Bug 263506 - shells/fish: Update to 3.4.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Alan Somers
URL: https://www.freshports.org/shells/fish/
Reported: 2022-04-24 04:19 UTC by Bjorn Neergaard
Modified: 2023-01-21 22:43 UTC
asomers: maintainer-feedback+


Attachments
git format-patch (19.25 KB, application/mbox)
2022-04-24 04:19 UTC, Bjorn Neergaard

Description Bjorn Neergaard 2022-04-24 04:19:44 UTC
Created attachment 233429
git format-patch
Comment 1 Alan Somers freebsd_committer freebsd_triage 2022-05-05 04:13:41 UTC
Works for me, and passes Poudriere.
Comment 2 Mikael Urankar freebsd_committer freebsd_triage 2022-05-05 05:07:58 UTC
Remove portrevision before committing
Approved by : mikael
Comment 3 Bjorn Neergaard 2022-05-05 06:45:15 UTC
(In reply to Mikael Urankar from comment #2)
Ah, looks like I'm too used to Arch's PKGREL which is 1, not 0, as a base value.
Comment 4 commit-hook freebsd_committer freebsd_triage 2022-05-05 13:08:25 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e7aa222dd79c6a83ec9632f79a363bb3193a054c

commit e7aa222dd79c6a83ec9632f79a363bb3193a054c
Author:     Alan Somers <asomers@FreeBSD.org>
AuthorDate: 2022-05-05 13:05:44 +0000
Commit:     Alan Somers <asomers@FreeBSD.org>
CommitDate: 2022-05-05 13:05:44 +0000

    shells/fish: Update to 3.4.1

    PR:             263506
    Submitted by:   Bjorn Neergaard <bjorn@neersighted.com>
    Approved by:    mikael <ports>

 shells/fish/Makefile  |  3 +-
 shells/fish/distinfo  |  6 ++--
 shells/fish/pkg-plist | 99 ++++++++++++++++++++++++++++++++++++++++++++++++---
 3 files changed, 98 insertions(+), 10 deletions(-)
Comment 5 Graham Perrin freebsd_committer freebsd_triage 2023-01-21 18:39:35 UTC
Hi

e7aa222dd79c6a83ec9632f79a363bb3193a054c was for 3.3.1_1 to 3.4.1. 

<https://www.freshports.org/vuxml.php?package=fish> lacks a VuXML entry for CVE-2022-20001. 

<https://github.com/fish-shell/fish-shell/releases/tag/3.4.0>
<https://fishshell.com/docs/current/relnotes.html#fish-3-4-0-released-march-12-2022>
Comment 6 Alan Somers freebsd_committer freebsd_triage 2023-01-21 19:11:40 UTC
grahamperrin thanks for pointing that out.  I've never created a vuxml entry before.  Is there a newcomer's guide for that?
Comment 7 Graham Perrin freebsd_committer freebsd_triage 2023-01-21 20:57:34 UTC
(In reply to Alan Somers from comment #6)

I'm not a porter, I guess that <https://docs.freebsd.org/en/books/porters-handbook/book/#security-notify-vuxml-db> is as good a place as any. Thanks!
Comment 8 Alan Somers freebsd_committer freebsd_triage 2023-01-21 22:43:45 UTC
Fixed in 15a0ee651699dc551e4e41d3976e68ba1c9e90a9 grahamperrin.  Thanks for bringing it to my attention.
Comment 9 commit-hook freebsd_committer freebsd_triage 2023-01-21 22:43:59 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=15a0ee651699dc551e4e41d3976e68ba1c9e90a9

commit 15a0ee651699dc551e4e41d3976e68ba1c9e90a9
Author:     Alan Somers <asomers@FreeBSD.org>
AuthorDate: 2023-01-21 22:30:29 +0000
Commit:     Alan Somers <asomers@FreeBSD.org>
CommitDate: 2023-01-21 22:42:45 +0000

    security/vuxml: register shells/fish vulnerability

    Arbitrary code execution if the attacker can convince the user to cd to
    a directory the attacker controls.

    CVE-2022-20001

    PR: 263506

 security/vuxml/vuln/2023.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)