4 files changed, 13 insertions, 290 deletions
diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch
deleted file mode 100644
index fb8fa3427..000000000
--- a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-Origin: commit c187154f47697cdbf822c2f9d714d570ed4a0fd1
-From: Oliver Kiddle <opk@zsh.org>
-Date: Wed, 15 Dec 2021 01:56:40 +0100
-Subject: [PATCH 1/9] security/41: Don't perform PROMPT_SUBST evaluation on
- %F/%K arguments
-Mitigates CVE-2021-45444
-https://salsa.debian.org/debian/zsh/-/raw/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_1.patch?inline=false
-Upstream-Status: Backport
-CVE: CVE-2021-45444
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
- ChangeLog    |  5 +++++
- Src/prompt.c | 10 ++++++++++
- 2 files changed, 15 insertions(+)
-diff --git a/ChangeLog b/ChangeLog
-index 8d7dfc169..eb248ec06 100644
--- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,8 @@
-+2022-01-27  dana  <dana@dana.is>
-+
-+       * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive
-+       PROMPT_SUBST
-+
- 2020-02-14  dana  <dana@dana.is>
- 
-        * unposted: Config/version.mk: Update for 5.8
-diff --git a/Src/prompt.c b/Src/prompt.c
-index b65bfb86b..91e21c8e9 100644
--- a/Src/prompt.c
-+++ b/Src/prompt.c
-@@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg)
-        bv->fm += 2; /* skip over F{ */
-        if ((ep = strchr(bv->fm, '}'))) {
-            char oc = *ep, *col, *coll;
-+           int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG];
-+           int opp = opts[PROMPTPERCENT];
-+
-+           opts[PROMPTPERCENT] = 1;
-+           opts[PROMPTSUBST] = opts[PROMPTBANG] = 0;
-+
-            *ep = '\0';
-            /* expand the contents of the argument so you can use
-             * %v for example */
-@@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg)
-            arg = match_colour((const char **)&coll, is_fg, 0);
-            free(col);
-            bv->fm = ep;
-+
-+           opts[PROMPTSUBST] = ops;
-+           opts[PROMPTBANG] = opb;
-+           opts[PROMPTPERCENT] = opp;
-        } else {
-            arg = match_colour((const char **)&bv->fm, is_fg, 0);
-            if (*bv->fm != '}')
-- 
-2.34.1
diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch
deleted file mode 100644
index e5b6d7cdc..000000000
--- a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-From 8a4d65ef6d0023ab9b238529410afb433553d2fa Mon Sep 17 00:00:00 2001
-From: Marc Cornellà <hello@mcornella.com>
-Date: Mon, 24 Jan 2022 09:43:28 +0100
-Subject: [PATCH 2/9] security/89: Add patch which can optionally be used to
- work around CVE-2021-45444 in VCS_Info
-Comment: Updated to use the same file name without blanks as actually
- used in the final 5.8.1 release.
-https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_2.patch
-Upstream-Status: Backport
-CVE: CVE-2021-45444
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
- ChangeLog                                    |  5 +
- Etc/CVE-2021-45444-VCS_Info-workaround.patch | 98 ++++++++++++++++++++
- 2 files changed, 103 insertions(+)
- create mode 100644 Etc/CVE-2021-45444-VCS_Info-workaround.patch
-diff --git a/ChangeLog b/ChangeLog
-index eb248ec06..9a05a09e1 100644
--- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,5 +1,10 @@
- 2022-01-27  dana  <dana@dana.is>
- 
-+       * Marc Cornellà: security/89:
-+       Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which
-+       can optionally be used to work around recursive PROMPT_SUBST
-+       issue in VCS_Info
-+
-        * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive
-        PROMPT_SUBST
- 
-diff --git a/Etc/CVE-2021-45444-VCS_Info-workaround.patch b/Etc/CVE-2021-45444-VCS_Info-workaround.patch
-new file mode 100644
-index 000000000..13e54be77
--- /dev/null
-+++ b/Etc/CVE-2021-45444-VCS_Info-workaround.patch
-@@ -0,0 +1,98 @@
-+From 972887bbe5eb6a00e5f0e73781d6d73bfdcafb93 Mon Sep 17 00:00:00 2001
-+From: =?UTF-8?q?Marc=20Cornell=C3=A0?= <hello@mcornella.com>
-+Date: Mon, 24 Jan 2022 09:43:28 +0100
-+Subject: [PATCH] security/89: Partially work around CVE-2021-45444 in VCS_Info
-+MIME-Version: 1.0
-+Content-Type: text/plain; charset=UTF-8
-+Content-Transfer-Encoding: 8bit
-+
-+This patch is a partial, VCS_Info-specific work-around for CVE-2021-45444,
-+which is mitigated in the shell itself in 5.8.1 and later versions. It is
-+offered for users who are concerned about an exploit but are unable to update
-+their binaries to receive the complete fix.
