Bug 833252 (CVE-2021-45444) - <app-shells/zsh-5.8.1: Prompt expansion vulnerability
Summary: <app-shells/zsh-5.8.1: Prompt expansion vulnerability
Status: IN_PROGRESS
Alias: CVE-2021-45444
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.zsh.org/mla/announce/msg0...
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 833417
Blocks:
Reported: 2022-02-12 23:48 UTC by Sam James
Modified: 2023-03-11 04:29 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 23:48:47 UTC
From the release announcement:
>This is a stable security release with a few bug fixes, including one
>for CVE-2021-45444, a vulnerability in prompt expansion which could be
>exploited through e.g. VCS_Info to execute arbitrary shell commands
>without a user's knowledge. All sites are encouraged to update from
>zsh 5.8. A partial work-around which can be applied within a running
>shell is provided in the source distribution for those who are unable
>to update their shell binaries.

Please remember to file security bugs if you see a CVE or a security issue in release notes, changelog, etc.

Please file a stabilisation bug and have it block this one when ready.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-17 22:46:43 UTC
Please clean up.
Comment 2 Larry the Git Cow gentoo-dev 2022-02-18 13:43:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61e46f37256b4148e607ce314859a526aba51ad6

commit 61e46f37256b4148e607ce314859a526aba51ad6
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2022-02-18 13:42:55 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2022-02-18 13:43:14 +0000

    app-shells/zsh: Security cleanup
    
    Bug: https://bugs.gentoo.org/833252
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-shells/zsh/Manifest                            |   2 -
 .../zsh/files/zsh-5.7.1-ncurses_colors.patch       |  37 ----
 app-shells/zsh/zsh-5.8.ebuild                      | 221 ---------------------
 3 files changed, 260 deletions(-)
Comment 3 Federico Justus Denkena 2022-06-14 18:18:02 UTC
No glsa issued in a few months, only clean versions remain in tree. Suggest to close this as resolved.
Comment 4 Larry the Git Cow gentoo-dev 2022-11-26 21:26:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ad14bbfc4f7c829df10ab89d1b8712c00dab896

commit 4ad14bbfc4f7c829df10ab89d1b8712c00dab896
Author:     Piotr Karbowski <slashbeast@gentoo.org>
AuthorDate: 2022-11-26 21:26:09 +0000
Commit:     Piotr Karbowski <slashbeast@gentoo.org>
CommitDate: 2022-11-26 21:26:45 +0000

    app-shells/zsh: drop old.
    
    Bug: https://bugs.gentoo.org/833252
    Signed-off-by: Piotr Karbowski <slashbeast@gentoo.org>

 app-shells/zsh/Manifest                            |   2 -
 ....8.1-non_interactive_shell_regression_fix.patch |  76 -------
 .../zsh-5.8.1-performance_regression_fix.patch     | 139 ------------
 app-shells/zsh/zsh-5.8.1-r2.ebuild                 | 222 --------------------
 app-shells/zsh/zsh-5.9.ebuild                      | 233 ---------------------
 5 files changed, 672 deletions(-)
Comment 5 Piotr Karbowski (RETIRED) gentoo-dev 2023-02-13 19:15:06 UTC
Is there anything you'd like the maintainer to do regarding this bug?
Comment 6 Piotr Karbowski (RETIRED) gentoo-dev 2023-03-04 12:34:58 UTC
Security team, ping.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-03-11 04:29:20 UTC
(In reply to Piotr Karbowski from comment #6)
> Security team, ping.

Security team would like to glsa