From f7fa575a593c27fb2540aca64ef790340d60addf Mon Sep 17 00:00:00 2001 From: dana Date: Tue, 21 Dec 2021 13:13:33 -0600 Subject: CVE-2021-45444: Update NEWS/README (cherry picked from commit bdc4d70a7e033b754e68a8659a037ea0fc5f38de) --- ChangeLog | 2 ++ NEWS | 17 +++++++++++++++++ README | 3 +++ 3 files changed, 22 insertions(+) diff --git a/ChangeLog b/ChangeLog index 1bdeabc54..255a3dbe8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,7 @@ 2022-02-12 dana + * CVE-2021-45444: NEWS, README: Document preceding two changes + * Marc Cornellà: security/89: Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which can optionally be used to work around recursive PROMPT_SUBST diff --git a/NEWS b/NEWS index 3459391e7..1e9926c05 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,23 @@ Note also the list of incompatibilities in the README file. Changes since 5.8 ----------------- +CVE-2021-45444: Some prompt expansion sequences, such as %F, support +'arguments' which are themselves expanded in case they contain colour +values, etc. This additional expansion would trigger PROMPT_SUBST +evaluation, if enabled. This could be abused to execute code the user +didn't expect. e.g., given a certain prompt configuration, an attacker +could trick a user into executing arbitrary code by having them check +out a Git branch with a specially crafted name. + +This is fixed in the shell itself by no longer performing PROMPT_SUBST +evaluation on these prompt-expansion arguments. + +Users who are concerned about an exploit but unable to update their +binaries may apply the partial work-around described in the file +Etc/CVE-2021-45444-VCS_Info-workaround.patch included with the shell +source. [ Reported by RyotaK . Additional thanks to +Marc Cornellà . ] + When unsetting a hash element, the string enclosed in square brackets is interpreted literally after any normal command-line-argument expansions. Thus diff --git a/README b/README index 3ef8afcd1..f493375ce 100644 --- a/README +++ b/README 
@@ -34,6 +34,9 @@ details, see the documentation. Incompatibilities since 5.8 --------------------------- +PROMPT_SUBST expansion is no longer performed on arguments to prompt- +expansion sequences such as %F. + Build-time change: The default value of the --enable-gdbm configure argument has changed from "yes" to "no". Thus, the zsh/db/gdbm module will not be built unless --enable-gdbm is passed explicitly. -- cgit 1.4.1
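Review bot: In the ChangeLog hunk, the new entry "Document preceding two changes" identifies the changes only by their position in the log, which is fragile for a commit that is itself a cherry-pick (the commit header shows it was picked from bdc4d70a7e033b754e68a8659a037ea0fc5f38de) and may land next to different neighbours on another branch. Suggest naming them explicitly, e.g. "Document the PROMPT_SUBST fix for prompt-expansion arguments and the Etc/CVE-2021-45444-VCS_Info-workaround.patch", so the entry stays meaningful on its own.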
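Review bot: In the NEWS hunk, the third paragraph calls the Etc/CVE-2021-45444-VCS_Info-workaround.patch a "partial work-around" without saying what it leaves uncovered, which is exactly what a user who cannot update their binary needs to decide whether it is enough. Suggest one sentence stating its scope (the file name suggests it addresses vcs_info prompts only) and making explicit that updating the shell is the complete fix and the patch is a stopgap. The entry otherwise reads clearly: it names the trigger (PROMPT_SUBST on %F-style arguments), a concrete vector (a crafted Git branch name), and the fix.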
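Review bot: In the README hunk, the new incompatibility entry does not mention CVE-2021-45444, so a reader of README alone cannot tell that this behaviour change is a security fix rather than an arbitrary incompatibility, or find the workaround documented in NEWS. Suggest appending a cross-reference, e.g. "(see CVE-2021-45444 in NEWS)", and optionally a hint on what to look for when auditing existing configurations, namely prompt sequences whose arguments were previously relied upon to undergo PROMPT_SUBST expansion.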