From 09a721281a74e381927ef1e40d4d761b1bf0b925 Mon Sep 17 00:00:00 2001 From: jlwwlsqc Date: Tue, 1 Mar 2022 17:16:52 +0800 Subject: [PATCH] fix CVE-2021-45444 --- backport-C02cond-Simplify-N-cond-test.patch | 70 +++++++++++++++ backport-CVE-2021-45444-1.patch | 42 +++++++++ backport-CVE-2021-45444-2.patch | 98 +++++++++++++++++++++ zsh.spec | 11 ++- 4 files changed, 220 insertions(+), 1 deletion(-) create mode 100644 backport-C02cond-Simplify-N-cond-test.patch create mode 100644 backport-CVE-2021-45444-1.patch create mode 100644 backport-CVE-2021-45444-2.patch diff --git a/backport-C02cond-Simplify-N-cond-test.patch b/backport-C02cond-Simplify-N-cond-test.patch new file mode 100644 index 0000000..d8c2407 --- /dev/null +++ b/backport-C02cond-Simplify-N-cond-test.patch @@ -0,0 +1,70 @@ +From 80ddc46e54f6116235e68d3fc039ef775e72d1c5 Mon Sep 17 00:00:00 2001 +From: dana +Date: Wed, 11 Mar 2020 21:17:12 -0500 +Subject: [PATCH] 45470: C02cond: Simplify '-N cond' test + +This fixes an (intermittent?) issue with the test on macOS+APFS, and hopefully +makes it simpler and faster in general +--- + Test/C02cond.ztst | 36 ++++++++++++------------------------ + 1 files changed, 12 insertions(+), 24 deletions(-) + +diff --git a/Test/C02cond.ztst b/Test/C02cond.ztst +index 4b1ec02..5b105b2 100644 +--- a/Test/C02cond.ztst ++++ b/Test/C02cond.ztst +@@ -146,39 +146,27 @@ + + # can't be bothered with -S + +- if [[ ${mtab::="$({mount || /sbin/mount || /usr/sbin/mount} 2>/dev/null)"} = *[(]?*[)] ]]; then +- print -u $ZTST_fd 'This test takes two seconds...' +- else +- unmodified_ls="$(ls -lu $unmodified)" +- print -u $ZTST_fd 'This test takes up to 60 seconds...' +- fi +- sleep 2 ++ print -ru $ZTST_fd 'This test may take two seconds...' + touch $newnewnew + if [[ $OSTYPE == "cygwin" ]]; then + ZTST_skip="[[ -N file ]] not supported on Cygwin" + elif (( isnfs )); then + ZTST_skip="[[ -N file ]] not supported with NFS" +- elif { (( ! $+unmodified_ls )) && +- cat $unmodified && +- { df -k -- ${$(print -r -- "$mtab" | +- awk '/noatime/ {print $1,$3}'):-""} | tr -s ' ' | +- fgrep -- "$(df -k . | tail -1 | tr -s ' ')" } >&/dev/null } || +- { (( $+unmodified_ls )) && SECONDS=0 && +- ! until (( SECONDS >= 58 )); do +- ZTST_hashmark; sleep 2; cat $unmodified +- [[ $unmodified_ls != "$(ls -lu $unmodified)" ]] && break +- done }; then +- ZTST_skip="[[ -N file ]] not supported with noatime file system" ++ elif ! zmodload -F zsh/stat b:zstat 2> /dev/null; then ++ ZTST_skip='[[ -N file ]] not tested; zsh/stat not available' ++ elif ! { sleep 2; touch -a $unmodified 2> /dev/null }; then ++ ZTST_skip='[[ -N file ]] not tested; touch failed' ++ elif [[ "$(zstat +atime $unmodified)" == "$(zstat +mtime $unmodified)" ]]; then ++ ZTST_skip='[[ -N file ]] not supported on this file system' + else + [[ -N $newnewnew && ! -N $unmodified ]] + fi + 0:-N cond +-F:This test can fail on NFS-mounted filesystems as the access and +-F:modification times are not updated separately. The test will fail +-F:on HFS+ (Apple Mac OS X default) filesystems because access times +-F:are not recorded. Also, Linux ext3 filesystems may be mounted +-F:with the noatime option which does not update access times. +-F:Failures in these cases do not indicate a problem in the shell. ++F:This test relies on the file system supporting atime updates. It ++F:should automatically detect whether this is the case, and