fix CVE-2021-45444
This commit is contained in:
jlwwlsqc
parent
d59ad5d827
commit
f32e936d97
42
backport-CVE-2021-45444-1.patch
Normal file
42
backport-CVE-2021-45444-1.patch
Normal file
@ -0,0 +1,42 @@
|
||||
From c187154f47697cdbf822c2f9d714d570ed4a0fd1 Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Kiddle <opk@zsh.org>
|
||||
Date: Wed, 15 Dec 2021 01:56:40 +0100
|
||||
Subject: [PATCH] security/41: Don't perform PROMPT_SUBST evaluation on %F/%K
|
||||
arguments
|
||||
|
||||
Mitigates CVE-2021-45444
|
||||
---
|
||||
Src/prompt.c | 10 ++++++++++
|
||||
1 files changed, 10 insertions(+)
|
||||
|
||||
diff --git a/Src/prompt.c b/Src/prompt.c
|
||||
index b65bfb8..91e21c8 100644
|
||||
--- a/Src/prompt.c
|
||||
+++ b/Src/prompt.c
|
||||
@@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg)
|
||||
bv->fm += 2; /* skip over F{ */
|
||||
if ((ep = strchr(bv->fm, '}'))) {
|
||||
char oc = *ep, *col, *coll;
|
||||
+ int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG];
|
||||
+ int opp = opts[PROMPTPERCENT];
|
||||
+
|
||||
+ opts[PROMPTPERCENT] = 1;
|
||||
+ opts[PROMPTSUBST] = opts[PROMPTBANG] = 0;
|
||||
+
|
||||
*ep = '\0';
|
||||
/* expand the contents of the argument so you can use
|
||||
* %v for example */
|
||||
@@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg)
|
||||
arg = match_colour((const char **)&coll, is_fg, 0);
|
||||
free(col);
|
||||
bv->fm = ep;
|
||||
+
|
||||
+ opts[PROMPTSUBST] = ops;
|
||||
+ opts[PROMPTBANG] = opb;
|
||||
+ opts[PROMPTPERCENT] = opp;
|
||||
} else {
|
||||
arg = match_colour((const char **)&bv->fm, is_fg, 0);
|
||||
if (*bv->fm != '}')
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
98
backport-CVE-2021-45444-2.patch
Normal file
98
backport-CVE-2021-45444-2.patch
Normal file
@ -0,0 +1,98 @@
|
||||
From 972887bbe5eb6a00e5f0e73781d6d73bfdcafb93 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marc=20Cornell=C3=A0?= <hello@mcornella.com>
|
||||
Date: Mon, 24 Jan 2022 09:43:28 +0100
|
||||
Subject: [PATCH] security/89: Partially work around CVE-2021-45444 in VCS_Info
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This patch is a partial, VCS_Info-specific work-around for CVE-2021-45444,
|
||||
which is mitigated in the shell itself in 5.8.1 and later versions. It is
|
||||
offered for users who are concerned about an exploit but are unable to update
|
||||
their binaries to receive the complete fix.
|
||||
|
||||
The patch works around the vulnerability by pre-escaping values substituted
|
||||
into format strings in VCS_Info. Please note that this may break some user
|
||||
configurations that rely on those values being un-escaped (which is why it was
|
||||
not included directly in 5.8.1). It may be possible to limit this breakage by
|
||||
adjusting exactly which ones are pre-escaped, but of course this may leave
|
||||
them vulnerable again.
|
||||
|
||||
If applying the patch to the file system is inconvenient or not possible, the
|
||||
following script can be used to idempotently patch the relevant function
|
||||
running in memory (and thus must be re-run when the shell is restarted):
|
||||
|
||||
|
||||
# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version)
