxKvjk7kWgVw > iLRfM7nQOhJouMSNhE4t5iwQ9GkTRVZtFI3JipY6eI8BQiikiyigs0XwS3p6auqk > OdfLItIlA+v8NYtKT87lN7Q+soUL0ehCrfItNrAuN/Yj004l19kURlFAFcfPOjvQ > G1um1JAI81L3SFx4o7LI+4mlfBssVqQrkcoHsGRqDwIHNYAU4DteW9ViGAT+sITB > RqN6vDzUyRRhBMPiXr/g > =xkj7 > -----END PGP SIGNATURE----- > > ------------------------------------------------------------------------------ > Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer > Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS > Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download > White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with > EventLog Analyzer > http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk > _______________________________________________ Fish-users mailing > list Fish-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/fish-users ------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk _______________________________________________ Fish-users mailing list Fish-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fish-users
