Andrew Geissler | c5535c9 | 2023-01-27 16:10:19 -0600 | [diff] [blame^] | 1 | From 8a4d65ef6d0023ab9b238529410afb433553d2fa Mon Sep 17 00:00:00 2001 |
| 2 | From: Marc Cornellà <hello@mcornella.com> |
| 3 | Date: Mon, 24 Jan 2022 09:43:28 +0100 |
| 4 | Subject: [PATCH 2/9] security/89: Add patch which can optionally be used to |
| 5 | work around CVE-2021-45444 in VCS_Info |
| 6 | Comment: Updated to use the same file name without blanks as actually |
| 7 | used in the final 5.8.1 release. |
| 8 | |
| 9 | |
| 10 | https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_2.patch |
| 11 | Upstream-Status: Backport |
| 12 | CVE: CVE-2021-45444 |
| 13 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> |
| 14 | --- |
| 15 | ChangeLog | 5 + |
| 16 | Etc/CVE-2021-45444-VCS_Info-workaround.patch | 98 ++++++++++++++++++++ |
| 17 | 2 files changed, 103 insertions(+) |
| 18 | create mode 100644 Etc/CVE-2021-45444-VCS_Info-workaround.patch |
| 19 | |
| 20 | diff --git a/ChangeLog b/ChangeLog |
| 21 | index eb248ec06..9a05a09e1 100644 |
| 22 | --- a/ChangeLog |
| 23 | +++ b/ChangeLog |
| 24 | @@ -1,5 +1,10 @@ |
| 25 | 2022-01-27 dana <dana@dana.is> |
| 26 | |
| 27 | + * Marc Cornellà: security/89: |
| 28 | + Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which |
| 29 | + can optionally be used to work around recursive PROMPT_SUBST |
| 30 | + issue in VCS_Info |
| 31 | + |
| 32 | * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive |
| 33 | PROMPT_SUBST |
| 34 | |
| 35 | diff --git a/Etc/CVE-2021-45444-VCS_Info-workaround.patch b/Etc/CVE-2021-45444-VCS_Info-workaround.patch |
| 36 | new file mode 100644 |
| 37 | index 000000000..13e54be77 |
| 38 | --- /dev/null |
| 39 | +++ b/Etc/CVE-2021-45444-VCS_Info-workaround.patch |
| 40 | @@ -0,0 +1,98 @@ |
| 41 | +From 972887bbe5eb6a00e5f0e73781d6d73bfdcafb93 Mon Sep 17 00:00:00 2001 |
| 42 | +From: =?UTF-8?q?Marc=20Cornell=C3=A0?= <hello@mcornella.com> |
| 43 | +Date: Mon, 24 Jan 2022 09:43:28 +0100 |
| 44 | +Subject: [PATCH] security/89: Partially work around CVE-2021-45444 in VCS_Info |
| 45 | +MIME-Version: 1.0 |
| 46 | +Content-Type: text/plain; charset=UTF-8 |
| 47 | +Content-Transfer-Encoding: 8bit |
| 48 | + |
| 49 | +This patch is a partial, VCS_Info-specific work-around for CVE-2021-45444, |
| 50 | +which is mitigated in the shell itself in 5.8.1 and later versions. It is |
| 51 | +offered for users who are concerned about an exploit but are unable to update |
| 52 | +their binaries to receive the complete fix. |
| 53 | + |
| 54 | +The patch works around the vulnerability by pre-escaping values substituted |
| 55 | +into format strings in VCS_Info. Please note that this may break some user |
| 56 | +configurations that rely on those values being un-escaped (which is why it was |
| 57 | +not included directly in 5.8.1). It may be possible to limit this breakage by |
| 58 | +adjusting exactly which ones are pre-escaped, but of course this may leave |
| 59 | +them vulnerable again. |
| 60 | + |
| 61 | +If applying the patch to the file system is inconvenient or not possible, the |
| 62 | +following script can be used to idempotently patch the relevant function |
| 63 | +running in memory (and thus must be re-run when the shell is restarted): |
| 64 | + |
| 65 | + |
| 66 | +# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version) |
| 67 | +autoload -Uz is-at-least |
| 68 | +if is-at-least 5.8.1 || ! is-at-least 5.0.3; then |
