{"id":"MGASA-2014-0404","summary":"Updated fish package fixes multiple security vulnerabilities","details":"Updated fish packages fix security vulnerability:\n\nfish, from at least version 1.16.0 to version 2.1.0 (inclusive), does not\ncheck the credentials of processes communicating over the fishd universal\nvariable server UNIX domain socket. This allows a local attacker to \nelevate their privileges to those of a target user running fish, including \nroot (CVE-2014-2905).\n\nfish, from at least version 1.16.0 to version 2.1.0 (inclusive), creates\ntemporary files in an insecure manner.\n\nVersions 1.23.0 to 2.1.0 (inclusive) execute code via `funced` from these\ntemporary files, allowing privilege escalation to those of any user \nrunning fish, including root (CVE-2014-3856).\n\nAdditionally, from at least version 1.16.0 to version 2.1.0 (inclusive),\nfish will read data using the psub function from these temporary files,\nmeaning that the input of commands used with the psub function is under \nthe control of the attacker (CVE-2014-2906).\n\nfish, from version 2.0.0 to version 2.1.0 (inclusive), fails to restrict\nconnections to the Web-based configuration service (fish_config). This\nallows remote attackers to execute arbitrary code in the context of the \nuser running fish_config (CVE-2014-2914).\n\nThe service is generally only running for short periods of time. The use of\nthe fish_config tool is optional as other interfaces to fish configuration\nare available.\n\nThe fish package has been updated to version 2.1.1 to fix these issues.\n","modified":"2026-04-16T06:23:53.375379526Z","published":"2014-10-09T14:06:16Z","upstream":["CVE-2014-2905","CVE-2014-2906","CVE-2014-2914","CVE-2014-3856"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0404.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=13984"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2014/09/28/8"},{"type":"WEB","url":"http://fishshell.com/release_notes.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132618.html"}],"affected":[{"package":{"name":"fish","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/fish?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.1-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0404.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}