diff --git a/CVE-2022-20001.patch b/CVE-2022-20001.patch
new file mode 100644
index 0000000..e37be97
--- /dev/null
+++ b/CVE-2022-20001.patch
@@ -0,0 +1,71 @@
+From 37625053d424c1ab88de2b0c50c7fe71e1468e2c Mon Sep 17 00:00:00 2001
+From: ridiculousfish
+Date: Sun, 26 Dec 2021 17:25:20 -0800
+Subject: [PATCH] fish_git_prompt: be careful about git config
+
+fish_git_prompt may run certain git commands which may invoke certain
+external programs as specified `.git/config`. Prevent this by suppressing
+certain git config options.
+---
+ share/functions/fish_git_prompt.fish | 8 ++++----
+ tests/checks/git.fish | 15 +++++++++++++++
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/share/functions/fish_git_prompt.fish b/share/functions/fish_git_prompt.fish
+index 6457e114b60..9920430b9ab 100644
+--- a/share/functions/fish_git_prompt.fish
++++ b/share/functions/fish_git_prompt.fish
+@@ -345,18 +345,18 @@ function __fish_git_prompt_staged --description "fish_git_prompt helper, tells w
+ # The "diff" functions all return > 0 if there _is_ a diff,
+ # but we want to return 0 if there are staged changes.
+ # So we invert the status.
+- not command git diff-index --cached --quiet HEAD -- 2>/dev/null
++ not command git -c core.fsmonitor= diff-index --cached --quiet HEAD -- 2>/dev/null
+ and echo 1
+ end
+
+ function __fish_git_prompt_untracked --description "fish_git_prompt helper, tells whether or not the current repository has untracked files"
+- command git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- :/ >/dev/null 2>&1
++ command git -c core.fsmonitor= ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- :/ >/dev/null 2>&1
+ and echo 1
+ end
+
+ function __fish_git_prompt_dirty --description "fish_git_prompt helper, tells whether or not the current branch has tracked, modified files"
+ # Like staged, invert the status because we want 0 to mean there are dirty files.
+- not command git diff --no-ext-diff --quiet --exit-code 2>/dev/null
++ not command git -c core.fsmonitor= diff --no-ext-diff --quiet --exit-code 2>/dev/null
+ and echo 1
+ end
+
+@@ -372,7 +372,7 @@ function __fish_git_prompt_informative_status
+ # It's quite a bit faster and unlikely anyone cares about the number of files if it's *all* of the files
+ # in that directory.
+ # The v2 format is better, but we don't actually care in this case.
+- set -l stats (string sub -l 2 (git status --porcelain -z -unormal | string split0))
++ set -l stats (string sub -l 2 (git -c core.fsmonitor= status --porcelain -z -unormal | string split0))
+ set -l invalidstate (string match -r '^UU' $stats | count)
+ set -l stagedstate (string match -r '^[ACDMR].' $stats | count)
+ set -l dirtystate (string match -r '^.[ACDMR]' $stats | count)
+diff --git a/tests/checks/git.fish b/tests/checks/git.fish
+index 6f1cafd8c25..a96bc8baccd 100644
+--- a/tests/checks/git.fish
++++ b/tests/checks/git.fish
+@@ -80,3 +80,18 @@ set -g __fish_git_prompt_status_order untrackedfiles
+ fish_git_prompt
+ echo
+ #CHECK: (newbranch %)
++
++# Turn on everything and verify we correctly ignore sus config files.
++set -g __fish_git_prompt_status_order stagedstate invalidstate dirtystate untrackedfiles stashstate
++set -g __fish_git_prompt_showdirtystate 1
++set -g __fish_git_prompt_show_informative_status 1
++set -g __fish_git_prompt_showuntrackedfiles 1
++rm -Rf .git *
++git init >/dev/null 2>&1
++echo -n > ran.txt
++git config core.fsmonitor 'echo fsmonitor >> ran.txt; false'
++git config core.sshCommand 'echo sshCommand >> ran.txt; false'
++git config diff.external 'echo diff >> ran.txt; false'
++touch untracked_file
++fish_git_prompt > /dev/null
++cat ran.txt # should output nothing
diff --git a/fish.spec b/fish.spec
index 5939a57..bb43168 100644
--- a/fish.spec
+++ b/fish.spec
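Review bot: The hardened call in the `__fish_git_prompt_informative_status` hunk still invokes a bare `git`, while the three helpers patched above it use `command git`, so a `git` function or wrapper defined in the user's session would sit between the prompt and the `-c core.fsmonitor=` override there. Unless the bare form is deliberate upstream, I would write `set -l stats (string sub -l 2 (command git -c core.fsmonitor= status --porcelain -z -unormal | string split0))`. The override is also applied call site by call site, and the function bodies continue outside these hunks, so it is worth grepping the 3.3.1 copy of fish_git_prompt.fish for any other `git status`, `diff` or `ls-files` call that lacks it. In the new test, `cat ran.txt # should output nothing` has no `#CHECK` directive and presumably relies on the harness rejecting unmatched output; a comment saying so, e.g. `# No CHECK on purpose: any line printed here means a configured program ran`, would make the assertion explicit.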
@@ -1,10 +1,14 @@ Name: fish Version: 3.3.1 -Release: 1 +Release: 2 Summary: Friendly interactive shell License: GPLv2 and BSD and ISC and LGPLv2+ and MIT URL: https://fishshell.com Source0: https://github.com/fish-shell/fish-shell/releases/download/%{version}/%{name}-%{version}.tar.xz +# https://github.com/fish-shell/fish-shell/commit/ec8844d834cc9fe626e9fc326c6f5410341d532a +Patch01: fix-test-failure.patch +# https://github.com/fish-shell/fish-shell/commit/37625053d424c1ab88de2b0c50c7fe71e1468e2c +Patch02: CVE-2022-20001.patch BuildRequires: cmake >= 3.2 BuildRequires: ninja-build
@@ -97,5 +101,9 @@ fi %{_datadir}/pixmaps/fish.png %changelog +* Mon May 16 2022 yaoxin - 3.3.1-2 +- Fix CVE-2022-20001 +- Fix test failure + * Mon July 12 2021 wulei - 3.3.1-1 - Package init
diff --git a/fix-test-failure.patch b/fix-test-failure.patch
new file mode 100644
index 0000000..1b19a27
--- /dev/null
+++ b/fix-test-failure.patch
@@ -0,0 +1,25 @@
+From bfe373299fc9a13f3fb05d6bc68c63e79d62dfa0 Mon Sep 17 00:00:00 2001
+From: Fabian Homborg
+Date: Thu, 14 Oct 2021 18:18:51 +0200
+Subject: [PATCH] Drop tests with resetting match start inside lookaround
+
+---
+ src/fish_tests.cpp | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/fish_tests.cpp b/src/fish_tests.cpp
+index 2b46986..f1f4865 100644
+--- a/src/fish_tests.cpp
++++ b/src/fish_tests.cpp
+@@ -5723,8 +5723,6 @@ static void test_string() {
+ {{L"string", L"match", L"-r", L"-a", L"a*", L"b", 0}, STATUS_CMD_OK, L"\n\n"},
+ {{L"string", L"match", L"-r", L"foo\\Kbar", L"foobar", 0}, STATUS_CMD_OK, L"bar\n"},
+ {{L"string", L"match", L"-r", L"(foo)\\Kbar", L"foobar", 0}, STATUS_CMD_OK, L"bar\nfoo\n"},
+- {{L"string", L"match", L"-r", L"(?=ab\\K)", L"ab", 0}, STATUS_CMD_OK, L"\n"},
+- {{L"string", L"match", L"-r", L"(?=ab\\K)..(?=cd\\K)", L"abcd", 0}, STATUS_CMD_OK, L"\n"},
+
+ {{L"string", L"replace", 0}, STATUS_INVALID_ARGS, L""},
+ {{L"string", L"replace", L"", 0}, STATUS_INVALID_ARGS, L""},
+--
+2.23.0
+
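Review bot: In the fish.spec hunk at `@@ -1,10 +1,14 @@`, `Patch01` and `Patch02` are only declared; whether they are applied is decided in `%prep`, which lies outside the hunk. If `%prep` uses plain `%setup` rather than `%autosetup -p1` or explicit `%patch` lines, release 2 would build without the CVE-2022-20001 change while the changelog says it is fixed. Both patches also carry test changes (tests/checks/git.fish and src/fish_tests.cpp), so the regression test for the fix only protects the package if `%check` runs the upstream test suite. A one-line comment above `Patch02` such as `# CVE-2022-20001: fish_git_prompt must not run programs named in a repository's .git/config` would record why the patch must not be dropped on rebase.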