1From 8a4d65ef6d0023ab9b238529410afb433553d2fa Mon Sep 17 00:00:00 2001 2From: Marc Cornellà <hello@mcornella.com> 3Date: Mon, 24 Jan 2022 09:43:28 +0100 4Subject: [PATCH 2/9] security/89: Add patch which can optionally be used to 5 work around CVE-2021-45444 in VCS_Info 6Comment: Updated to use the same file name without blanks as actually 7 used in the final 5.8.1 release. 8 9 10https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_2.patch 11Upstream-Status: Backport 12CVE: CVE-2021-45444 13Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> 14--- 15 ChangeLog | 5 + 16 Etc/CVE-2021-45444-VCS_Info-workaround.patch | 98 ++++++++++++++++++++ 17 2 files changed, 103 insertions(+) 18 create mode 100644 Etc/CVE-2021-45444-VCS_Info-workaround.patch 19 20diff --git a/ChangeLog b/ChangeLog 21index eb248ec06..9a05a09e1 100644 22--- a/ChangeLog 23+++ b/ChangeLog 24@@ -1,5 +1,10 @@ 25 2022-01-27 dana <dana@dana.is> 26 27+ * Marc Cornellà: security/89: 28+ Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which 29+ can optionally be used to work around recursive PROMPT_SUBST 30+ issue in VCS_Info 31+ 32 * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive 33 PROMPT_SUBST 34 35diff --git a/Etc/CVE-2021-45444-VCS_Info-workaround.patch b/Etc/CVE-2021-45444-VCS_Info-workaround.patch 36new file mode 100644 37index 000000000..13e54be77 38--- /dev/null 39+++ b/Etc/CVE-2021-45444-VCS_Info-workaround.patch 40@@ -0,0 +1,98 @@ 41+From 972887bbe5eb6a00e5f0e73781d6d73bfdcafb93 Mon Sep 17 00:00:00 2001 42+From: =?UTF-8?q?Marc=20Cornell=C3=A0?= <hello@mcornella.com> 43+Date: Mon, 24 Jan 2022 09:43:28 +0100 44+Subject: [PATCH] security/89: Partially work around CVE-2021-45444 in VCS_Info 45+MIME-Version: 1.0 46+Content-Type: text/plain; charset=UTF-8 47+Content-Transfer-Encoding: 8bit 48+ 49+This patch is a partial, VCS_Info-specific work-around for CVE-2021-45444, 50+which is mitigated in the shell itself in 5.8.1 and later versions. It is 51+offered for users who are concerned about an exploit but are unable to update 52+their binaries to receive the complete fix. 53+ 54+The patch works around the vulnerability by pre-escaping values substituted 55+into format strings in VCS_Info. Please note that this may break some user 56+configurations that rely on those values being un-escaped (which is why it was 57+not included directly in 5.8.1). It may be possible to limit this breakage by 58+adjusting exactly which ones are pre-escaped, but of course this may leave 59+them vulnerable again. 60+ 61+If applying the patch to the file system is inconvenient or not possible, the 62+following script can be used to idempotently patch the relevant function 63+running in memory (and thus must be re-run when the shell is restarted): 64+ 65+ 66+# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version) 67+autoload -Uz is-at-least 68+if is-at-least 5.8.1 || ! is-at-least 5.0.3; then 69+ return 70+fi 71+ 72+# Quote necessary $hook_com[<field>] items just before they are used 73+# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats 74+# function, where <field> is: 75+# 76+# base: the full path of the repository's root directory. 77+# base-name: the name of the repository's root directory. 78+# branch: the name of the currently checked out branch. 79+# revision: an identifier of the currently checked out revision. 80+# subdir: the path of the current directory relative to the 81+# repository's root directory. 82+# misc: a string that may contain anything the vcs_info backend wants. 83+# 84+# This patch %-quotes these fields previous to their use in vcs_info hooks and 85+# the zformat call and, eventually, when they get expanded in the prompt. 86+# It's important to quote these here, and not later after hooks have modified the 87+# fields, because then we could be quoting % characters from valid prompt sequences, 88+# like %F{color}, %B, etc. 89+# 90+# 32 │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})" 91+# 33 │ hook_com[subdir_orig]="${hook_com[subdir]}" 92+# 34 │ 93+# 35 + │ for tmp in base base-name branch misc revision subdir; do 94+# 36 + │ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}" 95+# 37 + │ done 96+# 38 + │ 97+# 39 │ VCS_INFO_hook 'post-backend' 98+# 99+# This is especially important so that no command substitution is performed 100+# due to malicious input as a consequence of CVE-2021-45444, which affects 101+# zsh versions from 5.0.3 to 5.8. 102+# 103+autoload -Uz +X regexp-replace VCS_INFO_formats 104+ 105+# We use $tmp here because it's already a local variable in VCS_INFO_formats 106+typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"' 107+# Unique string to avoid reapplying the patch if this code gets called twice 108+typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b 109+# Only patch the VCS_INFO_formats function if not already patched 110+if [[ "$functions[VCS_INFO_formats]" != *$PATCH_ID* ]]; then 111+ regexp-replace 'functions[VCS_INFO_formats]' \ 112+ "VCS_INFO_hook 'post-backend'" \ 113+ ': ${PATCH_ID}; ${PATCH}; ${MATCH}' 114+fi 115+unset PATCH PATCH_ID 116+ 117+ 118+--- 119+ Functions/VCS_Info/VCS_INFO_formats | 4 ++++ 120+ 1 file changed, 4 insertions(+) 121+ 122+diff --git a/Functions/VCS_Info/VCS_INFO_formats b/Functions/VCS_Info/VCS_INFO_formats 123+index e0e1dc738..4d88e28b6 100644 124+--- a/Functions/VCS_Info/VCS_INFO_formats 125++++ b/Functions/VCS_Info/VCS_INFO_formats 126+@@ -32,6 +32,10 @@ hook_com[base-name_orig]="${hook_com[base_name]}" 127+ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})" 128+ hook_com[subdir_orig]="${hook_com[subdir]}" 129+ 130++for tmp in base base-name branch misc revision subdir; do 131++ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}" 132++done 133++ 134+ VCS_INFO_hook 'post-backend' 135+ 136+ ## description (for backend authors): 137+-- 138+2.34.1 139-- 1402.34.1 141