author    dana <dana@dana.is>    2021-12-21 13:13:33 -0600
committer dana <dana@dana.is>    2022-02-12 10:29:55 -0600
commit    f7fa575a593c27fb2540aca64ef790340d60addf
tree      2f7b63af701b0f257e9ce7819bc7d5fdb39d432d
parent    d2df4c8ee400059e828f14b7f3cdfa24c0095d1f
CVE-2021-45444: Update NEWS/README
(cherry picked from commit bdc4d70a7e033b754e68a8659a037ea0fc5f38de)
 ChangeLog |  2
 NEWS      | 17
 README    |  3
 3 files changed, 22 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 1bdeabc54..255a3dbe8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 2022-02-12  dana  <dana@dana.is>
 
+	* CVE-2021-45444: NEWS, README: Document preceding two changes
+
 	* Marc Cornellà: security/89:
 	Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which
 	can optionally be used to work around recursive PROMPT_SUBST
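Review bot: the new ChangeLog line "Document preceding two changes" only makes sense while the two entries below it stay adjacent; name them directly (the PROMPT_SUBST fix for prompt-expansion arguments, and the Etc/CVE-2021-45444-VCS_Info-workaround.patch addition) so the entry still reads correctly on its own in the log or when other entries are interleaved.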
diff --git a/NEWS b/NEWS
index 3459391e7..1e9926c05 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,23 @@ Note also the list of incompatibilities in the README file.
 Changes since 5.8
 -----------------
 
+CVE-2021-45444: Some prompt expansion sequences, such as %F, support
+'arguments' which are themselves expanded in case they contain colour
+values, etc. This additional expansion would trigger PROMPT_SUBST
+evaluation, if enabled. This could be abused to execute code the user
+didn't expect. e.g., given a certain prompt configuration, an attacker
+could trick a user into executing arbitrary code by having them check
+out a Git branch with a specially crafted name.
+
+This is fixed in the shell itself by no longer performing PROMPT_SUBST
+evaluation on these prompt-expansion arguments.
+
+Users who are concerned about an exploit but unable to update their
+binaries may apply the partial work-around described in the file
+Etc/CVE-2021-45444-VCS_Info-workaround.patch included with the shell
+source. [ Reported by RyotaK <security@ryotak.me>. Additional thanks to
+Marc Cornellà <hello@mcornella.com>. ]
+
 When unsetting a hash element, the string enclosed in square brackets is
 interpreted literally after any normal command-line-argument expansions.
 Thus
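Review bot: the NEWS entry describes the work-around as "partial" but does not say what it does not cover, and it does not state which release first contains the fix, so a user reading only this entry cannot judge whether an unpatched binary plus the work-around is enough for their configuration; suggest adding one sentence on the work-around's limits and naming the first fixed release under this "Changes since 5.8" heading. Minor style point in the same paragraph: "didn't expect. e.g., given a certain prompt configuration" starts a sentence with a lowercase "e.g."; either join it to the previous sentence with a semicolon or begin it with "For example,".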
diff --git a/README b/README
index 3ef8afcd1..f493375ce 100644
--- a/README
+++ b/README
@@ -34,6 +34,9 @@ details, see the documentation.
 Incompatibilities since 5.8
 ---------------------------
 
+PROMPT_SUBST expansion is no longer performed on arguments to prompt-
+expansion sequences such as %F.
+
 Build-time change: The default value of the --enable-gdbm configure
 argument has changed from "yes" to "no".  Thus, the zsh/db/gdbm module will
 not be built unless --enable-gdbm is passed explicitly.
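Review bot: the README incompatibility entry states the behaviour change (no PROMPT_SUBST expansion on arguments to sequences such as %F) but gives no rationale or pointer, so a user whose prompt output changes after upgrading has no way to tell this was a deliberate security fix; suggest appending a cross-reference such as "(see CVE-2021-45444 in NEWS)" so it is distinguishable from an ordinary behaviour change.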