Zsh Mailing List Archive
Re: CVE-2021-45444 really fixed in 5.8.1?
❦ 12 March 2022 16:45 -06, dana:
>> Is CVE-2021-45444 really fixed in 5.8.1?
>>
>> ...
>>
>> %1 was interpreted while it shouldn't have been?
>>
>> The provided workaround for older versions works fine.
>
> The issue that was fixed in 5.8.1 is that PROMPT_SUBST evaluation was being
> performed in the arguments to e.g. %F. This is not specifically related to
> VCS_Info, but it was the most likely place it could cause trouble. e.g.
> checking out a git branch name containing %F{...} could have resulted in
> arbitrary code execution given a typical VCS_Info configuration. It was
> fixed by simply not performing PROMPT_SUBST evaluation in that context any
> more.
You mean, it was possible to do "%F{$(echo hello)}"?
Thanks for the remaining explanation!
--
All generalizations are false, including this one.
-- Mark Twain
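
The following is an added example, not part of the thread or of zsh itself: a defender's check built from dana's explanation, which flags ref names carrying a prompt escape whose brace argument contains substitution syntax and tests whether a zsh version is at least 5.8.1, the release the thread names as carrying the fix. The function names and the matching heuristic are assumptions, and the sample ref names are constructed, apart from the string quoted in the reply above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not zsh or git APIs.

# version_ge A B: succeed when dotted version A >= B.
# Non-numeric suffixes in a field ("2-test") are ignored.
version_ge() {
    va=$1. vb=$2.
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*}; x=${x%%[!0-9]*}; x=${x:-0}
        y=${vb%%.*}; y=${y%%[!0-9]*}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        va=${va#*.}; vb=${vb#*.}
    done
    return 0
}

# suspicious_ref NAME: heuristic. Succeed when NAME contains a "%" escape
# with a {...} argument that holds "$" or a backtick, i.e. text that
# PROMPT_SUBST evaluation would expand before the fix described above.
suspicious_ref() {
    case $1 in
        *%*\{*\$*\}* | *%*\{*\`*\}*) return 0 ;;
    esac
    return 1
}

# audit_refs: read ref names on stdin, print only the suspicious ones.
# Real use: git for-each-ref --format='%(refname:short)' | audit_refs
audit_refs() {
    while IFS= read -r ref; do
        if suspicious_ref "$ref"; then printf '%s\n' "$ref"; fi
    done
}

# Constructed sample ref names; the third is the string from the thread.
printf '%s\n' 'main' 'feature/100%-coverage' '%F{$(echo hello)}' \
    'fix/%F{red}' | audit_refs

# Constructed sample version; replace with the output of: zsh --version
v=5.8
if version_ge "$v" 5.8.1; then
    echo "zsh $v: at or after 5.8.1"
else
    echo "zsh $v: older than 5.8.1, review flagged refs before checkout"
fi
```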