
Bug#1059235: bookworm-pu: package fish/3.6.0-3.1+deb12u1



On Thu, 2023-12-21 at 21:48 +0000, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
> 
> On Thu, Dec 21, 2023 at 10:06:23PM +0100, Salvatore Bonaccorso wrote:
> > Can you as well add a bug closer for #1057455?
> 
> And a brief description of what the vulnerability actually is, please. You
> can go ahead with those changes.

Thanks. I added the missing information as follows, and will upload it shortly.


-------------------------------------------------------------------------------
diff --git a/debian/changelog b/debian/changelog
index 0c1065b..3f18ea1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,10 @@
 fish (3.6.0-3.1+deb12u1) bookworm; urgency=medium
 
-  * Cherry-pick upstream fix for CVE-2023-49284.
+  * Cherry-pick upstream fix for CVE-2023-49284. (Closes: #1057455)
+    fish shell uses certain Unicode non-characters internally for marking
+    wildcards and expansions. It will incorrectly allow these markers to be
+    read on command substitution output, rather than transforming them into
+    a safe internal representation.
 
  -- Mo Zhou <lumin@debian.org>  Thu, 21 Dec 2023 14:47:56 -0500
 
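Review bot: the four added description lines under `+  * Cherry-pick upstream fix for CVE-2023-49284. (Closes: #1057455)` describe only the defect (markers "incorrectly" allowed through on command substitution output) and never state the corrected behaviour, so a bookworm user reading the changelog cannot tell what the update changes; appending a short clause such as "the fix now transforms these markers into the safe internal representation when reading command substitution output" would close that gap. The bug closer itself is placed correctly on the CVE line, as requested in the quoted thread.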
diff --git a/debian/patches/CVE-2023-49284.patch b/debian/patches/CVE-2023-49284.patch
index a6fb924..5830277 100644
--- a/debian/patches/CVE-2023-49284.patch
+++ b/debian/patches/CVE-2023-49284.patch
@@ -4,6 +4,16 @@ Description: fixes CVE-2023-49284
  The corresponding fix can be found at
  https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14
  This patch is rebased from the upstream fix.
+ .
+ fish shell uses certain Unicode non-characters internally for marking
+ wildcards and expansions. It will incorrectly allow these markers to be read
+ on command substitution output, rather than transforming them into a safe
+ internal representation.
+ .
+ While this may cause unexpected behavior with direct input (for example, echo
+ \UFDD2HOME has the same output as echo $HOME), this may become a minor security
+ problem if the output is being fed from an external program into a command
+ substitution where this output may not be expected.
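Review bot: the worked example in the new paragraph is broken across the wrap at `+ While this may cause unexpected behavior with direct input (for example, echo` / `+ \UFDD2HOME has the same output as echo $HOME)`, so the command `echo \UFDD2HOME` no longer reads as one command in the patch header; rewrap so the example sits on a single line. Since this hunk is a DEP-3 header and the Debian bug number is now known, also consider adding a `Bug-Debian: https://bugs.debian.org/1057455` field next to the existing upstream commit URL so the patch itself links to the report it resolves.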