diff options
Diffstat (limited to 'meta-oe/recipes-shells')
-rw-r--r-- | meta-oe/recipes-shells/dash/dash_0.5.12.bb (renamed from meta-oe/recipes-shells/dash/dash_0.5.11.2.bb) | 11 | ||||
-rw-r--r-- | meta-oe/recipes-shells/mksh/mksh_59c.bb (renamed from meta-oe/recipes-shells/mksh/mksh_59.bb) | 11 | ||||
-rw-r--r-- | meta-oe/recipes-shells/tcsh/tcsh/0001-Enable-system-malloc-on-all-linux.patch | 12 | ||||
-rw-r--r-- | meta-oe/recipes-shells/tcsh/tcsh/0001-Remove-defining-handle_interrupt-twice.patch | 28 | ||||
-rw-r--r-- | meta-oe/recipes-shells/tcsh/tcsh/0002-Add-debian-csh-scripts.patch | 2 | ||||
-rw-r--r-- | meta-oe/recipes-shells/tcsh/tcsh_6.24.12.bb (renamed from meta-oe/recipes-shells/tcsh/tcsh_6.22.02.bb) | 21 | ||||
-rw-r--r-- | meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch | 60 | ||||
-rw-r--r-- | meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch | 140 | ||||
-rw-r--r-- | meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch | 77 | ||||
-rw-r--r-- | meta-oe/recipes-shells/zsh/zsh_5.8.bb (renamed from meta-oe/recipes-shells/zsh/zsh_5.4.2.bb) | 35 |
10 files changed, 324 insertions, 73 deletions
diff --git a/meta-oe/recipes-shells/dash/dash_0.5.11.2.bb b/meta-oe/recipes-shells/dash/dash_0.5.12.bb index f59e6d1f7a..947ef702d7 100644 --- a/meta-oe/recipes-shells/dash/dash_0.5.11.2.bb +++ b/meta-oe/recipes-shells/dash/dash_0.5.12.bb @@ -2,26 +2,25 @@ SUMMARY = "Small and fast POSIX-compliant shell" HOMEPAGE = "http://gondor.apana.org.au/~herbert/dash/" SECTION = "System Environment/Shells" -LICENSE = "BSD & GPLv2+" +LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=b5262b4a1a1bff72b48e935531976d2e" inherit autotools update-alternatives SRC_URI = "http://gondor.apana.org.au/~herbert/${BPN}/files/${BP}.tar.gz" -SRC_URI[md5sum] = "b9b71c72e40fdc4db9b4ffb81fc3bebc" -SRC_URI[sha256sum] = "00fb7d68b7599cc41ab151051c06c01e9500540183d8aa72116cb9c742bd6d5f" +SRC_URI[sha256sum] = "6a474ac46e8b0b32916c4c60df694c82058d3297d8b385b74508030ca4a8f28a" EXTRA_OECONF += "--bindir=${base_bindir}" -ALTERNATIVE_${PN} = "sh" +ALTERNATIVE:${PN} = "sh" ALTERNATIVE_LINK_NAME[sh] = "${base_bindir}/sh" ALTERNATIVE_TARGET[sh] = "${base_bindir}/dash" ALTERNATIVE_PRIORITY = "10" -pkg_postinst_${PN} () { +pkg_postinst:${PN} () { grep -q "^${base_bindir}/dash$" $D${sysconfdir}/shells || echo ${base_bindir}/dash >> $D${sysconfdir}/shells } -pkg_postrm_${PN} () { +pkg_postrm:${PN} () { printf "$(grep -v "^${base_bindir}/dash$" $D${sysconfdir}/shells)\n" > $D${sysconfdir}/shells } diff --git a/meta-oe/recipes-shells/mksh/mksh_59.bb b/meta-oe/recipes-shells/mksh/mksh_59c.bb index 110e793b07..e3a8ca8b5e 100644 --- a/meta-oe/recipes-shells/mksh/mksh_59.bb +++ b/meta-oe/recipes-shells/mksh/mksh_59c.bb @@ -7,16 +7,17 @@ LIC_FILES_CHKSUM = "file://main.c;beginline=6;endline=26;md5=6efc2c249328e4d2bd3 file://strlcpy.c;beginline=1;endline=17;md5=d953f28f0c43ee29e238ec9bc15df2a0 \ " -SRC_URI = "http://www.mirbsd.org/MirOS/dist/mir/mksh/mksh-R59b.tgz" +SRC_URI = "http://www.mirbsd.org/MirOS/dist/mir/${BPN}/${BPN}-R${PV}.tgz" -SRC_URI[md5sum] = "dce6abffc2036288540b9ba11dfb2ec8" -SRC_URI[sha256sum] = "907ed1a9586e7f18bdefdd4a763aaa8397b755e15034aa54f4d753bfb272e0e6" +SRC_URI[sha256sum] = "77ae1665a337f1c48c61d6b961db3e52119b38e58884d1c89684af31f87bc506" + +UPSTREAM_CHECK_REGEX = "${BPN}-R(?P<pver>.