-+
-+The patch works around the vulnerability by pre-escaping values substituted
-+into format strings in VCS_Info. Please note that this may break some user
-+configurations that rely on those values being un-escaped (which is why it was
-+not included directly in 5.8.1). It may be possible to limit this breakage by
-+adjusting exactly which ones are pre-escaped, but of course this may leave
-+them vulnerable again.
-+
-+If applying the patch to the file system is inconvenient or not possible, the
-+following script can be used to idempotently patch the relevant function
-+running in memory (and thus must be re-run when the shell is restarted):
-+
-+
-+# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version)
-+autoload -Uz is-at-least
-+if is-at-least 5.8.1 || ! is-at-least 5.0.3; then
-+  return
-+fi
-+
-+# Quote necessary $hook_com[<field>] items just before they are used
-+# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats
-+# function, where <field> is:
-+#
-+#   base:       the full path of the repository's root directory.
-+#   base-name:  the name of the repository's root directory.
-+#   branch:     the name of the currently checked out branch.
-+#   revision:   an identifier of the currently checked out revision.
-+#   subdir:     the path of the current directory relative to the
-+#               repository's root directory.
-+#   misc:       a string that may contain anything the vcs_info backend wants.
-+#
-+# This patch %-quotes these fields previous to their use in vcs_info hooks and
-+# the zformat call and, eventually, when they get expanded in the prompt.
-+# It's important to quote these here, and not later after hooks have modified the
-+# fields, because then we could be quoting % characters from valid prompt sequences,
-+# like %F{color}, %B, etc.
-+#
-+#  32   │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
-+#  33   │ hook_com[subdir_orig]="${hook_com[subdir]}"
-+#  34   │
-+#  35 + │ for tmp in base base-name branch misc revision subdir; do
-+#  36 + │     hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
-+#  37 + │ done
-+#  38 + │
-+#  39   │ VCS_INFO_hook 'post-backend'
-+#
-+# This is especially important so that no command substitution is performed
-+# due to malicious input as a consequence of CVE-2021-45444, which affects
-+# zsh versions from 5.0.3 to 5.8.
-+#
-+autoload -Uz +X regexp-replace VCS_INFO_formats
-+
-+# We use $tmp here because it's already a local variable in VCS_INFO_formats
-+typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"'
-+# Unique string to avoid reapplying the patch if this code gets called twice
-+typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b
-+# Only patch the VCS_INFO_formats function if not already patched
-+if [[ "$functions[VCS_INFO_formats]" != *$PATCH_ID* ]]; then
-+  regexp-replace 'functions[VCS_INFO_formats]' \
-+    "VCS_INFO_hook 'post-backend'" \
-+    ': ${PATCH_ID}; ${PATCH}; ${MATCH}'
-+fi
-+unset PATCH PATCH_ID
-+
-+
-+---
-+ Functions/VCS_Info/VCS_INFO_formats | 4 ++++
-+ 1 file changed, 4 insertions(+)
-+
-+diff --git a/Functions/VCS_Info/VCS_INFO_formats b/Functions/VCS_Info/VCS_INFO_formats
-+index e0e1dc738..4d88e28b6 100644
-+--- a/Functions/VCS_Info/VCS_INFO_formats
