Bug 1197139 - (CVE-2022-20001) VUL-0: CVE-2022-20001: fish: Navigating to a compromised git repository may lead to arbitrary code execution
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
: P3 - Medium : Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/326154/
Reported: 2022-03-15 14:12 UTC by Thomas Leroy
Modified: 2022-03-31 13:23 UTC
Found By: Security Response Team
Description Thomas Leroy 2022-03-15 14:12:09 UTC
CVE-2022-20001

fish is a command line shell. fish version 3.1.0 through version 3.3.1 is
vulnerable to arbitrary code execution. git repositories can contain
per-repository configuration that changes the behavior of git, including running
arbitrary commands. When using the default configuration of fish, changing to a
directory automatically runs `git` commands in order to display information
about the current repository in the prompt. If an attacker can convince a user
to change their current directory into one controlled by the attacker, such as
on a shared file system or extracted archive, fish will run arbitrary commands
under the attacker's control. This problem has been fixed in fish 3.4.0. Note
that running git in these directories, including using the git tab completion,
remains a potential trigger for this issue. As a workaround, remove the
`fish_git_prompt` function from the prompt.

Upstream fix commit:
https://github.com/fish-shell/fish-shell/pull/8589/commits/ac9218b4bd882b8d889b618a6c690ff0e67fab0b

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-20001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20001
https://github.com/fish-shell/fish-shell/pull/8589
https://github.com/fish-shell/fish-shell/security/advisories/GHSA-pj5f-6vxj-f5mq
https://github.com/fish-shell/fish-shell/releases/tag/3.4.0
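
As an added illustration (not part of this bug report or of the upstream fish fix), the following Python check reads a repository's `.git/config` directly, without invoking git, and flags settings whose values git may execute as commands. The key list is an assumption chosen for this example and is not exhaustive; `risky_settings`, `audit_repo` and the sample config are constructed here.

```python
import re
from pathlib import Path

# Assumption: git config keys whose values git may run as a command.
# Non-exhaustive; chosen for this example, not taken from the bug report.
EXEC_KEYS = {"core.fsmonitor", "core.pager", "core.editor",
             "core.sshcommand", "diff.external"}
SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"[^"]*")?\s*\]')

# Constructed sample of a per-repository config (not from a real repository).
SAMPLE = """\
[core]
    bare = false
    fsmonitor = ./helper.sh
[alias]
    st = status
    co = !./checkout-wrapper
[remote "origin"]
    url = https://example.invalid/repo.git
"""

def risky_settings(config_text):
    """Return (key, value) pairs that can make git run an external command."""
    findings, section = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()     # section names are case-insensitive
            continue
        if section is None:
            continue
        name, _, value = line.partition("=")
        name, value = name.strip().lower(), value.strip()
        key = f"{section}.{name}"
        # Boolean values (e.g. core.fsmonitor = true) name no external command.
        if key in EXEC_KEYS and value.lower() not in ("", "true", "false"):
            findings.append((key, value))
        elif section == "alias" and value.startswith("!"):   # shell alias
            findings.append((key, value))
    return findings

def audit_repo(repo_dir):
    """Inspect repo_dir/.git/config as plain text; git itself is never run."""
    cfg = Path(repo_dir) / ".git" / "config"
    return risky_settings(cfg.read_text(errors="replace")) if cfg.is_file() else []
```

Running `audit_repo` on an extracted archive or shared directory before entering it with an affected fish version shows whether its configuration names any external command.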
Comment 1 Thomas Leroy 2022-03-15 14:19:00 UTC
Only the following are affected:
- openSUSE:Backports:SLE-15-SP4
- openSUSE:Factory
Comment 2 Simon Lees 2022-03-15 22:47:53 UTC
(In reply to Thomas Leroy from comment #1)
> Only the following are affected:
> - openSUSE:Backports:SLE-15-SP4
> - openSUSE:Factory

https://build.opensuse.org/package/show/openSUSE:Leap:15.2:Update/fish3 is also affected, which means that Leap 15.3 is probably also affected.
Comment 3 Petr Gajdos 2022-03-16 06:43:19 UTC
Request into devel project:
https://build.opensuse.org/request/show/962059
Comment 4 Petr Gajdos 2022-03-16 07:29:00 UTC
Submitted into B15sp4/fish and B15sp3/fish3.

I believe all fixed.
Comment 5 Thomas Leroy 2022-03-16 07:54:13 UTC
(In reply to Simon Lees from comment #2)
> https://build.opensuse.org/package/show/openSUSE:Leap:15.2:Update/fish3 is
> also affected which means that Leap 15.3 is probably also affected

You're right, my apologies.

(In reply to Petr Gajdos from comment #4)
> I believe all fixed.

Thanks Petr!
Comment 6 OBSbugzilla Bot 2022-03-16 08:40:03 UTC
This is an autogenerated message for OBS integration:
This bug (1197139) was mentioned in
https://build.opensuse.org/request/show/962062 Backports:SLE-15-SP4 / fish
https://build.opensuse.org/request/show/962079 Backports:SLE-15-SP3 / fish3
Comment 7 Simon Lees 2022-03-16 11:08:20 UTC
(In reply to Petr Gajdos from comment #3)
> Request into devel project:
> https://build.opensuse.org/request/show/962059

Accepted and on its way to factory, thanks for the quick work on the submissions.
Comment 8 Gianluca Gabrielli 2022-03-21 10:47:39 UTC
Thank you all, closing.
Comment 9 Swamp Workflow Management 2022-03-31 13:23:39 UTC
openSUSE-SU-2022:0096-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197139
CVE References: CVE-2022-20001
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    fish3-3.3.1-bp153.2.10.1