Andrew Geissler | c5535c9 | 2023-01-27 16:10:19 -0600 | 1 | From 4abf2fc193fc2f3e680deecbf81289a7b02e245b Mon Sep 17 00:00:00 2001 |
| 2 | From: dana <dana@dana.is> |
| 3 | Date: Tue, 21 Dec 2021 13:13:33 -0600 |
| 4 | Subject: [PATCH 3/9] CVE-2021-45444: Update NEWS/README |
| 5 | |
| 6 | https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_3.patch |
| 7 | Upstream-Status: Backport |
| 8 | CVE: CVE-2021-45444 |
| 9 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> |
| 10 | --- |
| 11 | ChangeLog | 2 ++ |
| 12 | NEWS | 20 ++++++++++++++++++++ |
| 13 | README | 6 ++++++ |
| 14 | 3 files changed, 28 insertions(+) |
| 15 | |
| 16 | diff --git a/ChangeLog b/ChangeLog |
| 17 | index 9a05a09e1..93b0bc337 100644 |
| 18 | --- a/ChangeLog |
| 19 | +++ b/ChangeLog |
| 20 | @@ -1,5 +1,7 @@ |
| 21 | 2022-01-27 dana <dana@dana.is> |
| 22 | |
| 23 | + * CVE-2021-45444: NEWS, README: Document preceding two changes |
| 24 | + |
| 25 | * Marc Cornellà: security/89: |
| 26 | Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which |
| 27 | can optionally be used to work around recursive PROMPT_SUBST |
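Review bot: The added ChangeLog line "CVE-2021-45444: NEWS, README: Document preceding two changes" does not say which two changes it means, so it only reads correctly next to the rest of the series (this is patch 3/9). Name the changes being documented, for example the PROMPT_SUBST fix and the VCS_Info workaround patch mentioned in the entry just below, so the line is understandable to someone reading the ChangeLog alone.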
| 28 | diff --git a/NEWS b/NEWS |
| 29 | index 964e1633f..d34b3f79e 100644 |
| 30 | --- a/NEWS |
| 31 | +++ b/NEWS |
| 32 | @@ -4,6 +4,26 @@ CHANGES FROM PREVIOUS VERSIONS OF ZSH |
| 33 | |
| 34 | Note also the list of incompatibilities in the README file. |
| 35 | |
| 36 | +Changes since 5.8 |
| 37 | +----------------- |
| 38 | + |
| 39 | +CVE-2021-45444: Some prompt expansion sequences, such as %F, support |
| 40 | +'arguments' which are themselves expanded in case they contain colour |
| 41 | +values, etc. This additional expansion would trigger PROMPT_SUBST |
| 42 | +evaluation, if enabled. This could be abused to execute code the user |
| 43 | +didn't expect. e.g., given a certain prompt configuration, an attacker |
| 44 | +could trick a user into executing arbitrary code by having them check |
| 45 | +out a Git branch with a specially crafted name. |
| 46 | + |
| 47 | +This is fixed in the shell itself by no longer performing PROMPT_SUBST |
| 48 | +evaluation on these prompt-expansion arguments. |
| 49 | + |
| 50 | +Users who are concerned about an exploit but unable to update their |
| 51 | +binaries may apply the partial work-around described in the file |
| 52 | +'Etc/CVE-2021-45444 VCS_Info workaround.patch' included with the shell |
| 53 | +source. [ Reported by RyotaK <security@ryotak.me>. Additional thanks to |
| 54 | +Marc Cornellà <hello@mcornella.com>. ] |
| 55 | + |
| 56 | Changes since 5.7.1-test-3 |
| 57 | -------------------------- |
| 58 | |
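Review bot: The workaround file name in the added NEWS text, 'Etc/CVE-2021-45444 VCS_Info workaround.patch', is written with spaces, while the ChangeLog context in this same patch names it Etc/CVE-2021-45444-VCS_Info-workaround.patch with hyphens. A user who cannot update and goes looking for the workaround will not find a file by the name given here, so use the hyphenated path. It would also help to say in one sentence what the "partial" workaround leaves uncovered, since the text directs concerned users to rely on it.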
| 59 | diff --git a/README b/README |
| 60 | index 7f1dd5f92..c9e994ab3 100644 |
| 61 | --- a/README |
| 62 | +++ b/README |
| 63 | @@ -31,6 +31,12 @@ Zsh is a shell with lots of features. For a list of some of these, see the |
| 64 | file FEATURES, and for the latest changes see NEWS. For more |
| 65 | details, see the documentation. |
| 66 | |
| 67 | +Incompatibilities since 5.8 |
| 68 | +--------------------------- |
| 69 | + |
| 70 | +PROMPT_SUBST expansion is no longer performed on arguments to prompt- |
| 71 | +expansion sequences such as %F. |
| 72 | + |
| 73 | Incompatibilities since 5.7.1 |
| 74 | ----------------------------- |
| 75 | |
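Review bot: The new "Incompatibilities since 5.8" entry states the behaviour change but gives no reason and no cross-reference, so a user whose prompt stops expanding inside a %F argument cannot tell from README that this is the CVE-2021-45444 fix. Add the CVE id or a pointer to the NEWS entry, and either list the affected sequences or say where they are documented, since "such as %F" leaves the scope open.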
| 76 | -- |
| 77 | 2.34.1 |