*)\.tgz" inherit update-alternatives S = "${WORKDIR}/${BPN}" -ALTERNATIVE_${PN} = "sh" +ALTERNATIVE:${PN} = "sh" ALTERNATIVE_LINK_NAME[sh] = "${base_bindir}/sh" ALTERNATIVE_TARGET[sh] = "${base_bindir}/${BPN}" ALTERNATIVE_PRIORITY = "100" @@ -33,4 +34,4 @@ do_install() { install -m 0644 ${S}/dot.mkshrc ${D}${sysconfdir}/skel/.mkshrc } -RPROVIDES_${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', '/bin/sh', '', d)}" +RPROVIDES:${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', '/bin/sh', '', d)}" diff --git a/meta-oe/recipes-shells/tcsh/tcsh/0001-Enable-system-malloc-on-all-linux.patch b/meta-oe/recipes-shells/tcsh/tcsh/0001-Enable-system-malloc-on-all-linux.patch index ff2f6a3b68..3a3970ba95 100644 --- a/meta-oe/recipes-shells/tcsh/tcsh/0001-Enable-system-malloc-on-all-linux.patch +++ b/meta-oe/recipes-shells/tcsh/tcsh/0001-Enable-system-malloc-on-all-linux.patch @@ -9,22 +9,24 @@ as well. So switch to using system malloc Signed-off-by: Khem Raj <raj.khem@gmail.com> --- +Upstream-Status: Pending + config_f.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config_f.h b/config_f.h -index 6a632a5..0a66960 100644 +index fb9e69b..c207c25 100644 --- a/config_f.h +++ b/config_f.h -@@ -139,7 +139,7 @@ +@@ -147,7 +147,7 @@ * This can be much slower and no memory statistics will be * provided. */ --#if defined(__MACHTEN__) || defined(PURIFY) || defined(MALLOC_TRACE) || defined(_OSD_POSIX) || defined(__MVS__) || defined (__CYGWIN__) || defined(__GLIBC__) || defined(__OpenBSD__) || defined(__APPLE__) || defined (__ANDROID__) -+#if defined(__MACHTEN__) || defined(PURIFY) || defined(MALLOC_TRACE) || defined(_OSD_POSIX) || defined(__MVS__) || defined (__CYGWIN__) || defined(__linux__) || defined(__OpenBSD__) || defined(__APPLE__) +-#if defined(__MACHTEN__) || defined(PURIFY) || defined(MALLOC_TRACE) || defined(_OSD_POSIX) || defined(__MVS__) || defined (__CYGWIN__) || defined(__GLIBC__) || defined(__OpenBSD__) || defined(__APPLE__) || defined (__ANDROID__) || defined(__NetBSD__) || !defined(HAVE_WORKING_SBRK) ++#if defined(__MACHTEN__) || defined(PURIFY) || defined(MALLOC_TRACE) || defined(_OSD_POSIX) || defined(__MVS__) || defined (__CYGWIN__) || defined(__linux__) || defined(__OpenBSD__) || defined(__APPLE__) || defined (__ANDROID__) || defined(__NetBSD__) || !defined(HAVE_WORKING_SBRK) # define SYSMALLOC #else # undef SYSMALLOC -- -2.12.1 +2.34.1 diff --git a/meta-oe/recipes-shells/tcsh/tcsh/0001-Remove-defining-handle_interrupt-twice.patch b/meta-oe/recipes-shells/tcsh/tcsh/0001-Remove-defining-handle_interrupt-twice.patch deleted file mode 100644 index d6d6ae06de..0000000000 --- a/meta-oe/recipes-shells/tcsh/tcsh/0001-Remove-defining-handle_interrupt-twice.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 2c77b61506aa867a873e3691214983b3eb7f652d Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Thu, 13 Aug 2020 19:49:35 -0700 -Subject: [PATCH] Remove defining handle_interrupt twice - -Fixes build with -fno-common - -Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - tc.sig.