packages/zsh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-45444

Browse Source
This commit is contained in:
jlwwlsqc 2022-03-01 16:55:00 +08:00
parent d59ad5d827
commit f32e936d97
3 changed files with 149 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
backport-CVE-2021-45444-1.patch Normal file
View File

@ -0,0 +1,42 @@
From c187154f47697cdbf822c2f9d714d570ed4a0fd1 Mon Sep 17 00:00:00 2001
From: Oliver Kiddle <opk@zsh.org>
Date: Wed, 15 Dec 2021 01:56:40 +0100
Subject: [PATCH] security/41: Don't perform PROMPT_SUBST evaluation on %F/%K
arguments
Mitigates CVE-2021-45444
---
Src/prompt.c | 10 ++++++++++
1 files changed, 10 insertions(+)
diff --git a/Src/prompt.c b/Src/prompt.c
index b65bfb8..91e21c8 100644
--- a/Src/prompt.c
+++ b/Src/prompt.c
@@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg)
bv->fm += 2; /* skip over F{ */
if ((ep = strchr(bv->fm, '}'))) {
char oc = *ep, *col, *coll;
+ int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG];
+ int opp = opts[PROMPTPERCENT];
+
+ opts[PROMPTPERCENT] = 1;
+ opts[PROMPTSUBST] = opts[PROMPTBANG] = 0;
+
*ep = '\0';
/* expand the contents of the argument so you can use
* %v for example */
@@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg)
arg = match_colour((const char **)&coll, is_fg, 0);
free(col);
bv->fm = ep;
+
+ opts[PROMPTSUBST] = ops;
+ opts[PROMPTBANG] = opb;
+ opts[PROMPTPERCENT] = opp;
} else {
arg = match_colour((const char **)&bv->fm, is_fg, 0);
if (*bv->fm != '}')
--
1.8.3.1

98
backport-CVE-2021-45444-2.patch Normal file
View File

@ -0,0 +1,98 @@
From 972887bbe5eb6a00e5f0e73781d6d73bfdcafb93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc=20Cornell=C3=A0?= <hello@mcornella.com>
Date: Mon, 24 Jan 2022 09:43:28 +0100
Subject: [PATCH] security/89: Partially work around CVE-2021-45444 in VCS_Info
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch is a partial, VCS_Info-specific work-around for CVE-2021-45444,
which is mitigated in the shell itself in 5.8.1 and later versions. It is
offered for users who are concerned about an exploit but are unable to update
their binaries to receive the complete fix.
The patch works around the vulnerability by pre-escaping values substituted
into format strings in VCS_Info. Please note that this may break some user
configurations that rely on those values being un-escaped (which is why it was
not included directly in 5.8.1). It may be possible to limit this breakage by
adjusting exactly which ones are pre-escaped, but of course this may leave
them vulnerable again.
If applying the patch to the file system is inconvenient or not possible, the
following script can be used to idempotently patch the relevant function
running in memory (and thus must be re-run when the shell is restarted):
# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version)
autoload -Uz is-at-least
if is-at-least 5.8.1 || ! is-at-least 5.0.3; then
return
fi
# Quote necessary $hook_com[<field>] items just before they are used
# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats
# function, where <field> is:
#
# base: the full path of the repository's root directory.
# base-name: the name of the repository's root directory.
# branch: the name of the currently checked out branch.
# revision: an identifier of the currently checked out revision.
# subdir: the path of the current directory relative to the
# repository's root directory.
# misc: a string that may contain anything the vcs_info backend wants.
#
# This patch %-quotes these fields previous to their use in vcs_info hooks and
# the zformat call and, eventually, when they get expanded in the prompt.
# It's important to quote these here, and not later after hooks have modified the
# fields, because then we could be quoting % characters from valid prompt sequences,
# like %F{color}, %B, etc.
#
# 32 │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
# 33 │ hook_com[subdir_orig]="${hook_com[subdir]}"
# 34 │
# 35 + │ for tmp in base base-name branch misc revision subdir; do
# 36 + │ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
# 37 + │ done
# 38 + │
# 39 │ VCS_INFO_hook 'post-backend'
#
# This is especially important so that no command substitution is performed
# due to malicious input as a consequence of CVE-2021-45444, which affects
# zsh versions from 5.0.3 to 5.8.
#
autoload -Uz +X regexp-replace VCS_INFO_formats
# We use $tmp here because it's already a local variable in VCS_INFO_formats
typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"'
# Unique string to avoid reapplying the patch if this code gets called twice
typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b
# Only patch the VCS_INFO_formats function if not already patched
if [[ "$functions[VCS_INFO_formats]" != *$PATCH_ID* ]]; then
regexp-replace 'functions[VCS_INFO_formats]' \
"VCS_INFO_hook 'post-backend'" \
': ${PATCH_ID}; ${PATCH}; ${MATCH}'
fi
unset PATCH PATCH_ID
---
Functions/VCS_Info/VCS_INFO_formats | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/Functions/VCS_Info/VCS_INFO_formats b/Functions/VCS_Info/VCS_INFO_formats
index e0e1dc738..4d88e28b6 100644
--- a/Functions/VCS_Info/VCS_INFO_formats
+++ b/Functions/VCS_Info/VCS_INFO_formats
@@ -32,6 +32,10 @@ hook_com[base-name_orig]="${hook_com[base_name]}"
hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
hook_com[subdir_orig]="${hook_com[subdir]}"
+for tmp in base base-name branch misc revision subdir; do
+ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
+done
+
VCS_INFO_hook 'post-backend'
## description (for backend authors):
--
2.34.1

10
zsh.spec
View File

@ -2,7 +2,7 @@
Name: zsh Name: zsh
Version: 5.8 Version: 5.8
Release: 2 Release: 3
Summary: A shell designed for interactive use Summary: A shell designed for interactive use
License: MIT License: MIT
URL: http://zsh.sourceforge.net URL: http://zsh.sourceforge.net
@ -27,6 +27,8 @@ Requires(postun): coreutils grep
Provides: /bin/zsh Provides: /bin/zsh
Patch0: backport-Simplify-N-cond-test.patch Patch0: backport-Simplify-N-cond-test.patch
Patch1: backport-CVE-2021-45444-1.patch
Patch2: backport-CVE-2021-45444-2.patch
%description %description
The zsh is a shell designed for interactive use, and it is also a powerful scripting language. Many of The zsh is a shell designed for interactive use, and it is also a powerful scripting language. Many of
@ -130,6 +132,12 @@ fi
%{_infodir}/* %{_infodir}/*
%changelog %changelog
* Tue Mar 1 2022 wangjie <wangjie375@h-partners.com> - 5.8-3
- Type: CVE
- ID: CVE-2021-45444
- SUG: NA
- DESC: fix CVE-2021-45444
* Sat Mar 20 2021 shenyangyang <shenyangyang4@huawei.com> - 5.8-2 * Sat Mar 20 2021 shenyangyang <shenyangyang4@huawei.com> - 5.8-2
- Type:enhancement - Type:enhancement
- ID:NA - ID:NA