Bug#1059235: bookworm-pu: package fish/3.6.0-3.1+deb12u1
On Thu, 2023-12-21 at 21:48 +, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
>
> On Thu, Dec 21, 2023 at 10:06:23PM +0100, Salvatore Bonaccorso wrote:
> > Can you as well add a bug closer for #1057455?
>
> And a brief description of what the vulnerability actually is, please. You
> can go ahead with those changes.

Thanks. I added the missing information as follows, and will upload it shortly.

---
diff --git a/debian/changelog b/debian/changelog index 0c1065b..3f18ea1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,10 @@ fish (3.6.0-3.1+deb12u1) bookworm; urgency=medium - * Cherry-pick upstream fix for CVE-2023-49284. + * Cherry-pick upstream fix for CVE-2023-49284. (Closes: #1057455) +fish shell uses certain Unicode non-characters internally for marking +wildcards and expansions. It will incorrectly allow these markers to be +read on command substitution output, rather than transforming them into +a safe internal representation. -- Mo Zhou Thu, 21 Dec 2023 14:47:56 -0500 diff --git a/debian/patches/CVE-2023-49284.patch b/debian/patches/CVE-2023-49284.patch index a6fb924..5830277 100644 --- a/debian/patches/CVE-2023-49284.patch +++ b/debian/patches/CVE-2023-49284.patch @@ -4,6 +4,16 @@ Description: fixes CVE-2023-49284 The corresponding fix can be found at https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14 This patch is rebased from the upstream fix. + . + fish shell uses certain Unicode non-characters internally for marking + wildcards and expansions. It will incorrectly allow these markers to be read + on command substitution output, rather than transforming them into a safe + internal representation. + . + While this may cause unexpected behavior with direct input (for example, echo + \UFDD2HOME has the same output as echo $HOME), this may become a minor security + problem if the output is being fed from an external program into a command + substitution where this output may not be expected.
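Review bot: In the debian/changelog hunk, the four added description lines ("+fish shell uses certain Unicode non-characters ..." through "+a safe internal representation.") sit flush against the "+" as shown here, while the added lines in the patch-header hunk keep their leading space. Changelog detail lines need at least two leading spaces, so please confirm the uploaded file indents this text under the "* Cherry-pick upstream fix ..." item; unindented, it will not be parsed as part of that entry.

Review bot: In the debian/patches/CVE-2023-49284.patch header hunk, the new advisory text explains the issue, but the Debian bug number appears only in the changelog and the upstream commit is given only as free text inside Description. Consider adding the DEP-3 fields "Origin: backport, https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14" and "Bug-Debian: https://bugs.debian.org/1057455" so the patch is traceable on its own.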
Bug#1059235: bookworm-pu: package fish/3.6.0-3.1+deb12u1
Control: tag -1 confirmed

On Thu, Dec 21, 2023 at 10:06:23PM +0100, Salvatore Bonaccorso wrote:
> Can you as well add a bug closer for #1057455?

And a brief description of what the vulnerability actually is, please. You
can go ahead with those changes.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1059235: bookworm-pu: package fish/3.6.0-3.1+deb12u1
Hi,

On Thu, Dec 21, 2023 at 03:16:22PM -0500, M. Zhou wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: f...@packages.debian.org
> Control: affects -1 + src:fish
>
>
> [ Reason ]
>
> Cherry-pick upstream fix to CVE-2023-49284
>
> [ Impact ]
>
> This is a low severity security issue that affects basically
> all historical releases of fish. The upstream created new
> releases (i.e. 3.6.2) solely for fixing this bug.
> https://github.com/fish-shell/fish-shell/commits/Integration_3.6.2/
> So it would be good if we can integrate the fix into stable.
>
>
> [ Tests ]
>
> The fix is already included in fish/3.6.4-1 (sid).
> The rebased patch passed my local sbuild test.
> I installed the package in a chroot and tested it.
>
> [ Risks ]
>
> low.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
>
> Only one change. Please refer to the patch header for explanation.
>
> [ Other info ]
>
> diff -Nru fish-3.6.0/debian/changelog fish-3.6.0/debian/changelog > --- fish-3.6.0/debian/changelog 2023-05-01 13:01:01.0 -0400 > +++ fish-3.6.0/debian/changelog 2023-12-21 14:47:56.0 -0500 > @@ -1,3 +1,9 @@ > +fish (3.6.0-3.1+deb12u1) bookworm; urgency=medium > + > + * Cherry-pick upstream fix for CVE-2023-49284.

Can you as well add a bug closer for #1057455?

Regards,
Salvatore
Bug#1059235: bookworm-pu: package fish/3.6.0-3.1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: f...@packages.debian.org
Control: affects -1 + src:fish


[ Reason ]

Cherry-pick upstream fix to CVE-2023-49284

[ Impact ]

This is a low severity security issue that affects basically
all historical releases of fish. The upstream created new
releases (i.e. 3.6.2) solely for fixing this bug.
https://github.com/fish-shell/fish-shell/commits/Integration_3.6.2/
So it would be good if we can integrate the fix into stable.


[ Tests ]

The fix is already included in fish/3.6.4-1 (sid).
The rebased patch passed my local sbuild test.
I installed the package in a chroot and tested it.

[ Risks ]

low.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]

Only one change. Please refer to the patch header for explanation.

[ Other info ]

diff -Nru fish-3.6.0/debian/changelog fish-3.6.0/debian/changelog --- fish-3.6.0/debian/changelog 2023-05-01 13:01:01.0 -0400 +++ fish-3.6.0/debian/changelog 2023-12-21 14:47:56.0 -0500 @@ -1,3 +1,9 @@ +fish (3.6.0-3.1+deb12u1) bookworm; urgency=medium + + * Cherry-pick upstream fix for CVE-2023-49284. + + -- Mo Zhou Thu, 21 Dec 2023 14:47:56 -0500 + fish (3.6.0-3.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru fish-3.6.0/debian/patches/CVE-2023-49284.patch fish-3.6.0/debian/patches/CVE-2023-49284.patch --- fish-3.6.0/debian/patches/CVE-2023-49284.patch 1969-12-31 19:00:00.0 -0500 +++ fish-3.6.0/debian/patches/CVE-2023-49284.patch 2023-12-21 14:44:13.0 -0500
@@ -0,0 +1,31 @@ +Description: fixes CVE-2023-49284 + The CVE report can be found at + https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f + The corresponding fix can be found at + https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14 + This patch is rebased from the upstream fix. +diff --git a/src/common.cpp b/src/common.cpp +index baee97a..0e76bf1 100644 +--- a/src/common.cpp b/src/common.cpp +@@ -345,9 +345,7 @@ static wcstring str2wcs_internal(const char *in, const size_t in_len) { + } else { + ret = std::mbrtowc(, [in_pos], in_len - in_pos, ); + // Determine whether to encode this character with our crazy scheme. +-if (wc >= ENCODE_DIRECT_BASE && wc < ENCODE_DIRECT_BASE + 256) { +-use_encode_direct = true; +-} else if (wc == INTERNAL_SEPARATOR) { ++if (fish_reserved_codepoint(wc)) { + use_encode_direct = true; + } else if (ret == static_cast(-2)) { + // Incomplete sequence. +@@ -1323,6 +1321,9 @@ maybe_t read_unquoted_escape(const wc + } + + if (result_char_or_none.has_value()) { ++if (fish_reserved_codepoint(*result_char_or_none)) { ++return none(); ++} + result->push_back(*result_char_or_none); + } + diff -Nru fish-3.6.0/debian/patches/series fish-3.6.0/debian/patches --- fish-3.6.0/debian/patches/series2023-05-01 13:01:01. +++ fish-3.6.0/debian/patches/series2023-12-21 14:44:23. @@ -1,3 +1,4 @@ 0001-reader-make-Escape-during-history-search-restore-com.patch 0002-reader-Remove-assert-in-history-search.patch 0003-workaround-for-Midnight-Commander.patch +CVE-2023-49284.patch
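Review bot: Both hunks of the embedded src/common.cpp patch call fish_reserved_codepoint(), but nothing in this 31-line patch declares or defines it, so the rebase depends on 3.6.0 already shipping that helper with the same meaning as upstream. Please state that in the patch header, and mention there that read_unquoted_escape() now returns none() when an escape decodes to a reserved codepoint, since that changes how such input is handled. The Tests section reports a passing sbuild and a chroot install but names no check of the fixed behaviour; recording the exact command and output used to confirm the fix would let the release team reproduce it.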