Andrew Geissler | c5535c9 | 2023-01-27 16:10:19 -0600 | 1 | Origin: commit c187154f47697cdbf822c2f9d714d570ed4a0fd1 |
| 2 | From: Oliver Kiddle <opk@zsh.org> |
| 3 | Date: Wed, 15 Dec 2021 01:56:40 +0100 |
| 4 | Subject: [PATCH 1/9] security/41: Don't perform PROMPT_SUBST evaluation on |
| 5 | %F/%K arguments |
| 6 | |
| 7 | Mitigates CVE-2021-45444 |
| 8 | |
| 9 | https://salsa.debian.org/debian/zsh/-/raw/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_1.patch?inline=false |
| 10 | Upstream-Status: Backport |
| 11 | CVE: CVE-2021-45444 |
| 12 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> |
| 13 | --- |
| 14 | ChangeLog | 5 +++++ |
| 15 | Src/prompt.c | 10 ++++++++++ |
| 16 | 2 files changed, 15 insertions(+) |
| 17 | |
| 18 | diff --git a/ChangeLog b/ChangeLog |
| 19 | index 8d7dfc169..eb248ec06 100644 |
| 20 | --- a/ChangeLog |
| 21 | +++ b/ChangeLog |
| 22 | @@ -1,3 +1,8 @@ |
| 23 | +2022-01-27 dana <dana@dana.is> |
| 24 | + |
| 25 | + * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive |
| 26 | + PROMPT_SUBST |
| 27 | + |
| 28 | 2020-02-14 dana <dana@dana.is> |
| 29 | |
| 30 | * unposted: Config/version.mk: Update for 5.8 |
| 31 | diff --git a/Src/prompt.c b/Src/prompt.c |
| 32 | index b65bfb86b..91e21c8e9 100644 |
| 33 | --- a/Src/prompt.c |
| 34 | +++ b/Src/prompt.c |
| 35 | @@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg) |
| 36 | bv->fm += 2; /* skip over F{ */ |
| 37 | if ((ep = strchr(bv->fm, '}'))) { |
| 38 | char oc = *ep, *col, *coll; |
| 39 | + int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG]; |
| 40 | + int opp = opts[PROMPTPERCENT]; |
| 41 | + |
| 42 | + opts[PROMPTPERCENT] = 1; |
| 43 | + opts[PROMPTSUBST] = opts[PROMPTBANG] = 0; |
| 44 | + |
| 45 | *ep = '\0'; |
| 46 | /* expand the contents of the argument so you can use |
| 47 | * %v for example */ |
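Review bot: The lines that save and override `opts[PROMPTSUBST]`, `opts[PROMPTBANG]` and `opts[PROMPTPERCENT]` carry no comment marking them as a security control, so a later cleanup could drop them as apparently redundant. I would add above `opts[PROMPTPERCENT] = 1;` something like `/* CVE-2021-45444: expand the %F{...}/%K{...} argument with PROMPT_SUBST and PROMPT_BANG off so its text is only %-expanded, never re-evaluated */`. The diffstat lists only ChangeLog and Src/prompt.c, so this patch adds no regression test; a test-suite case asserting that a colour argument is left unevaluated while PROMPT_SUBST is set would pin the behaviour. parsecolorchar() begins before this hunk and continues past it.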
| 48 | @@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg) |
| 49 | arg = match_colour((const char **)&coll, is_fg, 0); |
| 50 | free(col); |
| 51 | bv->fm = ep; |
| 52 | + |
| 53 | + opts[PROMPTSUBST] = ops; |
| 54 | + opts[PROMPTBANG] = opb; |
| 55 | + opts[PROMPTPERCENT] = opp; |
| 56 | } else { |
| 57 | arg = match_colour((const char **)&bv->fm, is_fg, 0); |
| 58 | if (*bv->fm != '}') |
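Review bot: The restore of `opts[PROMPTSUBST]`, `opts[PROMPTBANG]` and `opts[PROMPTPERCENT]` comes only after `match_colour()`, `free(col)` and `bv->fm = ep`, so the process-wide option array stays overridden for longer than the expansion needs. The expansion call sits in the unchanged lines between the two hunks and is not visible here, so this is inferred. If that call is the only consumer of the overridden options, moving the three restore lines to directly after it would narrow the window. The pairing also depends on straight-line flow: an error exit or a handler running during the expansion, if either can happen here, would leave or observe the forced values. That is worth confirming against the full function.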
| 59 | -- |
| 60 | 2.34.1 |