1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
From 4abf2fc193fc2f3e680deecbf81289a7b02e245b Mon Sep 17 00:00:00 2001
From: dana <dana@dana.is>
Date: Tue, 21 Dec 2021 13:13:33 -0600
Subject: [PATCH 3/9] CVE-2021-45444: Update NEWS/README
https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_3.patch
Upstream-Status: Backport
CVE: CVE-2021-45444
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
ChangeLog | 2 ++
NEWS | 20 ++++++++++++++++++++
README | 6 ++++++
3 files changed, 28 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 9a05a09e1..93b0bc337 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
2022-01-27 dana <dana@dana.is>
+ * CVE-2021-45444: NEWS, README: Document preceding two changes
+
* Marc Cornellà: security/89:
Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which
can optionally be used to work around recursive PROMPT_SUBST
diff --git a/NEWS b/NEWS
index 964e1633f..d34b3f79e 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,26 @@ CHANGES FROM PREVIOUS VERSIONS OF ZSH
Note also the list of incompatibilities in the README file.
+Changes since 5.8
+-----------------
+
+CVE-2021-45444: Some prompt expansion sequences, such as %F, support
+'arguments' which are themselves expanded in case they contain colour
+values, etc. This additional expansion would trigger PROMPT_SUBST
+evaluation, if enabled. This could be abused to execute code the user
+didn't expect. e.g., given a certain prompt configuration, an attacker
+could trick a user into executing arbitrary code by having them check
+out a Git branch with a specially crafted name.
+
+This is fixed in the shell itself by no longer performing PROMPT_SUBST
+evaluation on these prompt-expansion arguments.
+
+Users who are concerned about an exploit but unable to update their
+binaries may apply the partial work-around described in the file
+'Etc/CVE-2021-45444 VCS_Info workaround.patch' included with the shell
+source. [ Reported by RyotaK <security@ryotak.me>. Additional thanks to
+Marc Cornellà <hello@mcornella.com>. ]
+
Changes since 5.7.1-test-3
--------------------------
diff --git a/README b/README
index 7f1dd5f92..c9e994ab3 100644
--- a/README
+++ b/README
@@ -31,6 +31,12 @@ Zsh is a shell with lots of features. For a list of some of these, see the
file FEATURES, and for the latest changes see NEWS. For more
details, see the documentation.
+Incompatibilities since 5.8
+---------------------------
+
+PROMPT_SUBST expansion is no longer performed on arguments to prompt-
+expansion sequences such as %F.
+
Incompatibilities since 5.7.1
-----------------------------
--
2.34.1
|
