Both __fish_print_packages and (in master, not in any releases) start_fishd access temporary files in /tmp blindly, allowing a symlink attack.
This is somewhat defended against by the sysctl fs.protected_symlinks in newer releases of Linux, thankfully.
CVE-ID is CVE-2014-3219.
Yikes, start_fishd() is vulnerable in 2.1.0 and 2.0.0.
3225d7e
avoid symlink attacks in __fish_print_packages
9c78295
* use $XDG_CACHE_HOME for __fish_print_packages completion caches Fix for CVE-2014-3219. Closes #1440.
zanchey
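The fix referenced above moves the completion caches out of `/tmp` and into `$XDG_CACHE_HOME`. As an added illustration in POSIX shell (not the fish project's code), the sketch below shows that pattern: a private per-user cache directory plus an exclusively created temporary file that is renamed into place. The function names and the `pkg-completions` subdirectory are hypothetical.

```shell
#!/bin/sh
# Added example, not fish's code. Function names and the "pkg-completions"
# subdirectory are hypothetical.
#
# Risky pattern the issue describes: a predictable file under world-writable
# /tmp, opened with a plain redirection, follows any symlink another local
# user planted at that path first.

# cache_dir: print a private per-user cache directory, creating it if needed.
cache_dir() {
    base=${XDG_CACHE_HOME:-$HOME/.cache}
    dir=$base/pkg-completions
    # Refuse a symlink sitting where the directory should be.
    if [ -L "$dir" ]; then
        echo "refusing symlinked cache dir: $dir" >&2
        return 1
    fi
    # Create with mode 0700 so no other user can place entries inside.
    ( umask 077 && mkdir -p "$dir" ) || return 1
    # Must be a real directory owned by the calling user.
    [ -d "$dir" ] && [ -O "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# write_cache NAME: store stdin as NAME in the cache dir, print the final path.
write_cache() {
    # Accept a plain file name only: no empty name, slashes or dotfiles.
    case $1 in
        ''|*/*|.*) return 1 ;;
    esac
    dir=$(cache_dir) || return 1
    # mktemp picks an unpredictable name and creates it exclusively, so an
    # existing file or symlink is never opened.
    tmp=$(mktemp "$dir/.tmp.XXXXXX") || return 1
    # rename(2) via mv swaps the finished file in atomically.
    if cat >"$tmp" && mv -f "$tmp" "$dir/$1"; then
        printf '%s\n' "$dir/$1"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

The directory check covers ownership and type only; a pre-existing cache directory with lax permissions is not tightened by this sketch.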