diff options
Diffstat (limited to 'meta-oe/recipes-shells')
-rw-r--r-- | meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch | 60 | ||||
-rw-r--r-- | meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch | 140 | ||||
-rw-r--r-- | meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch | 77 | ||||
-rw-r--r-- | meta-oe/recipes-shells/zsh/zsh_5.9.bb (renamed from meta-oe/recipes-shells/zsh/zsh_5.8.bb) | 26 |
4 files changed, 13 insertions, 290 deletions
diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch deleted file mode 100644 index fb8fa3427..000000000 --- a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch +++ /dev/null | |||
@@ -1,60 +0,0 @@ | |||
1 | Origin: commit c187154f47697cdbf822c2f9d714d570ed4a0fd1 | ||
2 | From: Oliver Kiddle <opk@zsh.org> | ||
3 | Date: Wed, 15 Dec 2021 01:56:40 +0100 | ||
4 | Subject: [PATCH 1/9] security/41: Don't perform PROMPT_SUBST evaluation on | ||
5 | %F/%K arguments | ||
6 | |||
7 | Mitigates CVE-2021-45444 | ||
8 | |||
9 | https://salsa.debian.org/debian/zsh/-/raw/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_1.patch?inline=false | ||
10 | Upstream-Status: Backport | ||
11 | CVE: CVE-2021-45444 | ||
12 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
13 | --- | ||
14 | ChangeLog | 5 +++++ | ||
15 | Src/prompt.c | 10 ++++++++++ | ||
16 | 2 files changed, 15 insertions(+) | ||
17 | |||
18 | diff --git a/ChangeLog b/ChangeLog | ||
19 | index 8d7dfc169..eb248ec06 100644 | ||
20 | --- a/ChangeLog | ||
21 | +++ b/ChangeLog | ||
22 | @@ -1,3 +1,8 @@ | ||
23 | +2022-01-27 dana <dana@dana.is> | ||
24 | + | ||
25 | + * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive | ||
26 | + PROMPT_SUBST | ||
27 | + | ||
28 | 2020-02-14 dana <dana@dana.is> | ||
29 | |||
30 | * unposted: Config/version.mk: Update for 5.8 | ||
31 | diff --git a/Src/prompt.c b/Src/prompt.c | ||
32 | index b65bfb86b..91e21c8e9 100644 | ||
33 | --- a/Src/prompt.c | ||
34 | +++ b/Src/prompt.c | ||
35 | @@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg) | ||
36 | bv->fm += 2; /* skip over F{ */ | ||
37 | if ((ep = strchr(bv->fm, '}'))) { | ||
38 | char oc = *ep, *col, *coll; | ||
39 | + int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG]; | ||
40 | + int opp = opts[PROMPTPERCENT]; | ||
41 | + | ||
42 | + opts[PROMPTPERCENT] = 1; | ||
43 | + opts[PROMPTSUBST] = opts[PROMPTBANG] = 0; | ||
44 | + | ||
45 | *ep = '\0'; | ||
46 | /* expand the contents of the argument so you can use | ||
47 | * %v for example */ | ||
48 | @@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg) | ||
49 | arg = match_colour((const char **)&coll, is_fg, 0); | ||
50 | free(col); | ||
51 | bv->fm = ep; | ||
52 | + | ||
53 | + opts[PROMPTSUBST] = ops; | ||
54 | + opts[PROMPTBANG] = opb; | ||
55 | + opts[PROMPTPERCENT] = opp; | ||
56 | } else { | ||
57 | arg = match_colour((const char **)&bv->fm, is_fg, 0); | ||
58 | if (*bv->fm != '}') | ||
59 | -- | ||
60 | 2.34.1 | ||
diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch deleted file mode 100644 index e5b6d7cdc..000000000 --- a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch +++ /dev/null | |||
@@ -1,140 +0,0 @@ | |||
1 | From 8a4d65ef6d0023ab9b238529410afb433553d2fa Mon Sep 17 00:00:00 2001 | ||
2 | From: Marc Cornellà <hello@mcornella.com> | ||
3 | Date: Mon, 24 Jan 2022 09:43:28 +0100 | ||
4 | Subject: [PATCH 2/9] security/89: Add patch which can optionally be used to | ||
5 | work around CVE-2021-45444 in VCS_Info | ||