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/tc.sig.c b/tc.sig.c -index 77659ca..576605a 100644 ---- a/tc.sig.c -+++ b/tc.sig.c -@@ -56,7 +56,6 @@ int alrmcatch_disabled; /* = 0; */ - int phup_disabled; /* = 0; */ - int pchild_disabled; /* = 0; */ - int pintr_disabled; /* = 0; */ --int handle_interrupt; /* = 0; */ - - int - handle_pending_signals(void) --- -2.28.0 - diff --git a/meta-oe/recipes-shells/tcsh/tcsh/0002-Add-debian-csh-scripts.patch b/meta-oe/recipes-shells/tcsh/tcsh/0002-Add-debian-csh-scripts.patch index e4de6f7fe5..63b22075af 100644 --- a/meta-oe/recipes-shells/tcsh/tcsh/0002-Add-debian-csh-scripts.patch +++ b/meta-oe/recipes-shells/tcsh/tcsh/0002-Add-debian-csh-scripts.patch @@ -5,6 +5,8 @@ Subject: [PATCH 2/2] Add debian csh scripts Signed-off-by: Khem Raj <raj.khem@gmail.com> --- +Upstream-Status: Pending + csh.cshrc | 15 +++++++++++++++ csh.login | 8 ++++++++ csh.logout | 1 + diff --git a/meta-oe/recipes-shells/tcsh/tcsh_6.22.02.bb b/meta-oe/recipes-shells/tcsh/tcsh_6.24.12.bb index 541f5505f3..058fe6a7c4 100644 --- a/meta-oe/recipes-shells/tcsh/tcsh_6.22.02.bb +++ b/meta-oe/recipes-shells/tcsh/tcsh_6.24.12.bb @@ -12,34 +12,35 @@ SRC_URI = " \ https://astron.com/pub/${BPN}/${BP}.tar.gz \ file://0001-Enable-system-malloc-on-all-linux.patch \ file://0002-Add-debian-csh-scripts.patch \ - file://0001-Remove-defining-handle_interrupt-twice.patch \ " -SRC_URI[md5sum] = "f34909eab33733aecc05d27adc82277b" -SRC_URI[sha256sum] = "ed287158ca1b00ba477e8ea57bac53609838ebcfd05fcb05ca95021b7ebe885b" +SRC_URI[sha256sum] = "e3270ce9667fd5bd2a046687659fcf5fd6a6781326f806ebd724f1e1c9cd4185" EXTRA_OEMAKE += "CC_FOR_GETHOST='${BUILD_CC}'" inherit autotools -do_compile_prepend() { - oe_runmake CC_FOR_GETHOST='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' gethost +do_compile:prepend() { + oe_runmake CC_FOR_GETHOST='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' LDFLAGS='${BUILD_LDFLAGS}' gethost } -do_install_append () { +do_install:append () { oe_runmake install.man DESTDIR=${D} install -d ${D}${base_bindir} - ln -s /usr/bin/tcsh ${D}${base_bindir}/tcsh - ln -s /usr/bin/tcsh ${D}${base_bindir}/csh + if ! ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then + ln -s /usr/bin/tcsh ${D}${base_bindir}/tcsh + ln -s /usr/bin/tcsh ${D}${base_bindir}/csh + fi install -d ${D}${sysconfdir}/csh/login.d install -m 0644 ${S}/csh.cshrc ${S}/csh.login ${S}/csh.logout ${S}/complete.tcsh ${D}${sysconfdir} install -D -m 0644 ${S}/csh-mode.el ${D}${datadir}/emacs/site-lisp/csh-mode.el } -FILES_${PN} += "${datadir}/emacs/site-lisp/csh-mode.el" +FILES:${PN} += "${datadir}/emacs/site-lisp/csh-mode.el" -pkg_postinst_${PN} () { +pkg_postinst:${PN} () { #!/bin/sh -e echo /usr/bin/tcsh >> $D/etc/shells echo /usr/bin/csh >> $D/etc/shells } +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch new file mode 100644 index 0000000000..fb8fa3427f --- /dev/null +++ b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch @@ -0,0 +1,60 @@ +Origin: commit c187154f47697cdbf822c2f9d714d570ed4a0fd1 +From: Oliver Kiddle <opk@zsh.org> +Date: Wed, 15 Dec 2021 01:56:40 +0100 +Subject: [PATCH 1/9] security/41: Don't perform PROMPT_SUBST evaluation on + %F/%K arguments + +Mitigates CVE-2021-45444 + +https://salsa.debian.org/debian/zsh/-/raw/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_1.patch?inline=false +Upstream-Status: Backport +CVE: CVE-2021-45444 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + ChangeLog | 5 +++++ + Src/prompt.c | 10 ++++++++++ + 2 files changed, 15 insertions(+) + +diff --git a/ChangeLog b/ChangeLog +index 8d7dfc169..eb248ec06 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,8 @@ ++2022-01-27 dana <dana@dana.is> ++ ++ * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive ++ PROMPT_SUBST ++ + 2020-02-14 dana <dana@dana.is> + + * unposted: Config/version.mk: Update for 5.8 +diff --git a/Src/prompt.c b/Src/prompt.c +index b65bfb86b..91e21c8e9 100644 +--- a/Src/prompt.c ++++ b/Src/prompt.c +@@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg) + bv->fm += 2; /* skip over F{ */ + if ((ep = strchr(bv->fm, '}'))) { + char oc = *ep, *col, *coll; ++ int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG]; ++ int opp = opts[PROMPTPERCENT]; ++ ++ opts[PROMPTPERCENT] = 1; ++ opts[PROMPTSUBST] = opts[PROMPTBANG] = 0; ++ + *ep = '\0'; + /* expand the contents of the argument so you can use + * %v for example */ +@@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg) + arg = match_colour((const char **)&coll, is_fg, 0); + free(col); + bv->fm = ep; ++ ++ opts[PROMPTSUBST] = ops; ++ opts[PROMPTBANG] = opb; ++ opts[PROMPTPERCENT] = opp; + } else { + arg = match_colour((const char **)&bv->fm, is_fg, 0); + if (*bv->fm != '}') +-- +2.34.1 diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch new file mode 100644 index 0000000000..e5b6d7cdc9 --- /dev/null +++ b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch @@ -0,0 +1,140 @@ +From 8a4d65ef6d0023ab9b238529410afb433553d2fa Mon Sep 17 00:00:00 2001 +From: Marc Cornellà <hello@mcornella.com> +Date: Mon, 24 Jan 2022 09:43:28 +0100 +Subject: [PATCH 2/9] security/89: Add patch which can optionally be used to + work around CVE-2021-45444 in VCS_Info +Comment: Updated to use the same file name without blanks as actually + used in the final 5.8.1 release. + + +https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_2.patch +Upstream-Status: Backport +CVE: CVE-2021-45444 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + ChangeLog | 5 + + Etc/CVE-2021-45444-VCS_Info-workaround.patch | 98 ++++++++++++++++++++ + 2 files changed, 103 insertions(+) + create mode 100644 Etc/CVE-2021-45444-VCS_Info-workaround.patch + +diff --git a/ChangeLog b/ChangeLog +index eb248ec06..9a05a09e1 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,5 +1,10 @@ + 2022-01-27 dana <dana@dana.is> + ++ * Marc Cornellà: security/89: ++ Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which ++ can optionally be used to work around recursive PROMPT_SUBST ++ issue in VCS_Info ++ + * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive + PROMPT_SUBST + +diff --git a/Etc/CVE-2021-45444-VCS_Info-workaround.patch b/Etc/CVE-2021-45444-VCS_Info-workaround.patch +new file mode 100644 +index 000000000..13e54be77 +--- /dev/null ++++ b/Etc/CVE-2021-45444-VCS_Info-workaround.patch +@@ -0,0 +1,98 @@ ++From 972887bbe5eb6a00e5f0e73781d6d73bfdcafb93 Mon Sep 17 00:00:00 2001 ++From: =?UTF-8?q?Marc=20Cornell=C3=A0?