Bug#1059235: bookworm-pu: package fish/3.6.0-3.1+deb12u1

2023-12-22 Thread M. Zhou
On Thu, 2023-12-21 at 21:48 +, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
> 
> On Thu, Dec 21, 2023 at 10:06:23PM +0100, Salvatore Bonaccorso wrote:
> > Can you as well add a bug closer for #1057455?
> 
> And a brief description of what the vulnerability actually is, please. You
> can go ahead with those changes.

Thanks. I added the missing information as follows, and will upload it shortly.


---
diff --git a/debian/changelog b/debian/changelog
index 0c1065b..3f18ea1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,10 @@
 fish (3.6.0-3.1+deb12u1) bookworm; urgency=medium
 
-  * Cherry-pick upstream fix for CVE-2023-49284.
+  * Cherry-pick upstream fix for CVE-2023-49284. (Closes: #1057455)
+fish shell uses certain Unicode non-characters internally for marking
+wildcards and expansions. It will incorrectly allow these markers to be
+read on command substitution output, rather than transforming them into
+a safe internal representation.
 
  -- Mo Zhou   Thu, 21 Dec 2023 14:47:56 -0500
 
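Review bot: The four description lines added under the `* Cherry-pick` bullet start in column 0 ("fish shell uses certain Unicode non-characters ..."), but change details in debian/changelog have to be indented by at least two spaces, so as shown they do not parse as part of this entry. Indent them to line up with the bullet text, for example `    fish shell uses certain Unicode non-characters internally for marking`, and do the same for the three lines that follow.
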
diff --git a/debian/patches/CVE-2023-49284.patch 
b/debian/patches/CVE-2023-49284.patch
index a6fb924..5830277 100644
--- a/debian/patches/CVE-2023-49284.patch
+++ b/debian/patches/CVE-2023-49284.patch
@@ -4,6 +4,16 @@ Description: fixes CVE-2023-49284
  The corresponding fix can be found at
  
https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14
  This patch is rebased from the upstream fix.
+ .
+ fish shell uses certain Unicode non-characters internally for marking
+ wildcards and expansions. It will incorrectly allow these markers to be read
+ on command substitution output, rather than transforming them into a safe
+ internal representation.
+ .
+ While this may cause unexpected behavior with direct input (for example, echo
+ \UFDD2HOME has the same output as echo $HOME), this may become a minor 
security
+ problem if the output is being fed from an external program into a command
+ substitution where this output may not be expected.
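
Review bot: The upstream commit URL stays inside the free-form Description text, and the paragraphs added here explain the issue without any machine-readable link to the Debian bug. Consider DEP-3 fields for both, `Origin: upstream, https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14` and `Bug-Debian: https://bugs.debian.org/1057455`, and keep Description for the explanation. The line with the `echo \UFDD2HOME` example is also wrapped after "minor" in this mail, so the hunk as posted inline will not apply; the uploaded patch should carry it on one line.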



Bug#1059235: bookworm-pu: package fish/3.6.0-3.1+deb12u1

2023-12-21 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Thu, Dec 21, 2023 at 10:06:23PM +0100, Salvatore Bonaccorso wrote:
> Can you as well add a bug closer for #1057455?

And a brief description of what the vulnerability actually is, please. You
can go ahead with those changes.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1059235: bookworm-pu: package fish/3.6.0-3.1+deb12u1

2023-12-21 Thread Salvatore Bonaccorso
Hi,

On Thu, Dec 21, 2023 at 03:16:22PM -0500, M. Zhou wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: f...@packages.debian.org
> Control: affects -1 + src:fish
> 
> 
> [ Reason ]
> 
> Cherry-pick upstream fix to CVE-2023-49284
> 
> [ Impact ]
> 
> This is a low severity security issue that affects basically
> all historical releases of fish. The upstream created new
> releases (i.e. 3.6.2) solely for fixing this bug.
> https://github.com/fish-shell/fish-shell/commits/Integration_3.6.2/
> So it would be good if we can integrate the fix into stable.
> 
> 
> [ Tests ]
> 
> The fix is already included in fish/3.6.4-1 (sid).
> The rebased patch passed my local sbuild test.
> I installed the package in a chroot and tested it.
> 
> [ Risks ]
> 
> low.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> 
> Only one change. Please refer to the patch header for explanation.
> 
> [ Other info ]
> 
> diff -Nru fish-3.6.0/debian/changelog fish-3.6.0/debian/changelog
> --- fish-3.6.0/debian/changelog 2023-05-01 13:01:01.0 -0400
> +++ fish-3.6.0/debian/changelog 2023-12-21 14:47:56.0 -0500
> @@ -1,3 +1,9 @@
> +fish (3.6.0-3.1+deb12u1) bookworm; urgency=medium
> +
> +  * Cherry-pick upstream fix for CVE-2023-49284.

Can you as well add a bug closer for #1057455?

Regards,
Salvatore



Bug#1059235: bookworm-pu: package fish/3.6.0-3.1+deb12u1

2023-12-21 Thread M. Zhou
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: f...@packages.debian.org
Control: affects -1 + src:fish


[ Reason ]

Cherry-pick upstream fix to CVE-2023-49284

[ Impact ]

This is a low severity security issue that affects basically
all historical releases of fish. The upstream created new
releases (i.e. 3.6.2) solely for fixing this bug.
https://github.com/fish-shell/fish-shell/commits/Integration_3.6.2/
So it would be good if we can integrate the fix into stable.


[ Tests ]

The fix is already included in fish/3.6.4-1 (sid).
The rebased patch passed my local sbuild test.
I installed the package in a chroot and tested it.

[ Risks ]

low.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

Only one change. Please refer to the patch header for explanation.

[ Other info ]

diff -Nru fish-3.6.0/debian/changelog fish-3.6.0/debian/changelog
--- fish-3.6.0/debian/changelog 2023-05-01 13:01:01.0 -0400
+++ fish-3.6.0/debian/changelog 2023-12-21 14:47:56.0 -0500
@@ -1,3 +1,9 @@
+fish (3.6.0-3.1+deb12u1) bookworm; urgency=medium
+
+  * Cherry-pick upstream fix for CVE-2023-49284.
+
+ -- Mo Zhou   Thu, 21 Dec 2023 14:47:56 -0500
+
 fish (3.6.0-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
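
Review bot: The only bullet in the new entry, "Cherry-pick upstream fix for CVE-2023-49284.", has no bug closer and does not say what the vulnerability is. Add `(Closes: #1057455)` and a short summary of the issue, indented under the bullet, so the stable changelog can be read without looking up the CVE id.
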
diff -Nru fish-3.6.0/debian/patches/CVE-2023-49284.patch 
fish-3.6.0/debian/patches/CVE-2023-49284.patch
--- fish-3.6.0/debian/patches/CVE-2023-49284.patch  1969-12-31 
19:00:00.0 -0500
+++ fish-3.6.0/debian/patches/CVE-2023-49284.patch  2023-12-21 
14:44:13.0 -0500
@@ -0,0 +1,31 @@
+Description: fixes CVE-2023-49284
+ The CVE report can be found at
+ 
https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f
+ The corresponding fix can be found at
+ 
https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14
+ This patch is rebased from the upstream fix.
+diff --git a/src/common.cpp b/src/common.cpp
+index baee97a..0e76bf1 100644
+--- a/src/common.cpp
 b/src/common.cpp
+@@ -345,9 +345,7 @@ static wcstring str2wcs_internal(const char *in, const 
size_t in_len) {
+ } else {
+ ret = std::mbrtowc(, [in_pos], in_len - in_pos, );
+ // Determine whether to encode this character with our crazy 
scheme.
+-if (wc >= ENCODE_DIRECT_BASE && wc < ENCODE_DIRECT_BASE + 256) {
+-use_encode_direct = true;
+-} else if (wc == INTERNAL_SEPARATOR) {
++if (fish_reserved_codepoint(wc)) {
+ use_encode_direct = true;
+ } else if (ret == static_cast(-2)) {
+ // Incomplete sequence.
+@@ -1323,6 +1321,9 @@ maybe_t read_unquoted_escape(const wc
+ }
+ 
+ if (result_char_or_none.has_value()) {
++if (fish_reserved_codepoint(*result_char_or_none)) {
++return none();
++}
+ result->push_back(*result_char_or_none);
+ }
+ 
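
Review bot: Both hunks of the embedded upstream patch call `fish_reserved_codepoint()`, but nothing in these 31 lines defines or declares it, so the fix depends entirely on the helper as it exists in 3.6.0. Please confirm that the 3.6.0 definition covers at least the two cases the removed lines handled, `wc >= ENCODE_DIRECT_BASE && wc < ENCODE_DIRECT_BASE + 256` and `wc == INTERNAL_SEPARATOR`, and note that in the patch header. As posted inline the patch is also line-wrapped and the `--- a/src/common.cpp` line is not followed by a proper `+++` line, so it is better attached as a file.
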
diff -Nru fish-3.6.0/debian/patches/series fish-3.6.0/debian/patches
--- fish-3.6.0/debian/patches/series2023-05-01 13:01:01.
+++ fish-3.6.0/debian/patches/series2023-12-21 14:44:23.
@@ -1,3 +1,4 @@
 0001-reader-make-Escape-during-history-search-restore-com.patch
 0002-reader-Remove-assert-in-history-search.patch
 0003-workaround-for-Midnight-Commander.patch
+CVE-2023-49284.patch