| 69 | + return |
| 70 | +fi |
| 71 | + |
| 72 | +# Quote necessary $hook_com[<field>] items just before they are used |
| 73 | +# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats |
| 74 | +# function, where <field> is: |
| 75 | +# |
| 76 | +# base: the full path of the repository's root directory. |
| 77 | +# base-name: the name of the repository's root directory. |
| 78 | +# branch: the name of the currently checked out branch. |
| 79 | +# revision: an identifier of the currently checked out revision. |
| 80 | +# subdir: the path of the current directory relative to the |
| 81 | +# repository's root directory. |
| 82 | +# misc: a string that may contain anything the vcs_info backend wants. |
| 83 | +# |
| 84 | +# This patch %-quotes these fields previous to their use in vcs_info hooks and |
| 85 | +# the zformat call and, eventually, when they get expanded in the prompt. |
| 86 | +# It's important to quote these here, and not later after hooks have modified the |
| 87 | +# fields, because then we could be quoting % characters from valid prompt sequences, |
| 88 | +# like %F{color}, %B, etc. |
| 89 | +# |
| 90 | +# 32 │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})" |
| 91 | +# 33 │ hook_com[subdir_orig]="${hook_com[subdir]}" |
| 92 | +# 34 │ |
| 93 | +# 35 + │ for tmp in base base-name branch misc revision subdir; do |
| 94 | +# 36 + │ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}" |
| 95 | +# 37 + │ done |
| 96 | +# 38 + │ |
| 97 | +# 39 │ VCS_INFO_hook 'post-backend' |
| 98 | +# |
| 99 | +# This is especially important so that no command substitution is performed |
| 100 | +# due to malicious input as a consequence of CVE-2021-45444, which affects |
| 101 | +# zsh versions from 5.0.3 to 5.8. |
| 102 | +# |
| 103 | +autoload -Uz +X regexp-replace VCS_INFO_formats |
| 104 | + |
| 105 | +# We use $tmp here because it's already a local variable in VCS_INFO_formats |
| 106 | +typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"' |
| 107 | +# Unique string to avoid reapplying the patch if this code gets called twice |
| 108 | +typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b |
| 109 | +# Only patch the VCS_INFO_formats function if not already patched |
| 110 | +if [[ "$functions[VCS_INFO_formats]" != *$PATCH_ID* ]]; then |
| 111 | + regexp-replace 'functions[VCS_INFO_formats]' \ |
| 112 | + "VCS_INFO_hook 'post-backend'" \ |
| 113 | + ': ${PATCH_ID}; ${PATCH}; ${MATCH}' |
| 114 | +fi |
| 115 | +unset PATCH PATCH_ID |
| 116 | + |
| 117 | + |
| 118 | +--- |
| 119 | + Functions/VCS_Info/VCS_INFO_formats | 4 ++++ |
| 120 | + 1 file changed, 4 insertions(+) |
| 121 | + |
| 122 | +diff --git a/Functions/VCS_Info/VCS_INFO_formats b/Functions/VCS_Info/VCS_INFO_formats |
| 123 | +index e0e1dc738..4d88e28b6 100644 |
| 124 | +--- a/Functions/VCS_Info/VCS_INFO_formats |
| 125 | ++++ b/Functions/VCS_Info/VCS_INFO_formats |
| 126 | +@@ -32,6 +32,10 @@ hook_com[base-name_orig]="${hook_com[base_name]}" |
| 127 | + hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})" |
| 128 | + hook_com[subdir_orig]="${hook_com[subdir]}" |
| 129 | + |
| 130 | ++for tmp in base base-name branch misc revision subdir; do |
| 131 | ++ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}" |
| 132 | ++done |
| 133 | ++ |
| 134 | + VCS_INFO_hook 'post-backend' |
| 135 | + |
| 136 | + ## description (for backend authors): |
| 137 | +-- |
| 138 | +2.34.1 |
| 139 | -- |
| 140 | 2.34.1 |