Opened 5 months ago

Closed 5 months ago

#16096 closed enhancement (fixed)


Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: elevated Milestone: 11.1
Component: BOOK Version: git
Severity: normal Keywords:


New point version.

Change History (4)

comment:1 by Bruce Dubbs, 5 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Bruce Dubbs, 5 months ago

  • Src/input.c: add 'static' to shinsavestack
  • Src/init.c, Src/input.c: Replace stdio for buffered shell input to avoid memory management interacting with signal handlers.
  • Src/Zle/zle_keymap.c, Test/X03zlebindkey.ztst: fix segfault by 'bindkey -d' with reordered keymapnamtab
  • Jun-ichi Takimoto: 47560:, aczsh.m4: add necessary includes or prototypes for the tests in configure (fix errors in macOS 11)
  • unposted: Completion/Unix/Command/_git: Fix copy/paste error in earlier commit that broke git stash drop
  • Marc Cornellà: security/82 (tweaked): Functions/VCS_Info/VCS_INFO_formats: Fix typo in hook_com[base-name_orig] assignment
  • CVE-2021-45444: NEWS, README: Document preceding two changes
  • Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which can optionally be used to work around recursive PROMPT_SUBST issue in VCS_Info
  • security/41: Src/prompt.c: Prevent recursive PROMPT_SUBST

comment:3 by Douglas R. Reno, 5 months ago

Priority: normal → elevated

    CVE-2021-45444: Some prompt expansion sequences, such as %F, support 'arguments' which are themselves expanded in case they contain colour values, etc. This additional expansion would trigger PROMPT_SUBST evaluation, if enabled. This could be abused to execute code the user didn't expect. e.g., given a certain prompt configuration, an attacker could trick a user into executing arbitrary code by having them check out a Git branch with a specially crafted name.

    This is fixed in the shell itself by no longer performing PROMPT_SUBST evaluation on these prompt-expansion arguments.

    Users who are concerned about an exploit but unable to update their binaries may apply the partial work-around described in the file Etc/CVE-2021-45444-VCS_Info-workaround.patch included with the shell source. [ Reported by RyotaK. Additional thanks to Marc Cornellà. ]
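A defensive triage sketch for the advisory quoted above, added here as an example and not taken from the ticket, zsh or BLFS: it classifies a host by zsh version and by whether its startup files enable PROMPT_SUBST, alone or together with vcs_info. The function names, verdict words and sample file are constructed, and 5.8.1 as the first fixed release is an assumption based on the "Update to zsh-5.8.1" entry on this ticket.

```shell
#!/bin/sh
# Added example (not zsh or BLFS code). Assumption: 5.8.1 is the first fixed
# release, taken from the "Update to zsh-5.8.1" entry on this ticket.
FIXED_VERSION=5.8.1

# version_lt A B: succeed when dotted version A is strictly older than B.
version_lt() {
    _a=${1%%-*} _b=${2%%-*}            # drop suffixes such as "-dev"
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*} _y=${_b%%.*}
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 1
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 1
}

# Read startup-file text on stdin; succeed if it switches PROMPT_SUBST on.
# zsh ignores case and underscores in option names, so normalise both first.
# Static text match only: it does not track a later unsetopt.
rc_enables_prompt_subst() {
    sed 's/#.*//' | tr 'A-Z' 'a-z' | tr -d '_' | grep -Eq \
        '(^|[;[:space:]])(setopt|set[[:space:]]+-o)[[:space:]]+([^;]*[[:space:]])?promptsubst([;[:space:]]|$)'
}

# assess VERSION: startup-file text on stdin, one-word verdict on stdout.
assess() {
    _rc=$(cat)
    if ! version_lt "$1" "$FIXED_VERSION"; then echo fixed
    elif ! printf '%s\n' "$_rc" | rc_enables_prompt_subst; then echo unpatched
    elif printf '%s\n' "$_rc" | sed 's/#.*//' | grep -q vcs_info; then
        echo exposed-vcs_info   # the setup the VCS_Info workaround patch targets
    else echo exposed
    fi
}

# Constructed sample startup file, not taken from any real system.
sample_zshrc() {
cat <<'EOF'
autoload -Uz vcs_info
precmd() { vcs_info }
setopt AUTO_CD Prompt_Subst
PROMPT='${vcs_info_msg_0_}%# '
EOF
}

sample_zshrc | assess 5.8
```

On a real host, pass the value of `$ZSH_VERSION` as the argument and pipe in the user's zsh startup files instead of the sample.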

comment:4 by Bruce Dubbs, 5 months ago

Resolution: fixed
Status: assigned → closed

Fixed at commit 3e6ac08f9e0d2b2601a2f917b37467df82425e86

Package updates.
    Update to hexchat-2.16.1.
    Update to harfbuzz-3.4.0.
    Update to zsh-5.8.1.