[Slackbuilds-users] [Fish-users] fish 3.6.2 and 3.6.3 released - security fix
Luna Jernberg
droidbittin at gmail.com
Mon Dec 4 17:08:22 UTC 2023
Have updated the SlackBuild for Slackware
On Mon, 4 Dec 2023 at 17:58, David Adam <zanchey at ucc.gu.uwa.edu.au> wrote:
>
> Hi all,
>
> I'm pleased to announce the release of fish 3.6.2, which contains a fix
> for a bug with a potential security impact, and fish 3.6.3, which contains
> a test suite that passes properly (but no other changes).
>
> CVE-2023-49284 has been assigned for a problem in fish where certain
> Unicode non-characters are used internally for marking wildcards and
> expansions. It will incorrectly allow these markers to be read on
> command substitution output, rather than transforming them into a safe
> internal representation.
>
> While this may cause unexpected behavior with direct input (for example,
> `echo \UFDD2HOME` has the same output as `echo $HOME`), this may become
> a minor security problem if the output is being fed from an external
> program into a command substitution where this output may not be
> expected.
>
> This design flaw was introduced in very early versions of fish,
> predating the version control system, and is thought to be present in
> every version of fish released in the last 15 years or more, although
> with different characters.
>
> Code execution does not appear to be possible, but denial of service
> (through large brace expansion) or information disclosure (such as
> variable expansion) is potentially possible under certain circumstances.
>
> The tarball and packages for Linux, macOS and Windows will soon be
> available from https://fishshell.com/ and the release notes will be at
> https://fishshell.com/release_notes.html - but in the meantime I have
> uploaded the release to the GitHub releases page at:
> https://github.com/fish-shell/fish-shell/releases/tag/3.6.3
>
> The Linux packages will be submitted to the release:3 channel, and if
> you are using your system package manager to install fish from these
> channels a new version will make its way to you soon. If you'd like to use
> this method, the links are:
> https://launchpad.net/~fish-shell/+archive/ubuntu/release-3 (Ubuntu)
> https://software.opensuse.org//download.html?project=shells%3Afish%3Arelease%3A3&package=fish
> (Debian, Fedora, openSUSE and Red Hat Enterprise Linux)
>
> A pull request for Homebrew has been submitted, making the new version
> available soon via upgrading or running `brew install fish`.
>
> For our distributors, the tarball is available at
> https://github.com/fish-shell/fish-shell/releases/download/3.6.3/fish-3.6.3.tar.xz
> The SHA-256 sum is
> 55520128c8ef515908a3821423b430db9258527a6c6acb61c7cb95626b5a48d5 and the
> tarball has a signature from my personal PGP key, as does this message.
>
> May you always remember to run the test suite in the directory
> containing the release, not elsewhere.
>
> Thanks,
>
> David Adam
> fish committer
> zanchey at ucc.gu.uwa.edu.au
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fish.tar.gz
Type: application/gzip
Size: 3934 bytes
Desc: not available
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20231204/9e66f0ba/attachment.bin>
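An added example, not part of the original messages and not fish project code: a Python filter that a script on an unpatched fish could place between an external program and a command substitution, reporting and stripping Unicode noncharacters such as the U+FDD2 from the announcement's example. It checks all 66 Unicode noncharacters, which is broader than the set the announcement says fish uses; the function names and the sample bytes are constructed for illustration.

```python
import sys

def is_noncharacter(cp: int) -> bool:
    """True for the 66 Unicode noncharacters: U+FDD0..U+FDEF plus the
    last two code points of each plane (U+FFFE, U+FFFF, U+1FFFE, ...)."""
    return 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE

def _decode(data: bytes) -> str:
    # surrogateescape keeps invalid bytes round-trippable instead of failing
    return data.decode("utf-8", errors="surrogateescape")

def find_noncharacters(data: bytes) -> list:
    """Return (character index, 'U+XXXX') for each noncharacter in data."""
    return [(i, f"U+{ord(ch):04X}")
            for i, ch in enumerate(_decode(data)) if is_noncharacter(ord(ch))]

def strip_noncharacters(data: bytes) -> bytes:
    """Return data with every noncharacter removed, other bytes untouched."""
    kept = "".join(ch for ch in _decode(data) if not is_noncharacter(ord(ch)))
    return kept.encode("utf-8", errors="surrogateescape")

# Constructed sample: what an external program might print. The second line
# carries U+FDD2 before "HOME", the sequence from the announcement's example.
SAMPLE = b"build ok\n\xef\xb7\x92HOME\n"

if __name__ == "__main__":
    # Filter stdin when piped; otherwise demonstrate on the constructed sample.
    data = sys.stdin.buffer.read() if not sys.stdin.isatty() else SAMPLE
    hits = find_noncharacters(data)
    for index, name in hits:
        print(f"noncharacter {name} at character {index}", file=sys.stderr)
    sys.stdout.buffer.write(strip_noncharacters(data))
    sys.exit(1 if hits else 0)
```

The non-zero exit status lets a calling script reject the output outright instead of using the stripped text.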