Bugzilla – Bug 1197139
VUL-0: CVE-2022-20001: fish: Navigating to a compromised git repository may lead to arbitrary code execution
Last modified: 2022-03-31 13:23:39 UTC
fish is a command line shell. fish version 3.1.0 through version 3.3.1 is
vulnerable to arbitrary code execution. git repositories can contain
per-repository configuration that changes the behavior of git, including running
arbitrary commands. When using the default configuration of fish, changing to a
directory automatically runs `git` commands in order to display information
about the current repository in the prompt. If an attacker can convince a user
to change their current directory into one controlled by the attacker, such as
on a shared file system or extracted archive, fish will run arbitrary commands
under the attacker's control. This problem has been fixed in fish 3.4.0. Note
that running git in these directories, including using the git tab completion,
remains a potential trigger for this issue. As a workaround, remove the
`fish_git_prompt` function from the prompt.
Upstream fix commit:
Only the following are affected:
(In reply to Thomas Leroy from comment #1)
> Only the following are affected:
> - openSUSE:Backports:SLE-15-SP4
> - openSUSE:Factory
https://build.opensuse.org/package/show/openSUSE:Leap:15.2:Update/fish3 is also affected, which means that Leap 15.3 is probably also affected.
Request into devel project:
Submitted into B15sp4/fish and B15sp3/fish3.
I believe all fixed.
(In reply to Simon Lees from comment #2)
> https://build.opensuse.org/package/show/openSUSE:Leap:15.2:Update/fish3 is
> also affected which means that Leap 15.3 is probably also affected
You're right, my apologies.
(In reply to Petr Gajdos from comment #4)
> I believe all fixed.
This is an autogenerated message for OBS integration:
This bug (1197139) was mentioned in
https://build.opensuse.org/request/show/962062 Backports:SLE-15-SP4 / fish
https://build.opensuse.org/request/show/962079 Backports:SLE-15-SP3 / fish3
(In reply to Petr Gajdos from comment #3)
> Request into devel project:
Accepted and on its way to Factory, thanks for the quick work on the submissions.
Thank you all, closing.
openSUSE-SU-2022:0096-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1197139
CVE References: CVE-2022-20001
openSUSE Backports SLE-15-SP3 (src): fish3-3.3.1-bp188.8.131.52
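An added example, not part of this bug report and not fish's or git's own code: a review aid for the trigger described in the CVE text. It checks a fish version against the affected range and lists the settings in a repository's `.git/config` that name a program for git to run. The key list is an assumption drawn from git-config(1) and is not exhaustive, the parser is simplified (no line continuations or includes), and the function names and sample config are constructed for illustration.

```python
import re

# Range stated in the CVE text above: fish 3.1.0 through 3.3.1 (fixed in 3.4.0).
AFFECTED_MIN, AFFECTED_MAX = (3, 1, 0), (3, 3, 1)

# Assumption: non-exhaustive set of settings that git-config(1) documents as
# naming a program for git to run. Section and key names are case-insensitive.
COMMAND_KEYS = {"core.fsmonitor", "core.pager", "core.editor", "core.sshcommand",
                "core.hookspath", "diff.external", "credential.helper", "gpg.program"}
# Settings that live under a subsection, e.g. filter.<name>.smudge.
COMMAND_SUBKEYS = {("filter", "clean"), ("filter", "smudge"), ("filter", "process"),
                   ("diff", "textconv"), ("merge", "driver"), ("credential", "helper")}

SECTION_RE = re.compile(r'^\[\s*([A-Za-z0-9-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$")

def fish_is_affected(version: str) -> bool:
    """True if a version string such as 'fish, version 3.3.1' is in the affected range."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    return AFFECTED_MIN <= parts <= AFFECTED_MAX

def command_settings(config_text: str) -> list:
    """Return (name, value) for every setting in a git config that names a program."""
    findings, section, sub = [], None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section, sub = header.group(1).lower(), header.group(2)
            line = line[header.end():].strip()  # a key may follow the header
        entry = KEY_RE.match(line)
        if section is None or not entry:  # blank line, comment, or unparsed
            continue
        key, value = entry.group(1).lower(), (entry.group(2) or "").strip()
        name = f"{section}.{key}" if sub is None else f"{section}.{sub}.{key}"
        hit = name in COMMAND_KEYS if sub is None else (section, key) in COMMAND_SUBKEYS
        if hit:
            findings.append((name, value))
    return findings

# Constructed sample of a repository's .git/config; the values are benign.
SAMPLE_CONFIG = """[core]
\tpager = less -FRX
[remote "origin"]
\turl = https://example.invalid/project.git
[filter "lfs"]
\tsmudge = git-lfs smudge -- %f
"""
```

A finding is a prompt for review rather than a verdict: common tooling sets some of these keys legitimately, as the sample's filter entry shows.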