zsh-5.8.1

[Bruce Dubbs]

New point version.

[Bruce Dubbs]

• Src/input.c: add 'static' to shinsavestack

• Src/init.c, Src/input.c: Replace stdio for buffered shell input to avoid memory management interacting with signal handlers.

• Src/Zle/zle_keymap.c, Test/X03zlebindkey.ztst: fix segfault by 'bindkey -d' with reordered keymapnamtab

• Jun-ichi Takimoto: 47560: configure.ac, aczsh.m4: add necessary includes or prototypes for the tests in configure (fix errors in macOS 11)

• unposted: Completion/Unix/Command/_git: Fix copy/paste error in earlier commit that broke git stash drop

• Marc Cornellà: security/82 (tweaked): Functions/VCS_Info/VCS_INFO_formats: Fix typo in hook_com[base-name_orig] assignment

• CVE-2021-45444: NEWS, README: Document preceding two changes

• Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which can optionally be used to work around recursive PROMPT_SUBST issue in VCS_Info

• security/41: Src/prompt.c: Prevent recursive PROMPT_SUBST

[Douglas R. Reno]

    CVE-2021-45444: Some prompt expansion sequences, such as %F, support 'arguments' which are themselves expanded in case they contain colour values, etc. This additional expansion would trigger PROMPT_SUBST evaluation, if enabled. This could be abused to execute code the user didn't expect. e.g., given a certain prompt configuration, an attacker could trick a user into executing arbitrary code by having them check out a Git branch with a specially crafted name.

    This is fixed in the shell itself by no longer performing PROMPT_SUBST evaluation on these prompt-expansion arguments.

    Users who are concerned about an exploit but unable to update their binaries may apply the partial work-around described in the file Etc/CVE-2021-45444-VCS_Info-workaround.patch included with the shell source. [ Reported by RyotaK. Additional thanks to Marc Cornellà. ]

[Bruce Dubbs]

Fixed at commit 3e6ac08f9e0d2b2601a2f917b37467df82425e86

Package updates.
    Update to hexchat-2.16.1.
    Update to harfbuzz-3.4.0.
    Update to zsh-5.8.1.