Bug 263506

Summary: shells/fish: Update to 3.4.1
Product: Ports & Packages
Reporter: Bjorn Neergaard <bjorn>
Component: Individual Port(s)
Assignee: Alan Somers <asomers>
Status: Closed FIXED
Severity: Affects Many People
CC: bjorn, grahamperrin, mikael, ports-secteam
Priority: Normal
Flags: asomers: maintainer-feedback+
Version: Latest
Hardware: Any
OS: Any
URL: https://www.freshports.org/shells/fish/
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269066
https://github.com/fish-shell/fish-shell/pull/8589
Attachments:
Description Flags
git format-patch none

Description Bjorn Neergaard 2022-04-24 04:19:44 UTC
Created attachment 233429
git format-patch
Comment 1 Alan Somers freebsd_committer freebsd_triage 2022-05-05 04:13:41 UTC
Works for me, and passes Poudriere.
Comment 2 Mikael Urankar freebsd_committer freebsd_triage 2022-05-05 05:07:58 UTC
Remove portrevision before committing
Approved by: mikael
Comment 3 Bjorn Neergaard 2022-05-05 06:45:15 UTC
(In reply to Mikael Urankar from comment #2)
Ah, looks like I'm too used to Arch's PKGREL which is 1, not 0, as a base value.
Comment 4 commit-hook freebsd_committer freebsd_triage 2022-05-05 13:08:25 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e7aa222dd79c6a83ec9632f79a363bb3193a054c

commit e7aa222dd79c6a83ec9632f79a363bb3193a054c
Author:     Alan Somers <asomers@FreeBSD.org>
AuthorDate: 2022-05-05 13:05:44 +0000
Commit:     Alan Somers <asomers@FreeBSD.org>
CommitDate: 2022-05-05 13:05:44 +0000

    shells/fish: Update to 3.4.1

    PR:             263506
    Submitted by:   Bjorn Neergaard <bjorn@neersighted.com>
    Approved by:    mikael <ports>

 shells/fish/Makefile  |  3 +-
 shells/fish/distinfo  |  6 ++--
 shells/fish/pkg-plist | 99 ++++++++++++++++++++++++++++++++++++++++++++++++---
 3 files changed, 98 insertions(+), 10 deletions(-)
Comment 5 Graham Perrin freebsd_committer freebsd_triage 2023-01-21 18:39:35 UTC
Hi

e7aa222dd79c6a83ec9632f79a363bb3193a054c was for 3.3.1_1 to 3.4.1. 

<https://www.freshports.org/vuxml.php?package=fish> lacks a VuXML entry for CVE-2022-20001. 

<https://github.com/fish-shell/fish-shell/releases/tag/3.4.0>
<https://fishshell.com/docs/current/relnotes.html#fish-3-4-0-released-march-12-2022>
Comment 6 Alan Somers freebsd_committer freebsd_triage 2023-01-21 19:11:40 UTC
grahamperrin thanks for pointing that out.  I've never created a vuxml entry before.  Is there a newcomer's guide for that?
Comment 7 Graham Perrin freebsd_committer freebsd_triage 2023-01-21 20:57:34 UTC
(In reply to Alan Somers from comment #6)

I'm not a porter; I guess that <https://docs.freebsd.org/en/books/porters-handbook/book/#security-notify-vuxml-db> is as good a place as any. Thanks!
Comment 8 Alan Somers freebsd_committer freebsd_triage 2023-01-21 22:43:45 UTC
Fixed in 15a0ee651699dc551e4e41d3976e68ba1c9e90a9 grahamperrin.  Thanks for bringing it to my attention.
Comment 9 commit-hook freebsd_committer freebsd_triage 2023-01-21 22:43:59 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=15a0ee651699dc551e4e41d3976e68ba1c9e90a9

commit 15a0ee651699dc551e4e41d3976e68ba1c9e90a9
Author:     Alan Somers <asomers@FreeBSD.org>
AuthorDate: 2023-01-21 22:30:29 +0000
Commit:     Alan Somers <asomers@FreeBSD.org>
CommitDate: 2023-01-21 22:42:45 +0000

    security/vuxml: register shells/fish vulnerability

    Arbitrary code execution if the attacker can convince the user to cd to
    a directory the attacker controls.

    CVE-2022-20001

    PR: 263506

 security/vuxml/vuln/2023.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)