Gentoo Linux Security Advisory 202309-10

Gentoo Linux Security Advisory 202309-10 - A vulnerability was discovered in Fish when handling git repository configuration that may lead to execution of arbitrary code. Versions less than 3.4.0 are affected.

Packet Storm

Gentoo Linux Security Advisory GLSA 202309-10

https://security.gentoo.org/

Severity: Normal
Title: Fish: User-assisted execution of arbitrary code
Date: September 29, 2023
Bugs: #835337
ID: 202309-10


Synopsis

A vulnerability was discovered in Fish when handling git repository
configuration that may lead to execution of arbitrary code

Background

Smart and user-friendly command line shell for macOS, Linux, and the
rest of the family. It includes features like syntax highlighting,
autosuggest-as-you-type, and fancy tab completions that just work, with
no configuration required.

Affected packages

Package           Vulnerable   Unaffected

app-shells/fish   < 3.4.0      >= 3.4.0

Description

A vulnerability has been discovered in Fish. Please review the CVE
identifier referenced below for details.

Impact

A user may be enticed to cd into a git repository under control by an
attacker (e.g. on a shared filesystem or by unpacking an archive) and
execute arbitrary commands.

Workaround

There is no known workaround at this time.

Resolution

All fish users should upgrade to the latest version:

emerge --sync

emerge --ask --oneshot --verbose ">=app-shells/fish-3.4.0"

References

[ 1 ] CVE-2022-20001
https://nvd.nist.gov/vuln/detail/CVE-2022-20001

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202309-10

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.

License

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Related news

CVE-2022-20001: fish_git_prompt: be careful about git config by ridiculousfish · Pull Request #8589 · fish-shell/fish-shell

fish is a command line shell. fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git repositories can contain per-repository configuration that change the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing to a directory automatically runs `git` commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory into one controlled by the attacker, such as on a shared file system or extracted archive, fish will run arbitrary commands under the attacker's control. This problem has been fixed in fish 3.4.0. Note that running git in these directories, including using the git tab completion, remains a potential trigger for this issue. As a workaround, remove the `fish_git_prompt` function from the prompt.
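The mechanism described above (git reading per-repository configuration whose values can name external commands) suggests a defender-side check: before letting a prompt helper or any git command run inside an untrusted checkout, audit its `.git/config` for keys whose values git executes. This is an added example, not fish, Gentoo or Packet Storm code; the key list is an assumption drawn from git-config(1) and is not exhaustive, and the sample configuration is constructed.

```python
import re
# Keys whose value git itself executes as a command.  Assumption: a
# non-exhaustive subset drawn from git-config(1), not from the advisory.
COMMAND_KEYS = {
    "core.fsmonitor", "core.sshcommand", "core.gitproxy", "core.pager",
    "core.editor", "core.hookspath", "diff.external", "credential.helper",
}
# Per-driver keys (diff.<driver>.command, filter.<driver>.clean, ...).
COMMAND_SUFFIXES = (".command", ".textconv", ".clean", ".smudge", ".process")
SECTION_RE = re.compile(r'^\[([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]$')

def parse_git_config(text):
    """Flatten git-config syntax into {'section[.sub].key': value}.
    Section and key names are case-insensitive in git, subsections
    are not; boolean keys written without '=' are skipped here."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = f"{name}.{sub}" if sub is not None else name
            continue
        if section is not None and "=" in line:
            key, _, value = line.partition("=")
            entries[f"{section}.{key.strip().lower()}"] = value.strip()
    return entries

def risky_settings(config_text):
    """Return (key, value) pairs that would make git run a command."""
    return [(k, v) for k, v in parse_git_config(config_text).items()
            if k in COMMAND_KEYS or k.endswith(COMMAND_SUFFIXES)]
# Constructed sample .git/config (not taken from any real repository).
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tfsmonitor = /tmp/constructed-hook
[diff "constructed"]
\tcommand = /tmp/constructed-diff
[remote "origin"]
\turl = https://example.invalid/repo.git
"""

if __name__ == "__main__":
    for key, value in risky_settings(SAMPLE_CONFIG):
        print(f"WARNING: {key} = {value}")
```

Run it against a checkout's `.git/config` (and any files it includes) before enabling git-driven prompt output for that directory; an empty result means none of the listed keys are set, not that the repository is safe.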
