fish-3.4.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11936 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z fish-3.4.0-1.1 on GA media These are all security issues fixed in the fish-3.4.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11936 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11936 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-20001/ SUSE CVE CVE-2022-20001 page openSUSE Tumbleweed fish-3.4.0-1.1 fish-devel-3.4.0-1.1 fish-3.4.0-1.1 as a component of openSUSE Tumbleweed fish-devel-3.4.0-1.1 as a component of openSUSE Tumbleweed fish is a command line shell. fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git repositories can contain per-repository configuration that change the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing to a directory automatically runs `git` commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory into one controlled by the attacker, such as on a shared file system or extracted archive, fish will run arbitrary commands under the attacker's control. This problem has been fixed in fish 3.4.0. Note that running git in these directories, including using the git tab completion, remains a potential trigger for this issue. As a workaround, remove the `fish_git_prompt` function from the prompt. CVE-2022-20001 openSUSE Tumbleweed:fish-3.4.0-1.1 openSUSE Tumbleweed:fish-devel-3.4.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-20001.html CVE-2022-20001 https://bugzilla.suse.com/1197139 SUSE Bug 1197139