Bug 833252 (CVE-2021-45444) - <app-shells/zsh-5.8.1: Prompt expansion vulnerability
Summary: <app-shells/zsh-5.8.1: Prompt expansion vulnerability
Alias: CVE-2021-45444
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa+]
Depends on: 833417
Reported: 2022-02-12 23:48 UTC by Sam James
Modified: 2024-07-01 06:13 UTC
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 23:48:47 UTC
From the release announcement:
>This is a stable security release with a few bug fixes, including one
>for CVE-2021-45444, a vulnerability in prompt expansion which could be
>exploited through e.g. VCS_Info to execute arbitrary shell commands
>without a user's knowledge. All sites are encouraged to update from
>zsh 5.8. A partial work-around which can be applied within a running
>shell is provided in the source distribution for those who are unable
>to update their shell binaries.

Please remember to file security bugs if you see a CVE or a security issue in release notes, changelog, etc.

Please file a stabilisation bug and have it block this one when ready.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-17 22:46:43 UTC
Please cleanup.
Comment 2 Larry the Git Cow gentoo-dev 2022-02-18 13:43:21 UTC
The bug has been referenced in the following commit(s):

commit 61e46f37256b4148e607ce314859a526aba51ad6
Author:     Lars Wendler <>
AuthorDate: 2022-02-18 13:42:55 +0000
Commit:     Lars Wendler <>
CommitDate: 2022-02-18 13:43:14 +0000

    app-shells/zsh: Security cleanup
    Signed-off-by: Lars Wendler <>

 app-shells/zsh/Manifest                            |   2 -
 .../zsh/files/zsh-5.7.1-ncurses_colors.patch       |  37 ----
 app-shells/zsh/zsh-5.8.ebuild                      | 221 ---------------------
 3 files changed, 260 deletions(-)
Comment 3 Federico Justus Denkena 2022-06-14 18:18:02 UTC
No glsa issued in a few months, only clean versions remain in tree. Suggest to close this as resolved.
Comment 4 Larry the Git Cow gentoo-dev 2022-11-26 21:26:48 UTC
The bug has been referenced in the following commit(s):

commit 4ad14bbfc4f7c829df10ab89d1b8712c00dab896
Author:     Piotr Karbowski <>
AuthorDate: 2022-11-26 21:26:09 +0000
Commit:     Piotr Karbowski <>
CommitDate: 2022-11-26 21:26:45 +0000

    app-shells/zsh: drop old.
    Signed-off-by: Piotr Karbowski <>

 app-shells/zsh/Manifest                            |   2 -
 ....8.1-non_interactive_shell_regression_fix.patch |  76 -------
 .../zsh-5.8.1-performance_regression_fix.patch     | 139 ------------
 app-shells/zsh/zsh-5.8.1-r2.ebuild                 | 222 --------------------
 app-shells/zsh/zsh-5.9.ebuild                      | 233 ---------------------
 5 files changed, 672 deletions(-)
Comment 5 Piotr Karbowski (RETIRED) gentoo-dev 2023-02-13 19:15:06 UTC
Is there anything you'd like maintainer to do regarding this bug?
Comment 6 Piotr Karbowski (RETIRED) gentoo-dev 2023-03-04 12:34:58 UTC
Security team, ping.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-03-11 04:29:20 UTC
(In reply to Piotr Karbowski from comment #6)
> Security team, ping.

Security team would like to glsa
Comment 8 Larry the Git Cow gentoo-dev 2024-07-01 06:10:15 UTC
The bug has been referenced in the following commit(s):

commit 686a7882903d1121c5ab3393b302ec953ecee99a
Author:     GLSAMaker <>
AuthorDate: 2024-07-01 05:51:00 +0000
Commit:     John Helmert III <>
CommitDate: 2024-07-01 06:06:34 +0000

    [ GLSA 202407-01 ] Zsh: Prompt Expansion Vulnerability
    Signed-off-by: GLSAMaker <>
    Signed-off-by: John Helmert III <>

 glsa-202407-01.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)