Date: Mon, 28 Apr 2014 23:15:19 +0800 (WST)
From: David Adam <zanchey@....gu.uwa.edu.au>
To: oss-security@...ts.openwall.com
cc: Bartlomiej Piotrowski <b@...otrowski.pl>, kov@...ian.org, luto@....edu, nemysis@...eBSD.org, ridiculous_fish <corydoras@...iculousfish.com>
Subject: Re: Upcoming security release of fish 2.1.1

Whoops - missed a spot.

There is also a symlink attack that doesn't depend on a race condition, so
we'll include a patch for that as well. Could we have an additional CVE-ID
assigned, please?

Thanks,

David Adam
fish committer
zanchey@....gu.uwa.edu.au

On Mon, 28 Apr 2014, David Adam wrote:

> fish (the friendly interactive shell) is a smart and user-friendly command
> line shell for OS X, Linux, and the rest of the family.
>
> fish 2.1.1 will be released shortly, correcting two security vulnerabilities
> and reducing the scope of a further security vulnerability.
>
> fish 2.1.1 will be made available as source and binary packages at
> http://fishshell.com/.
>
> The following security vulnerabilities have been identified in the fish shell:
>
> CVE-2014-2905: fish universal variable socket vulnerable to permission bypass
> leading to privilege escalation
>
> fish, from at least version 1.16.0 to version 2.1.0 (inclusive), does not
> check the credentials of processes communicating over the fishd universal
> variable server UNIX domain socket. This allows a local attacker to elevate
> their privileges to those of a target user running fish, including root.
>
> fish version 2.1.1 is not vulnerable.
>
> No workaround is currently available for earlier versions of fish.
>
> https://github.com/fish-shell/fish-shell/issues/1436
>
> CVE-2014-2906: fish temporary file creation vulnerable to race condition
> leading to privilege escalation
>
> fish, from at least version 1.16.0 to version 2.1.0 (inclusive), creates
> temporary files in an insecure manner.
>
> Versions 1.23.0 to 2.1.0 (inclusive) execute code from these temporary files,
> allowing privilege escalation to those of any user running fish, including
> root.
>
> Additionally, from at least version 1.16.0 to version 2.1.0 (inclusive),
> fish will read data using the psub function from these temporary files,
> meaning that the input of commands used with the psub function is under the
> control of the attacker.
>
> fish version 2.1.1 is not vulnerable.
>
> No workaround is currently available for earlier versions of fish.
>
> https://github.com/fish-shell/fish-shell/issues/1437
>
> CVE-2014-2914: fish web interface does not restrict access leading to remote
> code execution
>
> fish, from version 2.0.0 to version 2.1.0 (inclusive), fails to restrict
> connections to the Web-based configuration service (fish_config). This
> allows remote attackers to execute arbitrary code in the context of the user
> running fish_config.
>
> The service is generally only running for short periods of time.
>
> fish version 2.1.1 restricts incoming connections to localhost only. At this
> stage, users should avoid running fish_config on systems where there are
> untrusted local users, as they are still able to connect to the fish_config
> service and elevate their privileges to those of the user running
> fish_config.
>
> No workaround is currently available for earlier versions of fish, although
> the use of the fish_config tool is optional as other interfaces to fish
> configuration are available.
>
> https://github.com/fish-shell/fish-shell/issues/1438
>
> The patches going into 2.1.1 can be retrieved from the Integration_2.1.1 branch
> on Github if you would like to patch your own source or packages without
> updating to 2.1.1:
> https://github.com/fish-shell/fish-shell/tree/Integration_2.1.1
> 10642a34f17ae45bd93be3ae6021ee920d3da0c2
> 8412c867a501e3a68e55fef6215e86d3ac9f617b
> c0989dce2d882c94eb3183e7b94402ba53534abb
>
> Although at this stage we won't be issuing a 2.0.1 release, the patches have
> been backported to the 2.0.0 branch for distributions that would prefer not to
> upgrade to the 2.1 series:
> https://github.com/fish-shell/fish-shell/tree/Integration_2.0.1
> 216d32055d99fbae563ad048436830187a8bfceb
> aea9ad4965d24ef9c4e346f906194820bac70cc9
> 55986120aa2cc8ab0809db8ca1f8116491c1fb14
>
> David Adam
> fish committer
> zanchey@....gu.uwa.edu.au
>

Cheers,

David Adam
zanchey@....gu.uwa.edu.au
Ask Me About Our SLA!
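
The insecure temporary file creation described under CVE-2014-2906, and the symlink issue raised in the follow-up, belong to a class that is closed by creating the file atomically and refusing anything that already exists at the path. The C sketch below is an added example of that defensive pattern, not fish's actual patch and not code from the original message; the function names and the `demo.XXXXXX` template are illustrative assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* mkstemp, O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Trust an open fd only if it is a regular file we own, with one link and
 * no group/other permission bits. */
static int fd_is_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid() &&
           st.st_nlink == 1 && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Fixed name: O_EXCL fails with EEXIST if anything, including a
 * symlink (dangling or not), already sits at path. Returns fd or -1. */
int create_fixed_name(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 && !fd_is_private(fd)) { close(fd); errno = EPERM; return -1; }
    return fd;
}

/* Preferred: mkstemp() picks an unpredictable name and creates the file
 * atomically with mode 0600. path_out receives the name. Returns fd or -1. */
int create_random_name(const char *dir, char *path_out, size_t len) {
    int n = snprintf(path_out, len, "%s/demo.XXXXXX", dir);
    if (n < 0 || (size_t)n >= len) { errno = ENAMETOOLONG; return -1; }
    int fd = mkstemp(path_out);
    if (fd >= 0 && !fd_is_private(fd)) {
        close(fd); unlink(path_out); errno = EPERM; return -1;
    }
    return fd;
}

int main(void) {
    char path[PATH_MAX];
    int fd = create_random_name("/tmp", path, sizeof path);
    if (fd < 0) { perror("create_random_name"); return 1; }
    printf("created %s privately\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```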