-++++ b/Functions/VCS_Info/VCS_INFO_formats
-+@@ -32,6 +32,10 @@ hook_com[base-name_orig]="${hook_com[base_name]}"
-+ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
-+ hook_com[subdir_orig]="${hook_com[subdir]}"
-+ 
-++for tmp in base base-name branch misc revision subdir; do
-++    hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
-++done
-++
-+ VCS_INFO_hook 'post-backend'
-+ 
-+ ## description (for backend authors):
-+-- 
-+2.34.1
-- 
-2.34.1
diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch
deleted file mode 100644
index adfc00ae5..000000000
--- a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 4abf2fc193fc2f3e680deecbf81289a7b02e245b Mon Sep 17 00:00:00 2001
-From: dana <dana@dana.is>
-Date: Tue, 21 Dec 2021 13:13:33 -0600
-Subject: [PATCH 3/9] CVE-2021-45444: Update NEWS/README
-https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_3.patch
-Upstream-Status: Backport
-CVE: CVE-2021-45444
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
- ChangeLog |  2 ++
- NEWS      | 20 ++++++++++++++++++++
- README    |  6 ++++++
- 3 files changed, 28 insertions(+)
-diff --git a/ChangeLog b/ChangeLog
-index 9a05a09e1..93b0bc337 100644
--- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,5 +1,7 @@
- 2022-01-27  dana  <dana@dana.is>
- 
-+       * CVE-2021-45444: NEWS, README: Document preceding two changes
-+
-        * Marc Cornellà: security/89:
-        Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which
-        can optionally be used to work around recursive PROMPT_SUBST
-diff --git a/NEWS b/NEWS
-index 964e1633f..d34b3f79e 100644
--- a/NEWS
-+++ b/NEWS
-@@ -4,6 +4,26 @@ CHANGES FROM PREVIOUS VERSIONS OF ZSH
- 
- Note also the list of incompatibilities in the README file.
- 
-+Changes since 5.8
-+-----------------
-+
-+CVE-2021-45444: Some prompt expansion sequences, such as %F, support
-+'arguments' which are themselves expanded in case they contain colour
-+values, etc. This additional expansion would trigger PROMPT_SUBST
-+evaluation, if enabled. This could be abused to execute code the user
-+didn't expect. e.g., given a certain prompt configuration, an attacker
-+could trick a user into executing arbitrary code by having them check
-+out a Git branch with a specially crafted name.
-+
-+This is fixed in the shell itself by no longer performing PROMPT_SUBST
-+evaluation on these prompt-expansion arguments.
-+
-+Users who are concerned about an exploit but unable to update their
-+binaries may apply the partial work-around described in the file
-+'Etc/CVE-2021-45444 VCS_Info workaround.patch' included with the shell
-+source. [ Reported by RyotaK <security@ryotak.me>. Additional thanks to
-+Marc Cornellà <hello@mcornella.com>. ]
-+
- Changes since 5.7.1-test-3
- --------------------------
- 
-diff --git a/README b/README
-index 7f1dd5f92..c9e994ab3 100644
--- a/README
-+++ b/README
-@@ -31,6 +31,12 @@ Zsh is a shell with lots of features.  For a list of some of these, see the
- file FEATURES, and for the latest changes see NEWS.  For more
- details, see the documentation.
- 
-+Incompatibilities since 5.8
-+---------------------------
-+
-+PROMPT_SUBST expansion is no longer performed on arguments to prompt-
-+expansion sequences such as %F.