6 | Comment: Updated to use the same file name without blanks as actually | ||
7 | used in the final 5.8.1 release. | ||
8 | |||
9 | |||
10 | https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_2.patch | ||
11 | Upstream-Status: Backport | ||
12 | CVE: CVE-2021-45444 | ||
13 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
14 | --- | ||
15 | ChangeLog | 5 + | ||
16 | Etc/CVE-2021-45444-VCS_Info-workaround.patch | 98 ++++++++++++++++++++ | ||
17 | 2 files changed, 103 insertions(+) | ||
18 | create mode 100644 Etc/CVE-2021-45444-VCS_Info-workaround.patch | ||
19 | |||
20 | diff --git a/ChangeLog b/ChangeLog | ||
21 | index eb248ec06..9a05a09e1 100644 | ||
22 | --- a/ChangeLog | ||
23 | +++ b/ChangeLog | ||
24 | @@ -1,5 +1,10 @@ | ||
25 | 2022-01-27 dana <dana@dana.is> | ||
26 | |||
27 | + * Marc Cornellà: security/89: | ||
28 | + Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which | ||
29 | + can optionally be used to work around recursive PROMPT_SUBST | ||
30 | + issue in VCS_Info | ||
31 | + | ||
32 | * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive | ||
33 | PROMPT_SUBST | ||
34 | |||
35 | diff --git a/Etc/CVE-2021-45444-VCS_Info-workaround.patch b/Etc/CVE-2021-45444-VCS_Info-workaround.patch | ||
36 | new file mode 100644 | ||
37 | index 000000000..13e54be77 | ||
38 | --- /dev/null | ||
39 | +++ b/Etc/CVE-2021-45444-VCS_Info-workaround.patch | ||
40 | @@ -0,0 +1,98 @@ | ||
41 | +From 972887bbe5eb6a00e5f0e73781d6d73bfdcafb93 Mon Sep 17 00:00:00 2001 | ||
42 | +From: =?UTF-8?q?Marc=20Cornell=C3=A0?= <hello@mcornella.com> | ||
43 | +Date: Mon, 24 Jan 2022 09:43:28 +0100 | ||
44 | +Subject: [PATCH] security/89: Partially work around CVE-2021-45444 in VCS_Info | ||
45 | +MIME-Version: 1.0 | ||
46 | +Content-Type: text/plain; charset=UTF-8 | ||
47 | +Content-Transfer-Encoding: 8bit | ||
48 | + | ||
49 | +This patch is a partial, VCS_Info-specific work-around for CVE-2021-45444, | ||
50 | +which is mitigated in the shell itself in 5.8.1 and later versions. It is | ||
51 | +offered for users who are concerned about an exploit but are unable to update | ||
52 | +their binaries to receive the complete fix. | ||
53 | + | ||
54 | +The patch works around the vulnerability by pre-escaping values substituted | ||
55 | +into format strings in VCS_Info. Please note that this may break some user | ||
56 | +configurations that rely on those values being un-escaped (which is why it was | ||
57 | +not included directly in 5.8.1). It may be possible to limit this breakage by | ||
58 | +adjusting exactly which ones are pre-escaped, but of course this may leave | ||
59 | +them vulnerable again. | ||
60 | + | ||
61 | +If applying the patch to the file system is inconvenient or not possible, the | ||
62 | +following script can be used to idempotently patch the relevant function | ||
63 | +running in memory (and thus must be re-run when the shell is restarted): | ||
64 | + | ||
65 | + | ||
66 | +# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version) | ||
67 | +autoload -Uz is-at-least | ||
68 | +if is-at-least 5.8.1 || ! is-at-least 5.0.3; then | ||
69 | + return | ||
70 | +fi | ||
71 | + | ||
72 | +# Quote necessary $hook_com[<field>] items just before they are used | ||
73 | +# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats | ||
74 | +# function, where <field> is: | ||
75 | +# | ||
76 | +# base: the full path of the repository's root directory. | ||
77 | +# base-name: the name of the repository's root directory. | ||