= <hello@mcornella.com> ++Date: Mon, 24 Jan 2022 09:43:28 +0100 ++Subject: [PATCH] security/89: Partially work around CVE-2021-45444 in VCS_Info ++MIME-Version: 1.0 ++Content-Type: text/plain; charset=UTF-8 ++Content-Transfer-Encoding: 8bit ++ ++This patch is a partial, VCS_Info-specific work-around for CVE-2021-45444, ++which is mitigated in the shell itself in 5.8.1 and later versions. It is ++offered for users who are concerned about an exploit but are unable to update ++their binaries to receive the complete fix. ++ ++The patch works around the vulnerability by pre-escaping values substituted ++into format strings in VCS_Info. Please note that this may break some user ++configurations that rely on those values being un-escaped (which is why it was ++not included directly in 5.8.1). It may be possible to limit this breakage by ++adjusting exactly which ones are pre-escaped, but of course this may leave ++them vulnerable again. ++ ++If applying the patch to the file system is inconvenient or not possible, the ++following script can be used to idempotently patch the relevant function ++running in memory (and thus must be re-run when the shell is restarted): ++ ++ ++# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version) ++autoload -Uz is-at-least ++if is-at-least 5.8.1 || ! is-at-least 5.0.3; then ++ return ++fi ++ ++# Quote necessary $hook_com[<field>] items just before they are used ++# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats ++# function, where <field> is: ++# ++# base: the full path of the repository's root directory. ++# base-name: the name of the repository's root directory. ++# branch: the name of the currently checked out branch. ++# revision: an identifier of the currently checked out revision. ++# subdir: the path of the current directory relative to the ++# repository's root directory. ++# misc: a string that may contain anything the vcs_info backend wants. ++# ++# This patch %-quotes these fields previous to their use in vcs_info hooks and ++# the zformat call and, eventually, when they get expanded in the prompt. ++# It's important to quote these here, and not later after hooks have modified the ++# fields, because then we could be quoting % characters from valid prompt sequences, ++# like %F{color}, %B, etc. ++# ++# 32 │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})" ++# 33 │ hook_com[subdir_orig]="${hook_com[subdir]}" ++# 34 │ ++# 35 + │ for tmp in base base-name branch misc revision subdir; do ++# 36 + │ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}" ++# 37 + │ done ++# 38 + │ ++# 39 │ VCS_INFO_hook 'post-backend' ++# ++# This is especially important so that no command substitution is performed ++# due to malicious input as a consequence of CVE-2021-45444, which affects ++# zsh versions from 5.0.3 to 5.8. ++# ++autoload -Uz +X regexp-replace VCS_INFO_formats ++ ++# We use $tmp here because it's already a local variable in VCS_INFO_formats ++typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"' ++# Unique string to avoid reapplying the patch if this code gets called twice ++typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b ++# Only patch the VCS_INFO_formats function if not already patched ++if [[ "$functions[VCS_INFO_formats]" != *$PATCH_ID* ]]; then ++ regexp-replace 'functions[VCS_INFO_formats]' \ ++ "VCS_INFO_hook 'post-backend'" \ ++ ': ${PATCH_ID}; ${PATCH}; ${MATCH}' ++fi ++unset PATCH PATCH_ID ++ ++ ++--- ++ Functions/VCS_Info/VCS_INFO_formats | 4 ++++ ++ 1 file changed, 4 insertions(+) ++ ++diff --git a/Functions/VCS_Info/VCS_INFO_formats b/Functions/VCS_Info/VCS_INFO_formats ++index e0e1dc738..4d88e28b6 100644 ++--- a/Functions/VCS_Info/VCS_INFO_formats +++++ b/Functions/VCS_Info/VCS_INFO_formats ++@@ -32,6 +32,10 @@ hook_com[base-name_orig]="${hook_com[base_name]}" ++ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})" ++ hook_com[subdir_orig]="${hook_com[subdir]}" ++ +++for tmp in base base-name branch misc revision subdir; do +++ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}" +++done +++ ++ VCS_INFO_hook 'post-backend' ++ ++ ## description (for backend authors): ++-- ++2.34.1 +-- +2.34.1 diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch new file mode 100644 index 0000000000..adfc00ae57 --- /dev/null +++ b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch @@ -0,0 +1,77 @@ +From 4abf2fc193fc2f3e680deecbf81289a7b02e245b Mon Sep 17 00:00:00 2001 +From: dana <dana@dana.is> +Date: Tue, 21 Dec 2021 13:13:33 -0600 +Subject: [PATCH 3/9] CVE-2021-45444: Update NEWS/README + +https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_3.patch +Upstream-Status: Backport +CVE: CVE-2021-45444 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + ChangeLog | 2 ++ + NEWS | 20 ++++++++++++++++++++ + README | 6 ++++++ + 3 files changed, 28 insertions(+) + +diff --git a/ChangeLog b/ChangeLog +index 9a05a09e1..93b0bc337 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,5 +1,7 @@ + 2022-01-27 dana <dana@dana.is> + ++ * CVE-2021-45444: NEWS, README: Document preceding two changes ++ + * Marc Cornellà: security/89: + Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which + can optionally be used to work around recursive PROMPT_SUBST +diff --git a/NEWS b/NEWS +index 964e1633f..d34b3f79e 100644 +--- a/NEWS ++++ b/NEWS +@@ -4,6 +4,26 @@ CHANGES FROM PREVIOUS VERSIONS OF ZSH + + Note also the list of incompatibilities in the README file. + ++Changes since 5.8 ++----------------- ++ ++CVE-2021-45444: Some prompt expansion sequences, such as %F, support ++'arguments' which are themselves expanded in case they contain colour ++values, etc. This additional expansion would trigger PROMPT_SUBST ++evaluation, if enabled. This could be abused to execute code the user ++didn't expect. e.g., given a certain prompt configuration, an attacker ++could trick a user into executing arbitrary code by having them check ++out a Git branch with a specially crafted name. ++ ++This is fixed in the shell itself by no longer performing PROMPT_SUBST ++evaluation on these prompt-expansion arguments. ++ ++Users who are concerned about an exploit but unable to update their ++binaries may apply the partial work-around described in the file ++'Etc/CVE-2021-45444 VCS_Info workaround.patch' included with the shell ++source. [ Reported by RyotaK <security@ryotak.me>. Additional thanks to ++Marc Cornellà <hello@mcornella.com>. ] ++ + Changes since 5.7.1-test-3 + -------------------------- + +diff --git a/README b/README +index 7f1dd5f92..c9e994ab3 100644 +--- a/README ++++ b/README +@@ -31,6 +31,12 @@ Zsh is a shell with lots of features. For a list of some of these, see the + file FEATURES, and for the latest changes see NEWS. For more + details, see the documentation. + ++Incompatibilities since 5.8 ++--------------------------- ++ ++PROMPT_SUBST expansion is no longer performed on arguments to prompt- ++expansion sequences such as %F. ++ + Incompatibilities since 5.7.1 + ----------------------------- + +-- +2.34.1 diff --git a/meta-oe/recipes-shells/zsh/zsh_5.4.2.bb b/meta-oe/recipes-shells/zsh/zsh_5.8.bb index 3aab65bf5b..7602ff9f64 100644 --- a/meta-oe/recipes-shells/zsh/zsh_5.4.2.bb +++ b/meta-oe/recipes-shells/zsh/zsh_5.8.bb @@ -10,17 +10,20 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=1a4c4cda3e8096d2fd483ff2f4514fec" DEPENDS = "ncurses bison-native libcap libpcre gdbm groff-native" -SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.gz" -SRC_URI[md5sum] = "dfe156fd69b0d8d1745ecf6d6e02e047" -SRC_URI[sha256sum] = "957bcdb2c57f64c02f673693ea5a7518ef24b6557aeb3a4ce222cefa6d74acc9" +SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/5.8/${BP}.tar.xz \ + file://CVE-2021-45444_1.patch \ + file://CVE-2021-45444_2.patch \ + file://CVE-2021-45444_3.patch \ + " +SRC_URI[sha256sum] = "dcc4b54cc5565670a65581760261c163d720991f0d06486da61f8d839b52de27" -inherit autotools gettext update-alternatives +inherit autotools-brokensep gettext update-alternatives manpages EXTRA_OECONF = " \ --bindir=${base_bindir} \ --enable-etcdir=${sysconfdir} \ - --enable-fndir=${datadir}/${PN}/${PV}/functions \ - --enable-site-fndir=${datadir}/${PN}/site-functions \ + --enable-fndir=${datadir}/${BPN}/${PV}/functions \ + --enable-site-fndir=${datadir}/${BPN}/site-functions \ --with-term-lib='ncursesw ncurses' \ --with-tcsetpgrp \ --enable-cap \ @@ -35,10 +38,10 @@ export bindir="${base_bindir}" EXTRA_OEMAKE = "-e MAKEFLAGS=" -ALTERNATIVE_${PN} = "sh" +ALTERNATIVE:${PN} = "sh" ALTERNATIVE_LINK_NAME[sh] = "${base_bindir}/sh" ALTERNATIVE_TARGET[sh] = "${base_bindir}/${BPN}" -ALTERNATIVE_PRIORITY = "100" +ALTERNATIVE_PRIORITY = "90" export AUTOHEADER = "true" @@ -47,19 +50,13 @@ do_configure () { oe_runconf } -do_install_append () { - rm -fr ${D}/usr/share - rmdir --ignore-fail-on-non-empty ${D}/usr -} - -pkg_postinst_${PN} () { +pkg_postinst:${PN} () { touch $D${sysconfdir}/shells grep -q "bin/zsh" $D${sysconfdir}/shells || echo /bin/zsh >> $D${sysconfdir}/shells grep -q "bin/sh" $D${sysconfdir}/shells || echo /bin/sh >> $D${sysconfdir}/shells } -FILES_${PN}-dbg += "\ - ${libdir}/${PN}/${PV}/${PN}/.debug/*.so \ - ${libdir}/${PN}/${PV}/${PN}/db/.debug/*.so \ - ${libdir}/${PN}/${PV}/${PN}/net/.debug/*.so \ -" +# work around QA failures with usrmerge installing zsh in /usr/bin/zsh instead of /bin/zsh +# ERROR: QA Issue: /usr/share/zsh/5.8/functions/zed contained in package zsh requires /bin/zsh, but no providers found in RDEPENDS:zsh? [file-rdeps] +# like bash does since https://git.openembedded.org/openembedded-core/commit/?id=4759408677a4e60c5fa7131afcb5bc184cf2f90a +RPROVIDES:${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', '/bin/zsh', '', d)}" |