-+
- Incompatibilities since 5.7.1
- -----------------------------
- 
-- 
-2.34.1
diff --git a/meta-oe/recipes-shells/zsh/zsh_5.8.bb b/meta-oe/recipes-shells/zsh/zsh_5.9.bb
index 7602ff9f6..7940970e4 100644
--- a/meta-oe/recipes-shells/zsh/zsh_5.8.bb
+++ b/meta-oe/recipes-shells/zsh/zsh_5.9.bb
@@ -10,12 +10,8 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=1a4c4cda3e8096d2fd483ff2f4514fec"
 DEPENDS = "ncurses bison-native libcap libpcre gdbm groff-native"
-SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/5.8/${BP}.tar.xz \
+SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.xz"
-        file://CVE-2021-45444_1.patch \
+SRC_URI[sha256sum] = "9b8d1ecedd5b5e81fbf1918e876752a7dd948e05c1a0dba10ab863842d45acd5"
-        file://CVE-2021-45444_2.patch \
-        file://CVE-2021-45444_3.patch \
-        "
-SRC_URI[sha256sum] = "dcc4b54cc5565670a65581760261c163d720991f0d06486da61f8d839b52de27"
 inherit autotools-brokensep gettext update-alternatives manpages
@@ -50,13 +46,17 @@ do_configure () {
    oe_runconf
 }
+do_install:append() {
+    sed -i -e '1!b; s:^#!.*[ /]zsh:#!${bindir}/zsh:; s#/usr/local/bin#${bindir}#;' \
+        `find ${D}/usr/share/zsh/${PV}/functions -type f`
+}
 pkg_postinst:${PN} () {
    touch $D${sysconfdir}/shells
-    grep -q "bin/zsh" $D${sysconfdir}/shells || echo /bin/zsh >> $D${sysconfdir}/shells
+    for i in zsh sh
-    grep -q "bin/sh" $D${sysconfdir}/shells || echo /bin/sh >> $D${sysconfdir}/shells
+    do
+        grep -q "bin/$i" $D${sysconfdir}/shells || \
+            printf >> $D${sysconfdir}/shells \
+            "${bindir}/$i\n${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', '/bin/$i\n', '', d)}"
+    done
 }
-# work around QA failures with usrmerge installing zsh in /usr/bin/zsh instead of /bin/zsh
-# ERROR: QA Issue: /usr/share/zsh/5.8/functions/zed contained in package zsh requires /bin/zsh, but no providers found in RDEPENDS:zsh? [file-rdeps]
-# like bash does since https://git.openembedded.org/openembedded-core/commit/?id=4759408677a4e60c5fa7131afcb5bc184cf2f90a
-RPROVIDES:${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', '/bin/zsh', '', d)}"

diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch deleted file mode 100644 index fb8fa3427..000000000 --- a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch +++ /dev/null
@@ -1,60 +0,0 @@
1	Origin: commit c187154f47697cdbf822c2f9d714d570ed4a0fd1
2	From: Oliver Kiddle <opk@zsh.org>
3	Date: Wed, 15 Dec 2021 01:56:40 +0100
4	Subject: [PATCH 1/9] security/41: Don't perform PROMPT_SUBST evaluation on
5	%F/%K arguments
6
7	Mitigates CVE-2021-45444
8
9	https://salsa.debian.org/debian/zsh/-/raw/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_1.patch?inline=false
10	Upstream-Status: Backport
11	CVE: CVE-2021-45444
12	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
13	---
14	ChangeLog \| 5 +++++
15	Src/prompt.c \| 10 ++++++++++
16	2 files changed, 15 insertions(+)
17
18	diff --git a/ChangeLog b/ChangeLog
19	index 8d7dfc169..eb248ec06 100644
20	--- a/ChangeLog
21	+++ b/ChangeLog
22	@@ -1,3 +1,8 @@
23	+2022-01-27 dana <dana@dana.is>
24	+
25	+ * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive
26	+ PROMPT_SUBST
27	+
28	2020-02-14 dana <dana@dana.is>
29
30	* unposted: Config/version.mk: Update for 5.8
31	diff --git a/Src/prompt.c b/Src/prompt.c
32	index b65bfb86b..91e21c8e9 100644
33	--- a/Src/prompt.c
34	+++ b/Src/prompt.c
35	@@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg)
36	bv->fm += 2; /* skip over F{ */
37	if ((ep = strchr(bv->fm, '}'))) {
38	char oc = ep, col, *coll;
39	+ int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG];
40	+ int opp = opts[PROMPTPERCENT];
41	+
42	+ opts[PROMPTPERCENT] = 1;
43	+ opts[PROMPTSUBST] = opts[PROMPTBANG] = 0;
44	+
45	*ep = '\0';
46	/* expand the contents of the argument so you can use
47	* %v for example */
48	@@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg)
49	arg = match_colour((const char **)&coll, is_fg, 0);
50	free(col);
51	bv->fm = ep;
52	+
53	+ opts[PROMPTSUBST] = ops;
54	+ opts[PROMPTBANG] = opb;
55	+ opts[PROMPTPERCENT] = opp;
56	} else {
57	arg = match_colour((const char **)&bv->fm, is_fg, 0);
58	if (*bv->fm != '}')
59	--
60	2.34.1


diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch deleted file mode 100644 index e5b6d7cdc..000000000 --- a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch +++ /dev/null
@@ -1,140 +0,0 @@
1	From 8a4d65ef6d0023ab9b238529410afb433553d2fa Mon Sep 17 00:00:00 2001
2	From: Marc Cornellà <hello@mcornella.com>
3	Date: Mon, 24 Jan 2022 09:43:28 +0100
4	Subject: [PATCH 2/9] security/89: Add patch which can optionally be used to
5	work around CVE-2021-45444 in VCS_Info
6	Comment: Updated to use the same file name without blanks as actually
7	used in the final 5.8.1 release.
