Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: CVE-2021-45444 really fixed in 5.8.1?
On Sat 12 Mar 2022, at 08:39, Vincent Bernat wrote:
> Is CVE-2021-45444 really fixed in 5.8.1?
>
> ...
>
> %1 was interpreted while it shouldn't have been?
>
> The provided workaround for older versions works fine.

The issue that was fixed in 5.8.1 is that PROMPT_SUBST evaluation was being
performed in the arguments to e.g. %F. This is not specifically related to
VCS_Info, but it was the most likely place it could cause trouble. e.g.
checking out a git branch name containing %F{...} could have resulted in
arbitrary code execution given a typical VCS_Info configuration. It was
fixed by simply not performing PROMPT_SUBST evaluation in that context any
more.

The issue you're describing is another one which is specific to VCS_Info:
that format sequences are interpreted in e.g. branch names. This was already
a publicly known issue (see workers/42165). Everyone seems to agree that
it's problematic, but we decided to delay shipping a true fix for it
because (with the PROMPT_SUBST patch in place) we couldn't identify an
actual vulnerability beyond just the displayed values not matching their
literal ones, and changing the way it works will break some VCS_Info
configurations.

The work-around we provided for users who can't upgrade is one possible fix
that we considered. It happens to avoid the PROMPT_SUBST evaluation issue,
in VCS_Info only, by not allowing %F to be interpreted in those values at
all. It can also be used (with a slight modification to the script that
applies it) by 5.8.1 users who are worried about those sequences being
interpreted. But, as mentioned, it'll break some existing configurations.

There was discussion of finalising this fix for 5.9 but I'm not sure if
that'll happen or not.

dana
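The second issue dana describes (format sequences such as %F{...} in a branch name being interpreted by VCS_Info) can be neutralised from a user's own configuration. The following is an added example and is not the zsh project's workaround script nor anything posted in this thread: it registers a vcs_info set-message hook that doubles every '%' in the values vcs_info is about to substitute, so a branch named feature/%F{red}evil%f is displayed literally. The hook name +vi-escape-percent, the list of hook_com keys it touches and the sample prompt styles are this example's own choices; the set-message hook point, the hook_com array and the hooks zstyle are the documented vcs_info mechanism.

```zsh
# Added example (not zsh's own workaround): escape prompt format sequences
# in VCS-supplied values before vcs_info splices them into the prompt.
autoload -Uz vcs_info add-zsh-hook

# vcs_info runs functions named +vi-<hook> listed in the 'hooks' zstyle;
# 'set-message' fires just before the formats are applied, with the values
# to be substituted held in the associative array hook_com.
function +vi-escape-percent() {
  local key
  # Keys chosen for this example; all of them end up in the prompt string.
  for key in branch base base-name misc action staged unstaged revision subdir; do
    [[ -n ${hook_com[$key]} ]] || continue
    # In a prompt, %% renders as a literal %, so %F{...} can no longer be
    # interpreted once every % is doubled.
    hook_com[$key]=${hook_com[$key]//\%/%%}
  done
}

# List this hook first: later hooks may still add intentional colour
# sequences, which this hook would otherwise escape as well.
zstyle ':vcs_info:*+set-message:*' hooks escape-percent
zstyle ':vcs_info:*' formats       '%F{green}%b%f'
zstyle ':vcs_info:*' actionformats '%F{green}%b%f|%F{red}%a%f'

precmd_vcs_info() { vcs_info }
add-zsh-hook precmd precmd_vcs_info
setopt PROMPT_SUBST
PROMPT='${vcs_info_msg_0_} %# '

# Stand-alone check outside any repository, using a constructed branch name
# that carries a format sequence.
typeset -A hook_com
hook_com=( branch 'feature/%F{red}evil%f' )
+vi-escape-percent
print -r -- "escaped:  ${hook_com[branch]}"   # feature/%%F{red}evil%%f
print -P -- "rendered: ${hook_com[branch]}"   # feature/%F{red}evil%f, shown literally
```

As dana notes, escaping in this way breaks configurations that rely on format sequences arriving through hook_com (for example a hook that colours the branch name by writing %F{...} into hook_com[branch]); such hooks have to be listed after this one, and anything they add is then trusted unescaped.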
