
List:       oss-security
Subject:    [oss-security] Re: Upcoming security release of fish 2.1.1
From:       David Adam <zanchey () ucc ! gu ! uwa ! edu ! au>
Date:       2014-04-28 15:15:19
Message-ID: alpine.DEB.2.02.1404282304110.7807 () motsugo ! ucc ! gu ! uwa ! edu ! au

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Whoops - missed a spot.

There is also a symlink attack that doesn't depend on a race condition, so we'll
include a patch for that as well.

Could we have an additional CVE-ID assigned, please?

Thanks,

David Adam
fish committer
zanchey@ucc.gu.uwa.edu.au
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

On Mon, 28 Apr 2014, David Adam wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> fish (the friendly interactive shell) is a smart and user-friendly command
> line shell for OS X, Linux, and the rest of the family.
> 
> fish 2.1.1 will be released shortly, correcting two security vulnerabilities
> and reducing the scope of a further security vulnerability.
> 
> fish 2.1.1 will be made available as source and binary packages at
> http://fishshell.com/.
> 
> The following security vulnerabilities have been identified in the fish shell:
> 
> CVE-2014-2905: fish universal variable socket vulnerable to permission bypass
> leading to privilege escalation
> 
>   fish, from at least version 1.16.0 to version 2.1.0 (inclusive), does not
>   check the credentials of processes communicating over the fishd universal
>   variable server UNIX domain socket. This allows a local attacker to elevate
>   their privileges to those of a target user running fish, including root.
> 
>   fish version 2.1.1 is not vulnerable.
> 
>   No workaround is currently available for earlier versions of fish.
> 
>   https://github.com/fish-shell/fish-shell/issues/1436
> 
> CVE-2014-2906: fish temporary file creation vulnerable to race condition
> leading to privilege escalation
> 
>   fish, from at least version 1.16.0 to version 2.1.0 (inclusive), creates
>   temporary files in an insecure manner.
> 
>   Versions 1.23.0 to 2.1.0 (inclusive) execute code from these temporary files,
>   allowing privilege escalation to those of any user running fish, including
>   root.
> 
>   Additionally, from at least version 1.16.0 to version 2.1.0 (inclusive),
>   fish will read data using the psub function from these temporary files,
>   meaning that the input of commands used with the psub function is under the
>   control of the attacker.
> 
>   fish version 2.1.1 is not vulnerable.
> 
>   No workaround is currently available for earlier versions of fish.
> 
>   https://github.com/fish-shell/fish-shell/issues/1437
> 
> CVE-2014-2914: fish web interface does not restrict access leading to remote
> code execution
> 
>   fish, from version 2.0.0 to version 2.1.0 (inclusive), fails to restrict
>   connections to the Web-based configuration service (fish_config). This
>   allows remote attackers to execute arbitrary code in the context of the user
>   running fish_config.
> 
>   The service is generally only running for short periods of time.
> 
>   fish version 2.1.1 restricts incoming connections to localhost only. At this
>   stage, users should avoid running fish_config on systems where there are
>   untrusted local users, as they are still able to connect to the fish_config
>   service and elevate their privileges to those of the user running
>   fish_config.
> 
>   No workaround is currently available for earlier versions of fish, although
>   the use of the fish_config tool is optional as other interfaces to fish
>   configuration are available.
> 
>   https://github.com/fish-shell/fish-shell/issues/1438
> 
> The patches going into 2.1.1 can be retrieved from the Integration_2.1.1 branch
> on GitHub if you would like to patch your own source or packages without
> updating to 2.1.1:
> https://github.com/fish-shell/fish-shell/tree/Integration_2.1.1
>   10642a34f17ae45bd93be3ae6021ee920d3da0c2
>   8412c867a501e3a68e55fef6215e86d3ac9f617b
>   c0989dce2d882c94eb3183e7b94402ba53534abb
> 
> Although at this stage we won't be issuing a 2.0.1 release, the patches have
> been backported to the 2.0.0 branch for distributions that would prefer not to
> upgrade to the 2.1 series:
> https://github.com/fish-shell/fish-shell/tree/Integration_2.0.1
>   216d32055d99fbae563ad048436830187a8bfceb
>   aea9ad4965d24ef9c4e346f906194820bac70cc9
>   55986120aa2cc8ab0809db8ca1f8116491c1fb14
> 
> David Adam
> fish committer
> zanchey@ucc.gu.uwa.edu.au
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> 
> -----END PGP SIGNATURE-----
> 

Cheers,

David Adam
zanchey@ucc.gu.uwa.edu.au
Ask Me About Our SLA!
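
The CVE-2014-2905 entry quoted above describes a UNIX domain socket server that does not check the credentials of connecting processes. The block below is an added example of that kind of check, not code from this message or from the fish patches: it asks the kernel for the peer's UID and fails closed when the UID differs or cannot be read. The function names and the socketpair() stand-in for an accepted connection are assumptions made for the example.

```cpp
// Added example, not fish source: fail-closed peer check for a UNIX socket.
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   // struct ucred on glibc (g++ already defines this)
#endif
#include <cstdio>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

// Ask the kernel which UID owns the other end of a connected AF_UNIX socket.
// Returns 0 and fills *uid on success, -1 on any failure.
static int peer_uid(int fd, uid_t *uid) {
#if defined(SO_PEERCRED)                 // Linux
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0) return -1;
    if (len != sizeof(cred)) return -1;
    *uid = cred.uid;
    return 0;
#else                                    // BSD and macOS
    gid_t gid;
    return getpeereid(fd, uid, &gid);
#endif
}

// Returns 1 only when the peer's UID equals `allowed`; 0 otherwise, including
// when the credentials cannot be read (not a socket, bad descriptor).
int peer_uid_allowed(int fd, uid_t allowed) {
    uid_t uid;
    if (peer_uid(fd, &uid) != 0) return 0;
    return uid == allowed ? 1 : 0;
}

int main() {
    int sv[2];   // constructed stand-in for an accepted client connection
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    // A per-user server would pass its own effective UID as the allowed one.
    printf("same-user peer allowed: %d\n", peer_uid_allowed(sv[0], geteuid()));
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```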
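
The message above mentions a symlink attack on temporary files, and the quoted CVE-2014-2906 entry describes insecure temporary file creation. The block below is an added example, not code from this message or from the fish patches: it puts a predictable-name open beside an exclusive-create open and checks, inside a private scratch directory, how each behaves when a symlink already occupies the name. The function names and the `/tmp/symdemo.XXXXXX` scratch path are constructed for the example.

```cpp
// Added example, not fish source. All paths live in a private scratch directory.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Weak: predictable name without O_EXCL, so open() follows an existing symlink.
int open_tmp_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

// Hardened: with O_CREAT|O_EXCL the call fails with EEXIST if the name already
// exists, even as a dangling symlink, and the link is never followed.
int open_tmp_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
}

// Plants a symlink at the temp-file name, then tries both opens.
// Bit 0: weak open wrote through the link. Bit 1: hardened open refused it.
int symlink_check() {
    char dir[] = "/tmp/symdemo.XXXXXX";           // constructed scratch dir
    if (!mkdtemp(dir)) return -1;
    char tmp_name[64], target[64];
    snprintf(tmp_name, sizeof tmp_name, "%s/demo.tmp", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, tmp_name) != 0) return -1;

    int result = 0;
    int fd = open_tmp_excl(tmp_name);
    if (fd < 0 && errno == EEXIST) result |= 2;
    if (fd >= 0) close(fd);

    fd = open_tmp_weak(tmp_name);
    struct stat st;
    if (fd >= 0 && write(fd, "x", 1) == 1 && stat(target, &st) == 0 && st.st_size == 1)
        result |= 1;
    if (fd >= 0) close(fd);
    unlink(target); unlink(tmp_name); rmdir(dir);
    return result;
}

int main() {
    printf("symlink_check() = %d (3 = weak followed link, hardened refused)\n", symlink_check());
    return 0;
}
```

When the caller does not need to choose the name, mkstemp(3) combines an unpredictable name with the same exclusive creation.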