|
||||
autoload -Uz is-at-least
|
||||
if is-at-least 5.8.1 || ! is-at-least 5.0.3; then
|
||||
return
|
||||
fi
|
||||
|
||||
# Quote necessary $hook_com[<field>] items just before they are used
|
||||
# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats
|
||||
# function, where <field> is:
|
||||
#
|
||||
# base: the full path of the repository's root directory.
|
||||
# base-name: the name of the repository's root directory.
|
||||
# branch: the name of the currently checked out branch.
|
||||
# revision: an identifier of the currently checked out revision.
|
||||
# subdir: the path of the current directory relative to the
|
||||
# repository's root directory.
|
||||
# misc: a string that may contain anything the vcs_info backend wants.
|
||||
#
|
||||
# This patch %-quotes these fields previous to their use in vcs_info hooks and
|
||||
# the zformat call and, eventually, when they get expanded in the prompt.
|
||||
# It's important to quote these here, and not later after hooks have modified the
|
||||
# fields, because then we could be quoting % characters from valid prompt sequences,
|
||||
# like %F{color}, %B, etc.
|
||||
#
|
||||
# 32 │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
|
||||
# 33 │ hook_com[subdir_orig]="${hook_com[subdir]}"
|
||||
# 34 │
|
||||
# 35 + │ for tmp in base base-name branch misc revision subdir; do
|
||||
# 36 + │ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
|
||||
# 37 + │ done
|
||||
# 38 + │
|
||||
# 39 │ VCS_INFO_hook 'post-backend'
|
||||
#
|
||||
# This is especially important so that no command substitution is performed
|
||||
# due to malicious input as a consequence of CVE-2021-45444, which affects
|
||||
# zsh versions from 5.0.3 to 5.8.
|
||||
#
|
||||
autoload -Uz +X regexp-replace VCS_INFO_formats
|
||||
|
||||
# We use $tmp here because it's already a local variable in VCS_INFO_formats
|
||||
typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"'
|
||||
# Unique string to avoid reapplying the patch if this code gets called twice
|
||||
typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b
|
||||
# Only patch the VCS_INFO_formats function if not already patched
|
||||
if [[ "$functions[VCS_INFO_formats]" != *$PATCH_ID* ]]; then
|
||||
regexp-replace 'functions[VCS_INFO_formats]' \
|
||||
"VCS_INFO_hook 'post-backend'" \
|
||||
': ${PATCH_ID}; ${PATCH}; ${MATCH}'
|
||||
fi
|
||||
unset PATCH PATCH_ID
|
||||
|
||||
|
||||
---
|
||||
Functions/VCS_Info/VCS_INFO_formats | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/Functions/VCS_Info/VCS_INFO_formats b/Functions/VCS_Info/VCS_INFO_formats
|
||||
index e0e1dc738..4d88e28b6 100644
|
||||
--- a/Functions/VCS_Info/VCS_INFO_formats
|
||||
+++ b/Functions/VCS_Info/VCS_INFO_formats
|
||||
@@ -32,6 +32,10 @@ hook_com[base-name_orig]="${hook_com[base_name]}"
|
||||
hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
|
||||
hook_com[subdir_orig]="${hook_com[subdir]}"
|
||||
|
||||
+for tmp in base base-name branch misc revision subdir; do
|
||||
+ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
|
||||
+done
|
||||
+
|
||||
VCS_INFO_hook 'post-backend'
|
||||
|
||||
## description (for backend authors):
|
||||
--
|
||||
2.34.1
|
||||
10
zsh.spec
10
zsh.spec
@ -2,7 +2,7 @@
|
||||
|
||||
Name: zsh
|
||||
Version: 5.8
|
||||
Release: 2
|
||||
Release: 3
|
||||
Summary: A shell designed for interactive use
|
||||
License: MIT
|
||||
URL: http://zsh.sourceforge.net
|
||||
@ -27,6 +27,8 @@ Requires(postun): coreutils grep
|
||||
Provides: /bin/zsh
|
||||
|
||||
Patch0: backport-Simplify-N-cond-test.patch
|
||||
Patch1: backport-CVE-2021-45444-1.patch
|
||||
Patch2: backport-CVE-2021-45444-2.patch
|
||||
|
||||
%description
|
||||
The zsh is a shell designed for interactive use, and it is also a powerful scripting language. Many of
|
||||
@ -130,6 +132,12 @@ fi
|
||||
%{_infodir}/*
|
||||
|
||||
%changelog
|
||||
* Tue Mar 1 2022 wangjie <wangjie375@h-partners.com> - 5.8-3
|
||||
- Type: CVE
|
||||
- ID: CVE-2021-45444
|
||||
- SUG: NA
|
||||
- DESC: fix CVE-2021-45444
|
||||
|
||||
* Sat Mar 20 2021 shenyangyang <shenyangyang4@huawei.com> - 5.8-2
|
||||
- Type:enhancement
|
||||
- ID:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user