8
9
10	https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_2.patch
11	Upstream-Status: Backport
12	CVE: CVE-2021-45444
13	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
14	---
15	ChangeLog \| 5 +
16	Etc/CVE-2021-45444-VCS_Info-workaround.patch \| 98 ++++++++++++++++++++
17	2 files changed, 103 insertions(+)
18	create mode 100644 Etc/CVE-2021-45444-VCS_Info-workaround.patch
19
20	diff --git a/ChangeLog b/ChangeLog
21	index eb248ec06..9a05a09e1 100644
22	--- a/ChangeLog
23	+++ b/ChangeLog
24	@@ -1,5 +1,10 @@
25	2022-01-27 dana <dana@dana.is>
26
27	+ * Marc Cornellà: security/89:
28	+ Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which
29	+ can optionally be used to work around recursive PROMPT_SUBST
30	+ issue in VCS_Info
31	+
32	* Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive
33	PROMPT_SUBST
34
35	diff --git a/Etc/CVE-2021-45444-VCS_Info-workaround.patch b/Etc/CVE-2021-45444-VCS_Info-workaround.patch
36	new file mode 100644
37	index 000000000..13e54be77
38	--- /dev/null
39	+++ b/Etc/CVE-2021-45444-VCS_Info-workaround.patch
40	@@ -0,0 +1,98 @@
41	+From 972887bbe5eb6a00e5f0e73781d6d73bfdcafb93 Mon Sep 17 00:00:00 2001
42	+From: =?UTF-8?q?Marc=20Cornell=C3=A0?= <hello@mcornella.com>
43	+Date: Mon, 24 Jan 2022 09:43:28 +0100
44	+Subject: [PATCH] security/89: Partially work around CVE-2021-45444 in VCS_Info
45	+MIME-Version: 1.0
46	+Content-Type: text/plain; charset=UTF-8
47	+Content-Transfer-Encoding: 8bit
48	+
49	+This patch is a partial, VCS_Info-specific work-around for CVE-2021-45444,
50	+which is mitigated in the shell itself in 5.8.1 and later versions. It is
51	+offered for users who are concerned about an exploit but are unable to update
52	+their binaries to receive the complete fix.
53	+
54	+The patch works around the vulnerability by pre-escaping values substituted
55	+into format strings in VCS_Info. Please note that this may break some user
56	+configurations that rely on those values being un-escaped (which is why it was
57	+not included directly in 5.8.1). It may be possible to limit this breakage by
58	+adjusting exactly which ones are pre-escaped, but of course this may leave
59	+them vulnerable again.
60	+
61	+If applying the patch to the file system is inconvenient or not possible, the
62	+following script can be used to idempotently patch the relevant function
63	+running in memory (and thus must be re-run when the shell is restarted):
64	+
65	+
66	+# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version)
67	+autoload -Uz is-at-least
68	+if is-at-least 5.8.1 \|\| ! is-at-least 5.0.3; then
69	+ return
70	+fi
71	+
72	+# Quote necessary $hook_com[<field>] items just before they are used
73	+# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats
74	+# function, where <field> is:
75	+#
76	+# base: the full path of the repository's root directory.
77	+# base-name: the name of the repository's root directory.
78	+# branch: the name of the currently checked out branch.
79	+# revision: an identifier of the currently checked out revision.
80	+# subdir: the path of the current directory relative to the
81	+# repository's root directory.
82	+# misc: a string that may contain anything the vcs_info backend wants.
83	+#
84	+# This patch %-quotes these fields previous to their use in vcs_info hooks and
85	+# the zformat call and, eventually, when they get expanded in the prompt.
86	+# It's important to quote these here, and not later after hooks have modified the
87	+# fields, because then we could be quoting % characters from valid prompt sequences,
88	+# like %F{color}, %B, etc.