78 | +# branch: the name of the currently checked out branch. | ||
79 | +# revision: an identifier of the currently checked out revision. | ||
80 | +# subdir: the path of the current directory relative to the | ||
81 | +# repository's root directory. | ||
82 | +# misc: a string that may contain anything the vcs_info backend wants. | ||
83 | +# | ||
84 | +# This patch %-quotes these fields previous to their use in vcs_info hooks and | ||
85 | +# the zformat call and, eventually, when they get expanded in the prompt. | ||
86 | +# It's important to quote these here, and not later after hooks have modified the | ||
87 | +# fields, because then we could be quoting % characters from valid prompt sequences, | ||
88 | +# like %F{color}, %B, etc. | ||
89 | +# | ||
90 | +# 32 │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})" | ||
91 | +# 33 │ hook_com[subdir_orig]="${hook_com[subdir]}" | ||
92 | +# 34 │ | ||
93 | +# 35 + │ for tmp in base base-name branch misc revision subdir; do | ||
94 | +# 36 + │ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}" | ||
95 | +# 37 + │ done | ||
96 | +# 38 + │ | ||
97 | +# 39 │ VCS_INFO_hook 'post-backend' | ||
98 | +# | ||
99 | +# This is especially important so that no command substitution is performed | ||
100 | +# due to malicious input as a consequence of CVE-2021-45444, which affects | ||
101 | +# zsh versions from 5.0.3 to 5.8. | ||
102 | +# | ||
103 | +autoload -Uz +X regexp-replace VCS_INFO_formats | ||
104 | + | ||
105 | +# We use $tmp here because it's already a local variable in VCS_INFO_formats | ||
106 | +typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"' | ||
107 | +# Unique string to avoid reapplying the patch if this code gets called twice | ||
108 | +typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b | ||
109 | +# Only patch the VCS_INFO_formats function if not already patched | ||
110 | +if [[ "$functions[VCS_INFO_formats]" != *$PATCH_ID* ]]; then | ||
111 | + regexp-replace 'functions[VCS_INFO_formats]' \ | ||
112 | + "VCS_INFO_hook 'post-backend'" \ | ||
113 | + ': ${PATCH_ID}; ${PATCH}; ${MATCH}' | ||
114 | +fi | ||
115 | +unset PATCH PATCH_ID | ||
116 | + | ||
117 | + | ||
118 | +--- | ||
119 | + Functions/VCS_Info/VCS_INFO_formats | 4 ++++ | ||
120 | + 1 file changed, 4 insertions(+) | ||
121 | + | ||
122 | +diff --git a/Functions/VCS_Info/VCS_INFO_formats b/Functions/VCS_Info/VCS_INFO_formats | ||
123 | +index e0e1dc738..4d88e28b6 100644 | ||
124 | +--- a/Functions/VCS_Info/VCS_INFO_formats | ||
125 | ++++ b/Functions/VCS_Info/VCS_INFO_formats | ||
126 | +@@ -32,6 +32,10 @@ hook_com[base-name_orig]="${hook_com[base_name]}" | ||
127 | + hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})" | ||
128 | + hook_com[subdir_orig]="${hook_com[subdir]}" | ||
129 | + | ||
130 | ++for tmp in base base-name branch misc revision subdir; do | ||
131 | ++ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}" | ||
132 | ++done | ||
133 | ++ | ||
134 | + VCS_INFO_hook 'post-backend' | ||
135 | + | ||
136 | + ## description (for backend authors): | ||
137 | +-- | ||
138 | +2.34.1 | ||
139 | -- | ||
140 | 2.34.1 | ||
diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch deleted file mode 100644 index adfc00ae5..000000000 --- a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch +++ /dev/null | |||
@@ -1,77 +0,0 @@ | |||
1 | From 4abf2fc193fc2f3e680deecbf81289a7b02e245b Mon Sep 17 00:00:00 2001 | ||
2 | From: dana <dana@dana.is> | ||
