Source: fish Version: 3.6.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for fish. CVE-2023-49284[0]: | fish is a smart and user-friendly command line shell for macOS, | Linux, and the rest of the family. fish shell uses certain Unicode | non-characters internally for marking wildcards and expansions. It | will incorrectly allow these markers to be read on command | substitution output, rather than transforming them into a safe | internal representation. While this may cause unexpected behavior | with direct input (for example, echo \UFDD2HOME has the same output | as echo $HOME), this may become a minor security problem if the | output is being fed from an external program into a command | substitution where this output may not be expected. This design flaw | was introduced in very early versions of fish, predating the version | control system, and is thought to be present in every version of | fish released in the last 15 years or more, although with different | characters. Code execution does not appear to be possible, but | denial of service (through large brace expansion) or information | disclosure (such as variable expansion) is potentially possible | under certain circumstances. fish shell 3.6.2 has been released to | correct this issue. Users are advised to upgrade. There are no known | workarounds for this vulnerability. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-49284 https://www.cve.org/CVERecord?id=CVE-2023-49284 [1] https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f [2] https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14 Please adjust the affected versions in the BTS as needed. Regards, Salvatore