skip ++F:without failing if it isn't, but it's possible that some ++F:configurations may elude this detection. Please report this ++F:scenario if you encounter it. + + [[ $newnewnew -nt $zlnfs && ! ($unmodified -nt $zlnfs) ]] + 0:-nt cond +-- +1.8.3.1 + diff --git a/backport-CVE-2021-45444-1.patch b/backport-CVE-2021-45444-1.patch new file mode 100644 index 0000000..c43f858 --- /dev/null +++ b/backport-CVE-2021-45444-1.patch @@ -0,0 +1,42 @@ +From c187154f47697cdbf822c2f9d714d570ed4a0fd1 Mon Sep 17 00:00:00 2001 +From: Oliver Kiddle +Date: Wed, 15 Dec 2021 01:56:40 +0100 +Subject: [PATCH] security/41: Don't perform PROMPT_SUBST evaluation on %F/%K + arguments + +Mitigates CVE-2021-45444 +--- + Src/prompt.c | 10 ++++++++++ + 1 files changed, 10 insertions(+) + +diff --git a/Src/prompt.c b/Src/prompt.c +index b65bfb8..91e21c8 100644 +--- a/Src/prompt.c ++++ b/Src/prompt.c +@@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg) + bv->fm += 2; /* skip over F{ */ + if ((ep = strchr(bv->fm, '}'))) { + char oc = *ep, *col, *coll; ++ int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG]; ++ int opp = opts[PROMPTPERCENT]; ++ ++ opts[PROMPTPERCENT] = 1; ++ opts[PROMPTSUBST] = opts[PROMPTBANG] = 0; ++ + *ep = '\0'; + /* expand the contents of the argument so you can use + * %v for example */ +@@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg) + arg = match_colour((const char **)&coll, is_fg, 0); + free(col); + bv->fm = ep; ++ ++ opts[PROMPTSUBST] = ops; ++ opts[PROMPTBANG] = opb; ++ opts[PROMPTPERCENT] = opp; + } else { + arg = match_colour((const char **)&bv->fm, is_fg, 0); + if (*bv->fm != '}') +-- +1.8.3.1 + diff --git a/backport-CVE-2021-45444-2.patch b/backport-CVE-2021-45444-2.patch new file mode 100644 index 0000000..13e54be --- /dev/null +++ b/backport-CVE-2021-45444-2.patch @@ -0,0 +1,98 @@ +From 972887bbe5eb6a00e5f0e73781d6d73bfdcafb93 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc=20Cornell=C3=A0?= +Date: Mon, 24 Jan 2022 09:43:28 +0100 +Subject: [PATCH] security/89: Partially work around CVE-2021-45444 in VCS_Info +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch is a partial, VCS_Info-specific work-around for CVE-2021-45444, +which is mitigated in the shell itself in 5.8.1 and later versions. It is +offered for users who are concerned about an exploit but are unable to update +their binaries to receive the complete fix. + +The patch works around the vulnerability by pre-escaping values substituted +into format strings in VCS_Info. Please note that this may break some user +configurations that rely on those values being un-escaped (which is why it was +not included directly in 5.8.1). It may be possible to limit this breakage by +adjusting exactly which ones are pre-escaped, but of course this may leave +them vulnerable again. + +If applying the patch to the file system is inconvenient or not possible, the +following script can be used to idempotently patch the relevant function +running in memory (and thus must be re-run when the shell is restarted): + + +# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version) +autoload -Uz is-at-least +if is-at-least 5.8.1 || ! is-at-least 5.0.3; then + return +fi + +# Quote necessary $hook_com[] items just before they are used +# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats +# function, where is: +# +# base: the full path of the repository's root