89	+#
90	+# 32 │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
91	+# 33 │ hook_com[subdir_orig]="${hook_com[subdir]}"
92	+# 34 │
93	+# 35 + │ for tmp in base base-name branch misc revision subdir; do
94	+# 36 + │ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
95	+# 37 + │ done
96	+# 38 + │
97	+# 39 │ VCS_INFO_hook 'post-backend'
98	+#
99	+# This is especially important so that no command substitution is performed
100	+# due to malicious input as a consequence of CVE-2021-45444, which affects
101	+# zsh versions from 5.0.3 to 5.8.
102	+#
103	+autoload -Uz +X regexp-replace VCS_INFO_formats
104	+
105	+# We use $tmp here because it's already a local variable in VCS_INFO_formats
106	+typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"'
107	+# Unique string to avoid reapplying the patch if this code gets called twice
108	+typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b
109	+# Only patch the VCS_INFO_formats function if not already patched
110	+if [[ "$functions[VCS_INFO_formats]" != $PATCH_ID ]]; then
111	+ regexp-replace 'functions[VCS_INFO_formats]' \
112	+ "VCS_INFO_hook 'post-backend'" \
113	+ ': ${PATCH_ID}; ${PATCH}; ${MATCH}'
114	+fi
115	+unset PATCH PATCH_ID
116	+
117	+
118	+---
119	+ Functions/VCS_Info/VCS_INFO_formats \| 4 ++++
120	+ 1 file changed, 4 insertions(+)
121	+
122	+diff --git a/Functions/VCS_Info/VCS_INFO_formats b/Functions/VCS_Info/VCS_INFO_formats
123	+index e0e1dc738..4d88e28b6 100644
124	+--- a/Functions/VCS_Info/VCS_INFO_formats
125	++++ b/Functions/VCS_Info/VCS_INFO_formats
126	+@@ -32,6 +32,10 @@ hook_com[base-name_orig]="${hook_com[base_name]}"
127	+ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
128	+ hook_com[subdir_orig]="${hook_com[subdir]}"
129	+
130	++for tmp in base base-name branch misc revision subdir; do
131	++ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
132	++done
133	++
134	+ VCS_INFO_hook 'post-backend'
135	+
136	+ ## description (for backend authors):
137	+--
138	+2.34.1
139	--
140	2.34.1


diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch deleted file mode 100644 index adfc00ae5..000000000 --- a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch +++ /dev/null
@@ -1,77 +0,0 @@
1	From 4abf2fc193fc2f3e680deecbf81289a7b02e245b Mon Sep 17 00:00:00 2001
2	From: dana <dana@dana.is>
3	Date: Tue, 21 Dec 2021 13:13:33 -0600
4	Subject: [PATCH 3/9] CVE-2021-45444: Update NEWS/README
5
6	https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_3.patch
7	Upstream-Status: Backport
8	CVE: CVE-2021-45444
9	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
10	---
11	ChangeLog \| 2 ++
12	NEWS \| 20 ++++++++++++++++++++
13	README \| 6 ++++++
14	3 files changed, 28 insertions(+)
15
16	diff --git a/ChangeLog b/ChangeLog
17	index 9a05a09e1..93b0bc337 100644
18	--- a/ChangeLog
19	+++ b/ChangeLog
20	@@ -1,5 +1,7 @@
21	2022-01-27 dana <dana@dana.is>
22
23	+ * CVE-2021-45444: NEWS, README: Document preceding two changes
24	+
25	* Marc Cornellà: security/89:
26	Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which
27	can optionally be used to work around recursive PROMPT_SUBST
28	diff --git a/NEWS b/NEWS
29	index 964e1633f..d34b3f79e 100644
30	--- a/NEWS
31	+++ b/NEWS
32	@@ -4,6 +4,26 @@ CHANGES FROM PREVIOUS VERSIONS OF ZSH
33
34	Note also the list of incompatibilities in the README file.
35
36	+Changes since 5.8
37	+-----------------
38	+
39	+CVE-2021-45444: Some prompt expansion sequences, such as %F, support
40	+'arguments' which are themselves expanded in case they contain colour
41	+values, etc. This additional expansion would trigger PROMPT_SUBST
42	+evaluation, if enabled. This could be abused to execute code the user
43	+didn't expect. e.g., given a certain prompt configuration, an attacker
44	+could trick a user into executing arbitrary code by having them check
45	+out a Git branch with a specially crafted name.
