mirror of
git://git.code.sf.net/p/zsh/code
synced 2024-05-27 02:16:22 +02:00
CVE-2021-45444: Update NEWS/README
(cherry picked from commit bdc4d70a7e)
parent
d2df4c8ee4
commit
f7fa575a59
|
@ -1,5 +1,7 @@
|
||||||
2022-02-12 dana <dana@dana.is>
|
2022-02-12 dana <dana@dana.is>
|
||||||
|
|
||||||
|
* CVE-2021-45444: NEWS, README: Document preceding two changes
|
||||||
|
|
||||||
* Marc Cornellà: security/89:
|
* Marc Cornellà: security/89:
|
||||||
Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which
|
Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which
|
||||||
can optionally be used to work around recursive PROMPT_SUBST
|
can optionally be used to work around recursive PROMPT_SUBST
|
||||||
|
|
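Review bot: "Document preceding two changes" in the new ChangeLog entry identifies what is being documented only by position, and only the security/89 entry is visible in this context. Since this commit is itself a cherry-pick, the order of neighbouring entries can differ between branches; naming the changes by their reference (security/89 and the other change's number) would keep the entry meaningful wherever it lands.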
17
NEWS
17
NEWS
|
@ -7,6 +7,23 @@ Note also the list of incompatibilities in the README file.
|
||||||
Changes since 5.8
|
Changes since 5.8
|
||||||
-----------------
|
-----------------
|
||||||
|
|
||||||
|
CVE-2021-45444: Some prompt expansion sequences, such as %F, support
|
||||||
|
'arguments' which are themselves expanded in case they contain colour
|
||||||
|
values, etc. This additional expansion would trigger PROMPT_SUBST
|
||||||
|
evaluation, if enabled. This could be abused to execute code the user
|
||||||
|
didn't expect. e.g., given a certain prompt configuration, an attacker
|
||||||
|
could trick a user into executing arbitrary code by having them check
|
||||||
|
out a Git branch with a specially crafted name.
|
||||||
|
|
||||||
|
This is fixed in the shell itself by no longer performing PROMPT_SUBST
|
||||||
|
evaluation on these prompt-expansion arguments.
|
||||||
|
|
||||||
|
Users who are concerned about an exploit but unable to update their
|
||||||
|
binaries may apply the partial work-around described in the file
|
||||||
|
Etc/CVE-2021-45444-VCS_Info-workaround.patch included with the shell
|
||||||
|
source. [ Reported by RyotaK <security@ryotak.me>. Additional thanks to
|
||||||
|
Marc Cornellà <hello@mcornella.com>. ]
|
||||||
|
|
||||||
When unsetting a hash element, the string enclosed in square brackets is
|
When unsetting a hash element, the string enclosed in square brackets is
|
||||||
interpreted literally after any normal command-line-argument expansions.
|
interpreted literally after any normal command-line-argument expansions.
|
||||||
Thus
|
Thus
|
||||||
|
|
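Review bot: The NEWS paragraph says "given a certain prompt configuration" without naming it, so a reader cannot tell from this entry whether their own setup is exposed. The workaround file name and the ChangeLog context point at VCS_Info and recursive PROMPT_SUBST; stating that here would let users check their prompt directly. The text also calls the workaround "partial" without saying what it leaves uncovered, which is the detail someone who cannot update their binaries most needs; a sentence on the remaining exposure, or an explicit pointer that the patch file itself explains it, would close that gap.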
3
README
3
README
|
@ -34,6 +34,9 @@ details, see the documentation.
|
||||||
Incompatibilities since 5.8
|
Incompatibilities since 5.8
|
||||||
---------------------------
|
---------------------------
|
||||||
|
|
||||||
|
PROMPT_SUBST expansion is no longer performed on arguments to prompt-
|
||||||
|
expansion sequences such as %F.
|
||||||
|
|
||||||
Build-time change: The default value of the --enable-gdbm configure
|
Build-time change: The default value of the --enable-gdbm configure
|
||||||
argument has changed from "yes" to "no". Thus, the zsh/db/gdbm module will
|
argument has changed from "yes" to "no". Thus, the zsh/db/gdbm module will
|
||||||
not be built unless --enable-gdbm is passed explicitly.
|
not be built unless --enable-gdbm is passed explicitly.
|
||||||
|
|
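Review bot: The new incompatibility entry does not mention CVE-2021-45444 or point to the NEWS entry, so a user whose prompt stops expanding inside a %F argument after upgrading has no pointer to the reason for the change. Consider appending a cross-reference such as "See the CVE-2021-45444 entry in NEWS", plus a brief note on what prompts that relied on the old behaviour should do instead.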