Fish: User-assisted execution of arbitrary code

Background

Smart and user-friendly command line shell for macOS, Linux, and the rest of the family. It includes features like syntax highlighting, autosuggest-as-you-type, and fancy tab completions that just work, with no configuration required.

Description

A vulnerability have been discovered in Fish. Please review the CVE identifiers referenced below for details.

Impact

A user may be enticed to cd into a git repository under control by an attacker (e.g. on a shared filesystem or by unpacking an archive) and execute arbitrary commands.

Workaround

There is no known workaround at this time.

Resolution

All fish users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-shells/fish-3.4.0"