Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: f...@packages.debian.org Control: affects -1 + src:fish
[ Reason ] Cherry-pick upstream fix to CVE-2023-49284 [ Impact ] This is a low severity security issue that affects basically all historical releases of fish. The upstream created new releases (i.e. 3.6.2) solely for fixing this bug. https://github.com/fish-shell/fish-shell/commits/Integration_3.6.2/ So it would be good if we can integrate the fix into stable. [ Tests ] The fix is already included in fish/3.6.4-1 (sid). The rebased patch passed my local sbuild test. I installed the package in a chroot and tested it. [ Risks ] low. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Only one change. Please refer to the patch header for explanation. [ Other info ] diff -Nru fish-3.6.0/debian/changelog fish-3.6.0/debian/changelog --- fish-3.6.0/debian/changelog 2023-05-01 13:01:01.000000000 -0400 +++ fish-3.6.0/debian/changelog 2023-12-21 14:47:56.000000000 -0500 @@ -1,3 +1,9 @@ +fish (3.6.0-3.1+deb12u1) bookworm; urgency=medium + + * Cherry-pick upstream fix for CVE-2023-49284. + + -- Mo Zhou <lu...@debian.org> Thu, 21 Dec 2023 14:47:56 -0500 + fish (3.6.0-3.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru fish-3.6.0/debian/patches/CVE-2023-49284.patch fish-3.6.0/debian/patches/CVE-2023-49284.patch --- fish-3.6.0/debian/patches/CVE-2023-49284.patch 1969-12-31 19:00:00.000000000 -0500 +++ fish-3.6.0/debian/patches/CVE-2023-49284.patch 2023-12-21 14:44:13.000000000 -0500 @@ -0,0 +1,31 @@ +Description: fixes CVE-2023-49284 + The CVE report can be found at + https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f + The corresponding fix can be found at + https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14 + This patch is rebased from the upstream fix. +diff --git a/src/common.cpp b/src/common.cpp +index baee97a..0e76bf1 100644 +--- a/src/common.cpp ++++ b/src/common.cpp +@@ -345,9 +345,7 @@ static wcstring str2wcs_internal(const char *in, const size_t in_len) { + } else { + ret = std::mbrtowc(&wc, &in[in_pos], in_len - in_pos, &state); + // Determine whether to encode this character with our crazy scheme. +- if (wc >= ENCODE_DIRECT_BASE && wc < ENCODE_DIRECT_BASE + 256) { +- use_encode_direct = true; +- } else if (wc == INTERNAL_SEPARATOR) { ++ if (fish_reserved_codepoint(wc)) { + use_encode_direct = true; + } else if (ret == static_cast<size_t>(-2)) { + // Incomplete sequence. +@@ -1323,6 +1321,9 @@ maybe_t<size_t> read_unquoted_escape(const wc + } + + if (result_char_or_none.has_value()) { ++ if (fish_reserved_codepoint(*result_char_or_none)) { ++ return none(); ++ } + result->push_back(*result_char_or_none); + } + diff -Nru fish-3.6.0/debian/patches/series fish-3.6.0/debian/patches --- fish-3.6.0/debian/patches/series 2023-05-01 13:01:01.00000000 +++ fish-3.6.0/debian/patches/series 2023-12-21 14:44:23.00000000 @@ -1,3 +1,4 @@ 0001-reader-make-Escape-during-history-search-restore-com.patch 0002-reader-Remove-assert-in-history-search.patch 0003-workaround-for-Midnight-Commander.patch +CVE-2023-49284.patch
