packages/fish
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!24 fix CVE-2023-49284

Browse Source 
From: @paultohmas 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001
This commit is contained in:
openeuler-ci-bot 2023-12-06 08:51:56 +00:00 committed by Gitee
commit 9ae9fe463d
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 60 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
backport-CVE-2023-49284.patch Normal file
View File

@ -0,0 +1,54 @@
From 09986f5563e31e2c900a606438f1d60d008f3a14 Mon Sep 17 00:00:00 2001
From: Fabian Boehm <FHomborg@gmail.com>
Date: Sat, 2 Dec 2023 11:06:07 +0100
Subject: [PATCH] Encode all ENCODE_DIRECT codepoints with encode_direct
---
src/common.cpp | 7 ++++---
tests/checks/basic.fish | 8 ++++++++
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/common.cpp b/src/common.cpp
index a1cc7c63c62..370ecacd5f0 100644
--- a/src/common.cpp
+++ b/src/common.cpp
@@ -335,9 +335,7 @@ static wcstring str2wcs_internal(const char *in, const size_t in_len) {
} else {
ret = std::mbrtowc(&wc, &in[in_pos], in_len - in_pos, &state);
// Determine whether to encode this character with our crazy scheme.
- if (wc >= ENCODE_DIRECT_BASE && wc < ENCODE_DIRECT_BASE + 256) {
- use_encode_direct = true;
- } else if (wc == INTERNAL_SEPARATOR) {
+ if (fish_reserved_codepoint(wc)) {
use_encode_direct = true;
} else if (ret == static_cast<size_t>(-2)) {
// Incomplete sequence.
@@ -1313,6 +1311,9 @@ maybe_t<size_t> read_unquoted_escape(const wchar_t *input, wcstring *result, boo
}
if (result_char_or_none.has_value()) {
+ if (fish_reserved_codepoint(*result_char_or_none)) {
+ return none();
+ }
result->push_back(*result_char_or_none);
}
diff --git a/tests/checks/basic.fish b/tests/checks/basic.fish
index 60a4e18a21f..314b78cc0fb 100644
--- a/tests/checks/basic.fish
+++ b/tests/checks/basic.fish
@@ -587,6 +587,14 @@ $fish -c 'echo \x'
# CHECKERR: echo \x
# CHECKERR: ^^
+$fish -c 'echo \ufdd2"fart"'
+# CHECKERR: fish: Invalid token '\ufdd2"fart"'
+# CHECKERR: echo \ufdd2"fart"
+# CHECKERR: ^~~~~~~~~~~^
+
+echo (sh -c 'printf $\'\ufdd2foo\'') | string escape
+# CHECK: \Xef\Xb7\X92foo
+
printf '%s\n' "#!/bin/sh" 'echo $0' > $tmpdir/argv0.sh
chmod +x $tmpdir/argv0.sh
cd $tmpdir

7
fish.spec
View File

@ -1,10 +1,12 @@
Name: fish Name: fish
Version: 3.6.1 Version: 3.6.1
Release: 1 Release: 2
Summary: Friendly interactive shell Summary: Friendly interactive shell
License: GPLv2 and BSD and ISC and LGPLv2+ and MIT License: GPLv2 and BSD and ISC and LGPLv2+ and MIT
URL: https://fishshell.com URL: https://fishshell.com
Source0: https://github.com/fish-shell/fish-shell/releases/download/%{version}/%{name}-%{version}.tar.xz Source0: https://github.com/fish-shell/fish-shell/releases/download/%{version}/%{name}-%{version}.tar.xz
# https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14
Patch0: backport-CVE-2023-49284.patch
BuildRequires: cmake >= 3.5 BuildRequires: cmake >= 3.5
BuildRequires: ninja-build BuildRequires: ninja-build
@ -97,6 +99,9 @@ fi
%{_datadir}/pixmaps/fish.png %{_datadir}/pixmaps/fish.png
%changelog %changelog
* Wed Dec 06 2023 lwg <relpeace@yeah.net> - 3.6.1-2
- fix CVE-2023-49284
* Fri Aug 25 2023 yaoxin <yao_xin001@hoperun.com> - 3.6.1-1 * Fri Aug 25 2023 yaoxin <yao_xin001@hoperun.com> - 3.6.1-1
- Update to 3.6.1 - Update to 3.6.1