1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
|
From 8a4d65ef6d0023ab9b238529410afb433553d2fa Mon Sep 17 00:00:00 2001
From: Marc Cornellà <hello@mcornella.com>
Date: Mon, 24 Jan 2022 09:43:28 +0100
Subject: [PATCH 2/9] security/89: Add patch which can optionally be used to
work around CVE-2021-45444 in VCS_Info
Comment: Updated to use the same file name without blanks as actually
used in the final 5.8.1 release.
https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_2.patch
Upstream-Status: Backport
CVE: CVE-2021-45444
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
ChangeLog | 5 +
Etc/CVE-2021-45444-VCS_Info-workaround.patch | 98 ++++++++++++++++++++
2 files changed, 103 insertions(+)
create mode 100644 Etc/CVE-2021-45444-VCS_Info-workaround.patch
diff --git a/ChangeLog b/ChangeLog
index eb248ec06..9a05a09e1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
2022-01-27 dana <dana@dana.is>
+ * Marc Cornellà: security/89:
+ Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which
+ can optionally be used to work around recursive PROMPT_SUBST
+ issue in VCS_Info
+
* Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive
PROMPT_SUBST
diff --git a/Etc/CVE-2021-45444-VCS_Info-workaround.patch b/Etc/CVE-2021-45444-VCS_Info-workaround.patch
new file mode 100644
index 000000000..13e54be77
--- /dev/null
+++ b/Etc/CVE-2021-45444-VCS_Info-workaround.patch
@@ -0,0 +1,98 @@
+From 972887bbe5eb6a00e5f0e73781d6d73bfdcafb93 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc=20Cornell=C3=A0?= <hello@mcornella.com>
+Date: Mon, 24 Jan 2022 09:43:28 +0100
+Subject: [PATCH] security/89: Partially work around CVE-2021-45444 in VCS_Info
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch is a partial, VCS_Info-specific work-around for CVE-2021-45444,
+which is mitigated in the shell itself in 5.8.1 and later versions. It is
+offered for users who are concerned about an exploit but are unable to update
+their binaries to receive the complete fix.
+
+The patch works around the vulnerability by pre-escaping values substituted
+into format strings in VCS_Info. Please note that this may break some user
+configurations that rely on those values being un-escaped (which is why it was
+not included directly in 5.8.1). It may be possible to limit this breakage by
+adjusting exactly which ones are pre-escaped, but of course this may leave
+them vulnerable again.
+
+If applying the patch to the file system is inconvenient or not possible, the
+following script can be used to idempotently patch the relevant function
+running in memory (and thus must be re-run when the shell is restarted):
+
+
+# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version)
+autoload -Uz is-at-least
+if is-at-least 5.8.1 || ! is-at-least 5.0.3; then
+ return
+fi
+
+# Quote necessary $hook_com[<field>] items just before they are used
+# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats
+# function, where <field> is:
+#
+# base: the full path of the repository's root directory.
+# base-name: the name of the repository's root directory.
+# branch: the name of the currently checked out branch.
+# revision: an identifier of the currently checked out revision.
+# subdir: the path of the current directory relative to the
+# repository's root directory.
+# misc: a string that may contain anything the vcs_info backend wants.
+#
+# This patch %-quotes these fields previous to their use in vcs_info hooks and
+# the zformat call and, eventually, when they get expanded in the prompt.
+# It's important to quote these here, and not later after hooks have modified the
+# fields, because then we could be quoting % characters from valid prompt sequences,
+# like %F{color}, %B, etc.
+#
+# 32 │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
+# 33 │ hook_com[subdir_orig]="${hook_com[subdir]}"
+# 34 │
+# 35 + │ for tmp in base base-name branch misc revision subdir; do
+# 36 + │ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
+# 37 + │ done
+# 38 + │
+# 39 │ VCS_INFO_hook 'post-backend'
+#
+# This is especially important so that no command substitution is performed
+# due to malicious input as a consequence of CVE-2021-45444, which affects
+# zsh versions from 5.0.3 to 5.8.
+#
+autoload -Uz +X regexp-replace VCS_INFO_formats
+
+# We use $tmp here because it's already a local variable in VCS_INFO_formats
+typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"'
+# Unique string to avoid reapplying the patch if this code gets called twice
+typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b
+# Only patch the VCS_INFO_formats function if not already patched
+if [[ "$functions[VCS_INFO_formats]" != *$PATCH_ID* ]]; then
+ regexp-replace 'functions[VCS_INFO_formats]' \
+ "VCS_INFO_hook 'post-backend'" \
+ ': ${PATCH_ID}; ${PATCH}; ${MATCH}'
+fi
+unset PATCH PATCH_ID
+
+
+---
+ Functions/VCS_Info/VCS_INFO_formats | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/Functions/VCS_Info/VCS_INFO_formats b/Functions/VCS_Info/VCS_INFO_formats
+index e0e1dc738..4d88e28b6 100644
+--- a/Functions/VCS_Info/VCS_INFO_formats
++++ b/Functions/VCS_Info/VCS_INFO_formats
+@@ -32,6 +32,10 @@ hook_com[base-name_orig]="${hook_com[base_name]}"
+ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
+ hook_com[subdir_orig]="${hook_com[subdir]}"
+
++for tmp in base base-name branch misc revision subdir; do
++ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
++done
++
+ VCS_INFO_hook 'post-backend'
+
+ ## description (for backend authors):
+--
+2.34.1
--
2.34.1
|
