--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package fish/3.6.0-3.1+deb12u1
- From: "M. Zhou" <lumin@debian.org>
- Date: Thu, 21 Dec 2023 15:16:22 -0500
- Message-id: <cf9a3075e557590cc468ef409cd4c3b2022cdf07.camel@debian.org>
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: fish@packages.debian.org
Control: affects -1 + src:fish
[ Reason ]
Cherry-pick upstream fix to CVE-2023-49284
[ Impact ]
This is a low severity security issue that affects basically
all historical releases of fish. The upstream created new
releases (i.e. 3.6.2) solely for fixing this bug.
https://github.com/fish-shell/fish-shell/commits/Integration_3.6.2/
So it would be good if we can integrate the fix into stable.
[ Tests ]
The fix is already included in fish/3.6.4-1 (sid).
The rebased patch passed my local sbuild test.
I installed the package in a chroot and tested it.
[ Risks ]
low.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Only one change. Please refer to the patch header for explanation.
[ Other info ]
diff -Nru fish-3.6.0/debian/changelog fish-3.6.0/debian/changelog
--- fish-3.6.0/debian/changelog 2023-05-01 13:01:01.000000000 -0400
+++ fish-3.6.0/debian/changelog 2023-12-21 14:47:56.000000000 -0500
@@ -1,3 +1,9 @@
+fish (3.6.0-3.1+deb12u1) bookworm; urgency=medium
+
+ * Cherry-pick upstream fix for CVE-2023-49284.
+
+ -- Mo Zhou <lumin@debian.org> Thu, 21 Dec 2023 14:47:56 -0500
+
fish (3.6.0-3.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru fish-3.6.0/debian/patches/CVE-2023-49284.patch fish-3.6.0/debian/patches/CVE-2023-49284.patch
--- fish-3.6.0/debian/patches/CVE-2023-49284.patch 1969-12-31 19:00:00.000000000 -0500
+++ fish-3.6.0/debian/patches/CVE-2023-49284.patch 2023-12-21 14:44:13.000000000 -0500
@@ -0,0 +1,31 @@
+Description: fixes CVE-2023-49284
+ The CVE report can be found at
+ https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f
+ The corresponding fix can be found at
+ https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14
+ This patch is rebased from the upstream fix.
+diff --git a/src/common.cpp b/src/common.cpp
+index baee97a..0e76bf1 100644
+--- a/src/common.cpp
++++ b/src/common.cpp
+@@ -345,9 +345,7 @@ static wcstring str2wcs_internal(const char *in, const size_t in_len) {
+ } else {
+ ret = std::mbrtowc(&wc, &in[in_pos], in_len - in_pos, &state);
+ // Determine whether to encode this character with our crazy scheme.
+- if (wc >= ENCODE_DIRECT_BASE && wc < ENCODE_DIRECT_BASE + 256) {
+- use_encode_direct = true;
+- } else if (wc == INTERNAL_SEPARATOR) {
++ if (fish_reserved_codepoint(wc)) {
+ use_encode_direct = true;
+ } else if (ret == static_cast<size_t>(-2)) {
+ // Incomplete sequence.
+@@ -1323,6 +1321,9 @@ maybe_t<size_t> read_unquoted_escape(const wc
+ }
+
+ if (result_char_or_none.has_value()) {
++ if (fish_reserved_codepoint(*result_char_or_none)) {
++ return none();
++ }
+ result->push_back(*result_char_or_none);
+ }
+
diff -Nru fish-3.6.0/debian/patches/series fish-3.6.0/debian/patches
--- fish-3.6.0/debian/patches/series 2023-05-01 13:01:01.00000000
+++ fish-3.6.0/debian/patches/series 2023-12-21 14:44:23.00000000
@@ -1,3 +1,4 @@
0001-reader-make-Escape-during-history-search-restore-com.patch
0002-reader-Remove-assert-in-history-search.patch
0003-workaround-for-Midnight-Commander.patch
+CVE-2023-49284.patch
--- End Message ---