diff --git a/backport-CVE-2021-45444-1.patch b/backport-CVE-2021-45444-1.patch deleted file mode 100644 index c43f858..0000000 --- a/backport-CVE-2021-45444-1.patch +++ /dev/null @@ -1,42 +0,0 @@ -From c187154f47697cdbf822c2f9d714d570ed4a0fd1 Mon Sep 17 00:00:00 2001 -From: Oliver Kiddle -Date: Wed, 15 Dec 2021 01:56:40 +0100 -Subject: [PATCH] security/41: Don't perform PROMPT_SUBST evaluation on %F/%K - arguments - -Mitigates CVE-2021-45444 ---- - Src/prompt.c | 10 ++++++++++ - 1 files changed, 10 insertions(+) - -diff --git a/Src/prompt.c b/Src/prompt.c -index b65bfb8..91e21c8 100644 ---- a/Src/prompt.c -+++ b/Src/prompt.c -@@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg) - bv->fm += 2; /* skip over F{ */ - if ((ep = strchr(bv->fm, '}'))) { - char oc = *ep, *col, *coll; -+ int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG]; -+ int opp = opts[PROMPTPERCENT]; -+ -+ opts[PROMPTPERCENT] = 1; -+ opts[PROMPTSUBST] = opts[PROMPTBANG] = 0; -+ - *ep = '\0'; - /* expand the contents of the argument so you can use - * %v for example */ -@@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg) - arg = match_colour((const char **)&coll, is_fg, 0); - free(col); - bv->fm = ep; -+ -+ opts[PROMPTSUBST] = ops; -+ opts[PROMPTBANG] = opb; -+ opts[PROMPTPERCENT] = opp; - } else { - arg = match_colour((const char **)&bv->fm, is_fg, 0); - if (*bv->fm != '}') --- -1.8.3.1 - diff --git a/backport-CVE-2021-45444-2.patch b/backport-CVE-2021-45444-2.patch deleted file mode 100644 index 13e54be..0000000 --- a/backport-CVE-2021-45444-2.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 972887bbe5eb6a00e5f0e73781d6d73bfdcafb93 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marc=20Cornell=C3=A0?= -Date: Mon, 24 Jan 2022 09:43:28 +0100 -Subject: [PATCH] security/89: Partially work around CVE-2021-45444 in VCS_Info -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This patch is a partial, VCS_Info-specific work-around for CVE-2021-45444, -which is mitigated in the shell itself in 5.8.1 and later versions. It is -offered for users who are concerned about an exploit but are unable to update -their binaries to receive the complete fix. - -The patch works around the vulnerability by pre-escaping values substituted -into format strings in VCS_Info. Please note that this may break some user -configurations that rely on those values being un-escaped (which is why it was -not included directly in 5.8.1). It may be possible to limit this breakage by -adjusting exactly which ones are pre-escaped, but of course this may leave -them vulnerable again. - -If applying the patch to the file system is inconvenient or not possible, the -following script can be used to idempotently patch the relevant function -running in memory (and thus must be re-run when the shell is restarted): - - -# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version) -autoload -Uz is-at-least -if is-at-least 5.8.1 || ! is-at-least 5.0.3; then - return -fi - -# Quote necessary $hook_com[] items just before they are used -# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats -# function, where is: -# -# base: the full path of the repository's root directory. -# base-name: the name of the repository's root directory. -# branch: the name of the currently checked out branch. -# revision: an identifier of the currently checked out revision. -# subdir: the path of the current directory relative to the -# repository's root directory. -# misc: a string that may contain anything the vcs_info backend wants. -# -# This patch %-quotes these fields previous to their use in vcs_info hooks and -# the zformat call and, eventually, when they get expanded in the prompt. -# It's important to quote these here, and not later after hooks have modified the -# fields, because then we could be quoting % characters from valid prompt sequences, -# like %F{color}, %B, etc. -# -# 32 │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})" -# 33 │ hook_com[subdir_orig]="${hook_com[subdir]}" -# 34 │ -# 35 + │ for tmp in base base-name branch misc revision subdir; do -# 36 + │ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}" -# 37 + │ done -# 38 + │ -# 39 │ VCS_INFO_hook 'post-backend' -# -# This is especially important so that no command substitution is performed -# due to malicious input as a consequence of CVE-2021-45444, which affects -# zsh versions from 5.0.3 to 5.8. -# -autoload -Uz +X regexp-replace VCS_INFO_formats - -# We use $tmp here because it's already a local variable in VCS_INFO_formats -typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"' -# Unique string to avoid reapplying the patch if this code gets called twice -typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b -# Only patch the VCS_INFO_formats function if not already patched -if [[ "$functions[VCS_INFO_formats]" != *$PATCH_ID* ]]; then - regexp-replace 'functions[VCS_INFO_formats]' \ - "VCS_INFO_hook 'post-backend'" \ - ': ${PATCH_ID}; ${PATCH}; ${MATCH}' -fi -unset PATCH PATCH_ID - - ---- - Functions/VCS_Info/VCS_INFO_formats | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/Functions/VCS_Info/VCS_INFO_formats b/Functions/VCS_Info/VCS_INFO_formats -index e0e1dc738..4d88e28b6 100644 ---- a/Functions/VCS_Info/VCS_INFO_formats -+++ b/Functions/VCS_Info/VCS_INFO_formats -@@ -32,6 +32,10 @@ hook_com[base-name_orig]="${hook_com[base_name]}" - hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})" - hook_com[subdir_orig]="${hook_com[subdir]}" - -+for tmp in base base-name branch misc revision subdir; do -+ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}" -+done -+ - VCS_INFO_hook 'post-backend' - - ## description (for backend authors): --- -2.34.1 diff --git a/backport-Simplify-N-cond-test.patch b/backport-Simplify-N-cond-test.patch deleted file mode 100644 index 0333968..0000000 --- a/backport-Simplify-N-cond-test.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 80ddc46e54f6116235e68d3fc039ef775e72d1c5 Mon Sep 17 00:00:00 2001 -From: dana -Date: Wed, 11 Mar 2020 21:17:12 -0500 -Subject: [PATCH] 45470: C02cond: Simplify '-N cond' test - -This fixes an (intermittent?) issue with the test on macOS+APFS, and hopefully -makes it simpler and faster in general ---- - Test/C02cond.ztst | 36 ++++++++++++------------------------ - 1 files changed, 12 insertions(+), 24 deletions(-) - -diff --git a/Test/C02cond.ztst b/Test/C02cond.ztst -index 4b1ec02f0..5b105b2a0 100644 ---- a/Test/C02cond.ztst -+++ b/Test/C02cond.ztst -@@ -146,39 +146,27 @@ - - # can't be bothered with -S - -- if [[ ${mtab::="$({mount || /sbin/mount || /usr/sbin/mount} 2>/dev/null)"} = *[(]?*[)] ]]; then -- print -u $ZTST_fd 'This test takes two seconds...' -- else -- unmodified_ls="$(ls -lu $unmodified)" -- print -u $ZTST_fd 'This test takes up to 60 seconds...' -- fi -- sleep 2 -+ print -ru $ZTST_fd 'This test may take two seconds...' - touch $newnewnew - if [[ $OSTYPE == "cygwin" ]]; then - ZTST_skip="[[ -N file ]] not supported on Cygwin" - elif (( isnfs )); then - ZTST_skip="[[ -N file ]] not supported with NFS" -- elif { (( ! $+unmodified_ls )) && -- cat $unmodified && -- { df -k -- ${$(print -r -- "$mtab" | -- awk '/noatime/ {print $1,$3}'):-""} | tr -s ' ' | -- fgrep -- "$(df -k . | tail -1 | tr -s ' ')" } >&/dev/null } || -- { (( $+unmodified_ls )) && SECONDS=0 && -- ! until (( SECONDS >= 58 )); do -- ZTST_hashmark; sleep 2; cat $unmodified -- [[ $unmodified_ls != "$(ls -lu $unmodified)" ]] && break -- done }; then -- ZTST_skip="[[ -N file ]] not supported with noatime file system" -+ elif ! zmodload -F zsh/stat b:zstat 2> /dev/null; then -+ ZTST_skip='[[ -N file ]] not tested; zsh/stat not available' -+ elif ! { sleep 2; touch -a $unmodified 2> /dev/null }; then -+ ZTST_skip='[[ -N file ]] not tested; touch failed' -+ elif [[ "$(zstat +atime $unmodified)" == "$(zstat +mtime $unmodified)" ]]; then -+ ZTST_skip='[[ -N file ]] not supported on this file system' - else - [[ -N $newnewnew && ! -N $unmodified ]] - fi - 0:-N cond --F:This test can fail on NFS-mounted filesystems as the access and --F:modification times are not updated separately. The test will fail --F:on HFS+ (Apple Mac OS X default) filesystems because access times --F:are not recorded. Also, Linux ext3 filesystems may be mounted --F:with the noatime option which does not update access times. --F:Failures in these cases do not indicate a problem in the shell. -+F:This test relies on the file system supporting atime updates. It -+F:should automatically detect whether this is the case, and skip -+F:without failing if it isn't, but it's possible that some -+F:configurations may elude this detection. Please report this -+F:scenario if you encounter it. - - [[ $newnewnew -nt $zlnfs && ! ($unmodified -nt $zlnfs) ]] - 0:-nt cond diff --git a/zsh-5.8.tar.xz b/zsh-5.8.tar.xz deleted file mode 100644 index 460152c..0000000 Binary files a/zsh-5.8.tar.xz and /dev/null differ diff --git a/zsh-5.9.tar.xz b/zsh-5.9.tar.xz new file mode 100644 index 0000000..7fac164 Binary files /dev/null and b/zsh-5.9.tar.xz differ diff --git a/zsh.spec b/zsh.spec index 3ec3c90..c497100 100644 --- a/zsh.spec +++ b/zsh.spec @@ -1,8 +1,8 @@ %define _bindir /bin Name: zsh -Version: 5.8 -Release: 3 +Version: 5.9 +Release: 1 Summary: A shell designed for interactive use License: MIT URL: http://zsh.sourceforge.net @@ -26,10 +26,6 @@ Requires(postun): coreutils grep Provides: /bin/zsh -Patch0: backport-Simplify-N-cond-test.patch -Patch1: backport-CVE-2021-45444-1.patch -Patch2: backport-CVE-2021-45444-2.patch - %description The zsh is a shell designed for interactive use, and it is also a powerful scripting language. Many of the useful features of bash, ksh, and tcsh were incorporated into zsh. It can match files by file extension @@ -132,6 +128,9 @@ fi %{_infodir}/* %changelog +* Sun Oct 9 2022 dillon chen < dillon.chen@gmail.com> - 5.9-1 +- update to 5.9 + * Tue Mar 1 2022 wangjie - 5.8-3 - Type: CVE - ID: CVE-2021-45444