| Origin: commit c187154f47697cdbf822c2f9d714d570ed4a0fd1 |
| From: Oliver Kiddle <opk@zsh.org> |
| Date: Wed, 15 Dec 2021 01:56:40 +0100 |
| Subject: [PATCH 1/9] security/41: Don't perform PROMPT_SUBST evaluation on |
| %F/%K arguments |
| |
| Mitigates CVE-2021-45444 |
| |
| https://salsa.debian.org/debian/zsh/-/raw/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_1.patch?inline=false |
| Upstream-Status: Backport |
| CVE: CVE-2021-45444 |
| Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> |
| --- |
| ChangeLog | 5 +++++ |
| Src/prompt.c | 10 ++++++++++ |
| 2 files changed, 15 insertions(+) |
| |
| diff --git a/ChangeLog b/ChangeLog |
| index 8d7dfc169..eb248ec06 100644 |
| --- a/ChangeLog |
| +++ b/ChangeLog |
| @@ -1,3 +1,8 @@ |
| +2022-01-27 dana <dana@dana.is> |
| + |
| + * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive |
| + PROMPT_SUBST |
| + |
| 2020-02-14 dana <dana@dana.is> |
| |
| * unposted: Config/version.mk: Update for 5.8 |
| diff --git a/Src/prompt.c b/Src/prompt.c |
| index b65bfb86b..91e21c8e9 100644 |
| --- a/Src/prompt.c |
| +++ b/Src/prompt.c |
| @@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg) |
| bv->fm += 2; /* skip over F{ */ |
| if ((ep = strchr(bv->fm, '}'))) { |
| char oc = *ep, *col, *coll; |
| + int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG]; |
| + int opp = opts[PROMPTPERCENT]; |
| + |
| + opts[PROMPTPERCENT] = 1; |
| + opts[PROMPTSUBST] = opts[PROMPTBANG] = 0; |
| + |
| *ep = '\0'; |
| /* expand the contents of the argument so you can use |
| * %v for example */ |
| @@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg) |
| arg = match_colour((const char **)&coll, is_fg, 0); |
| free(col); |
| bv->fm = ep; |
| + |
| + opts[PROMPTSUBST] = ops; |
| + opts[PROMPTBANG] = opb; |
| + opts[PROMPTPERCENT] = opp; |
| } else { |
| arg = match_colour((const char **)&bv->fm, is_fg, 0); |
| if (*bv->fm != '}') |
| -- |
| 2.34.1 |