directory. +# base-name: the name of the repository's root directory. +# branch: the name of the currently checked out branch. +# revision: an identifier of the currently checked out revision. +# subdir: the path of the current directory relative to the +# repository's root directory. +# misc: a string that may contain anything the vcs_info backend wants. +# +# This patch %-quotes these fields previous to their use in vcs_info hooks and +# the zformat call and, eventually, when they get expanded in the prompt. +# It's important to quote these here, and not later after hooks have modified the +# fields, because then we could be quoting % characters from valid prompt sequences, +# like %F{color}, %B, etc. +# +# 32 │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})" +# 33 │ hook_com[subdir_orig]="${hook_com[subdir]}" +# 34 │ +# 35 + │ for tmp in base base-name branch misc revision subdir; do +# 36 + │ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}" +# 37 + │ done +# 38 + │ +# 39 │ VCS_INFO_hook 'post-backend' +# +# This is especially important so that no command substitution is performed +# due to malicious input as a consequence of CVE-2021-45444, which affects +# zsh versions from 5.0.3 to 5.8. +# +autoload -Uz +X regexp-replace VCS_INFO_formats + +# We use $tmp here because it's already a local variable in VCS_INFO_formats +typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"' +# Unique string to avoid reapplying the patch if this code gets called twice +typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b +# Only patch the VCS_INFO_formats function if not already patched +if [[ "$functions[VCS_INFO_formats]" != *$PATCH_ID* ]]; then + regexp-replace 'functions[VCS_INFO_formats]' \ + "VCS_INFO_hook 'post-backend'" \ + ': ${PATCH_ID}; ${PATCH}; ${MATCH}' +fi +unset PATCH PATCH_ID + + +--- + Functions/VCS_Info/VCS_INFO_formats | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/Functions/VCS_Info/VCS_INFO_formats b/Functions/VCS_Info/VCS_INFO_formats +index e0e1dc738..4d88e28b6 100644 +--- a/Functions/VCS_Info/VCS_INFO_formats ++++ b/Functions/VCS_Info/VCS_INFO_formats +@@ -32,6 +32,10 @@ hook_com[base-name_orig]="${hook_com[base_name]}" + hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})" + hook_com[subdir_orig]="${hook_com[subdir]}" + ++for tmp in base base-name branch misc revision subdir; do ++ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}" ++done ++ + VCS_INFO_hook 'post-backend' + + ## description (for backend authors): +-- +2.34.1 diff --git a/zsh.spec b/zsh.spec index 259e655..16333fb 100644 --- a/zsh.spec +++ b/zsh.spec @@ -2,7 +2,7 @@ Name: zsh Version: 5.7.1 -Release: 5 +Release: 6 Summary: A shell designed for interactive use License: MIT URL: http://zsh.sourceforge.net @@ -28,6 +28,9 @@ Provides: /bin/zsh Patch0000: 0225-44345-fix-wordcode-traversal-where-without-a-followi.patch Patch0001: CVE-2019-20044.patch +Patch0002: backport-CVE-2021-45444-1.patch +Patch0003: backport-CVE-2021-45444-2.patch +Patch0004: backport-C02cond-Simplify-N-cond-test.patch %description The zsh is a shell designed for interactive use, and it is also a powerful scripting language. Many of @@ -131,6 +134,12 @@ fi %{_infodir}/* %changelog +* Tue Mar 1 2022 wangjie - 5.7.1-6 +- Type: CVE +- ID: CVE-2021-45444 +- SUG: NA +- DESC: fix CVE-2021-45444 + * Wed Jun 24 2020 xuping - 5.7.1-5 - Type:cves - ID:CVE-2019-20044