Lucene search

Gentoo FoundationMGASA-2023-0344

HistoryDec 13, 2023 - 12:19 a.m.

Updated fish packages fix a security vulnerability

2023-12-1300:19:08

Gentoo Foundation

advisories.mageia.org

mageia 9

version 3.6.4

cve-2023-49284

fish shell

unicode non-characters

wildcards

command substitution

unix

CVSS3

6.6

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H

AI Score

7.2

Confidence

Low

EPSS

Percentile

9.8%

JSON

Mageia 9 is updated to version 3.6.4 to fix CVE-2023-49284. Mageia 8 receives an upstream patch to fix CVE-2023-49284. CVE-2023-49284: fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation.

OSVersionArchitecturePackageVersionFilename
Mageia8noarchfish< 3.4.1-1.1fish-3.4.1-1.1.mga8
Mageia9noarchfish< 3.6.4-1fish-3.6.4-1.mga9

OS	Version	Architecture	Package	Version	Filename
Mageia	8	noarch	fish	< 3.4.1-1.1	fish-3.4.1-1.1.mga8
Mageia	9	noarch	fish	< 3.6.4-1	fish-3.6.4-1.mga9

References

bugs.mageia.org/show_bug.cgi?id=32614

CVSS3

6.6

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H

AI Score

7.2

Confidence

Low

EPSS

Percentile

9.8%

JSON

Related for MGASA-2023-0344