From the release announcement:

> This is a stable security release with a few bug fixes, including one
> for CVE-2021-45444, a vulnerability in prompt expansion which could be
> exploited through e.g. VCS_Info to execute arbitrary shell commands
> without a user's knowledge. All sites are encouraged to update from
> zsh 5.8. A partial work-around which can be applied within a running
> shell is provided in the source distribution for those who are unable
> to update their shell binaries.

Please remember to file security bugs if you see a CVE or a security issue in release notes, changelog, etc. Please file a stabilisation bug and have it block this one when ready.
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61e46f37256b4148e607ce314859a526aba51ad6

commit 61e46f37256b4148e607ce314859a526aba51ad6
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2022-02-18 13:42:55 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2022-02-18 13:43:14 +0000

    app-shells/zsh: Security cleanup

    Bug: https://bugs.gentoo.org/833252
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-shells/zsh/Manifest                      |   2 -
 .../zsh/files/zsh-5.7.1-ncurses_colors.patch |  37 ----
 app-shells/zsh/zsh-5.8.ebuild                | 221 ---------------------
 3 files changed, 260 deletions(-)
No glsa issued in a few months, only clean versions remain in tree. Suggest to close this as resolved.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ad14bbfc4f7c829df10ab89d1b8712c00dab896

commit 4ad14bbfc4f7c829df10ab89d1b8712c00dab896
Author:     Piotr Karbowski <slashbeast@gentoo.org>
AuthorDate: 2022-11-26 21:26:09 +0000
Commit:     Piotr Karbowski <slashbeast@gentoo.org>
CommitDate: 2022-11-26 21:26:45 +0000

    app-shells/zsh: drop old.

    Bug: https://bugs.gentoo.org/833252
    Signed-off-by: Piotr Karbowski <slashbeast@gentoo.org>

 app-shells/zsh/Manifest                             |   2 -
 ....8.1-non_interactive_shell_regression_fix.patch  |  76 -------
 .../zsh-5.8.1-performance_regression_fix.patch      | 139 ------------
 app-shells/zsh/zsh-5.8.1-r2.ebuild                  | 222 --------------------
 app-shells/zsh/zsh-5.9.ebuild                       | 233 ---------------------
 5 files changed, 672 deletions(-)
Is there anything you'd like the maintainer to do regarding this bug?
Security team, ping.
(In reply to Piotr Karbowski from comment #6)
> Security team, ping.

Security team would like to glsa
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=686a7882903d1121c5ab3393b302ec953ecee99a

commit 686a7882903d1121c5ab3393b302ec953ecee99a
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-01 05:51:00 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-07-01 06:06:34 +0000

    [ GLSA 202407-01 ] Zsh: Prompt Expansion Vulnerability

    Bug: https://bugs.gentoo.org/833252
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202407-01.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)