46	+
47	+This is fixed in the shell itself by no longer performing PROMPT_SUBST
48	+evaluation on these prompt-expansion arguments.
49	+
50	+Users who are concerned about an exploit but unable to update their
51	+binaries may apply the partial work-around described in the file
52	+'Etc/CVE-2021-45444 VCS_Info workaround.patch' included with the shell
53	+source. [ Reported by RyotaK <security@ryotak.me>. Additional thanks to
54	+Marc Cornellà <hello@mcornella.com>. ]
55	+
56	Changes since 5.7.1-test-3
57	--------------------------
58
59	diff --git a/README b/README
60	index 7f1dd5f92..c9e994ab3 100644
61	--- a/README
62	+++ b/README
63	@@ -31,6 +31,12 @@ Zsh is a shell with lots of features. For a list of some of these, see the
64	file FEATURES, and for the latest changes see NEWS. For more
65	details, see the documentation.
66
67	+Incompatibilities since 5.8
68	+---------------------------
69	+
70	+PROMPT_SUBST expansion is no longer performed on arguments to prompt-
71	+expansion sequences such as %F.
72	+
73	Incompatibilities since 5.7.1
74	-----------------------------
75
76	--
77	2.34.1


diff --git a/meta-oe/recipes-shells/zsh/zsh_5.8.bb b/meta-oe/recipes-shells/zsh/zsh_5.9.bb index 7602ff9f6..7940970e4 100644 --- a/meta-oe/recipes-shells/zsh/zsh_5.8.bb +++ b/meta-oe/recipes-shells/zsh/zsh_5.9.bb
@@ -10,12 +10,8 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=1a4c4cda3e8096d2fd483ff2f4514fec"
10		10
11	DEPENDS = "ncurses bison-native libcap libpcre gdbm groff-native"	11	DEPENDS = "ncurses bison-native libcap libpcre gdbm groff-native"
12		12
13	SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/5.8/${BP}.tar.xz \	13	SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.xz"
14	file://CVE-2021-45444_1.patch \	14	SRC_URI[sha256sum] = "9b8d1ecedd5b5e81fbf1918e876752a7dd948e05c1a0dba10ab863842d45acd5"
15	file://CVE-2021-45444_2.patch \
16	file://CVE-2021-45444_3.patch \
17	"
18	SRC_URI[sha256sum] = "dcc4b54cc5565670a65581760261c163d720991f0d06486da61f8d839b52de27"
19		15
20	inherit autotools-brokensep gettext update-alternatives manpages	16	inherit autotools-brokensep gettext update-alternatives manpages
21		17
@@ -50,13 +46,17 @@ do_configure () {
50	oe_runconf	46	oe_runconf
51	}	47	}
52		48
		49	do_install:append() {
		50	sed -i -e '1!b; s:^#!.*[ /]zsh:#!${bindir}/zsh:; s#/usr/local/bin#${bindir}#;' \
		51	`find ${D}/usr/share/zsh/${PV}/functions -type f`
		52	}
		53
53	pkg_postinst:${PN} () {	54	pkg_postinst:${PN} () {
54	touch $D${sysconfdir}/shells	55	touch $D${sysconfdir}/shells
55	grep -q "bin/zsh" $D${sysconfdir}/shells \|\| echo /bin/zsh >> $D${sysconfdir}/shells	56	for i in zsh sh
56	grep -q "bin/sh" $D${sysconfdir}/shells \|\| echo /bin/sh >> $D${sysconfdir}/shells	57	do
		58	grep -q "bin/$i" $D${sysconfdir}/shells \|\| \
		59	printf >> $D${sysconfdir}/shells \
		60	"${bindir}/$i\n${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', '/bin/$i\n', '', d)}"
		61	done
57	}	62	}
58
59	# work around QA failures with usrmerge installing zsh in /usr/bin/zsh instead of /bin/zsh
60	# ERROR: QA Issue: /usr/share/zsh/5.8/functions/zed contained in package zsh requires /bin/zsh, but no providers found in RDEPENDS:zsh? [file-rdeps]
61	# like bash does since https://git.openembedded.org/openembedded-core/commit/?id=4759408677a4e60c5fa7131afcb5bc184cf2f90a
62	RPROVIDES:${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', '/bin/zsh', '', d)}"