3 | Date: Tue, 21 Dec 2021 13:13:33 -0600 | ||
4 | Subject: [PATCH 3/9] CVE-2021-45444: Update NEWS/README | ||
5 | |||
6 | https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_3.patch | ||
7 | Upstream-Status: Backport | ||
8 | CVE: CVE-2021-45444 | ||
9 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
10 | --- | ||
11 | ChangeLog | 2 ++ | ||
12 | NEWS | 20 ++++++++++++++++++++ | ||
13 | README | 6 ++++++ | ||
14 | 3 files changed, 28 insertions(+) | ||
15 | |||
16 | diff --git a/ChangeLog b/ChangeLog | ||
17 | index 9a05a09e1..93b0bc337 100644 | ||
18 | --- a/ChangeLog | ||
19 | +++ b/ChangeLog | ||
20 | @@ -1,5 +1,7 @@ | ||
21 | 2022-01-27 dana <dana@dana.is> | ||
22 | |||
23 | + * CVE-2021-45444: NEWS, README: Document preceding two changes | ||
24 | + | ||
25 | * Marc Cornellà: security/89: | ||
26 | Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which | ||
27 | can optionally be used to work around recursive PROMPT_SUBST | ||
28 | diff --git a/NEWS b/NEWS | ||
29 | index 964e1633f..d34b3f79e 100644 | ||
30 | --- a/NEWS | ||
31 | +++ b/NEWS | ||
32 | @@ -4,6 +4,26 @@ CHANGES FROM PREVIOUS VERSIONS OF ZSH | ||
33 | |||
34 | Note also the list of incompatibilities in the README file. | ||
35 | |||
36 | +Changes since 5.8 | ||
37 | +----------------- | ||
38 | + | ||
39 | +CVE-2021-45444: Some prompt expansion sequences, such as %F, support | ||
40 | +'arguments' which are themselves expanded in case they contain colour | ||
41 | +values, etc. This additional expansion would trigger PROMPT_SUBST | ||
42 | +evaluation, if enabled. This could be abused to execute code the user | ||
43 | +didn't expect. e.g., given a certain prompt configuration, an attacker | ||
44 | +could trick a user into executing arbitrary code by having them check | ||
45 | +out a Git branch with a specially crafted name. | ||
46 | + | ||
47 | +This is fixed in the shell itself by no longer performing PROMPT_SUBST | ||
48 | +evaluation on these prompt-expansion arguments. | ||
49 | + | ||
50 | +Users who are concerned about an exploit but unable to update their | ||
51 | +binaries may apply the partial work-around described in the file | ||
52 | +'Etc/CVE-2021-45444 VCS_Info workaround.patch' included with the shell | ||
53 | +source. [ Reported by RyotaK <security@ryotak.me>. Additional thanks to | ||
54 | +Marc Cornellà <hello@mcornella.com>. ] | ||
55 | + | ||
56 | Changes since 5.7.1-test-3 | ||
57 | -------------------------- | ||
58 | |||
59 | diff --git a/README b/README | ||
60 | index 7f1dd5f92..c9e994ab3 100644 | ||
61 | --- a/README | ||
62 | +++ b/README | ||
63 | @@ -31,6 +31,12 @@ Zsh is a shell with lots of features. For a list of some of these, see the | ||
64 | file FEATURES, and for the latest changes see NEWS. For more | ||
65 | details, see the documentation. | ||
66 | |||
67 | +Incompatibilities since 5.8 | ||
68 | +--------------------------- | ||
69 | + | ||
70 | +PROMPT_SUBST expansion is no longer performed on arguments to prompt- | ||
71 | +expansion sequences such as %F. | ||
72 | + | ||
73 | Incompatibilities since 5.7.1 | ||
74 | ----------------------------- | ||
75 | |||
76 | -- | ||
77 | 2.34.1 | ||
diff --git a/meta-oe/recipes-shells/zsh/zsh_5.8.bb b/meta-oe/recipes-shells/zsh/zsh_5.9.bb index 7602ff9f6..7940970e4 100644 --- a/meta-oe/recipes-shells/zsh/zsh_5.8.bb +++ b/meta-oe/recipes-shells/zsh/zsh_5.9.bb | |||
@@ -10,12 +10,8 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=1a4c4cda3e8096d2fd483ff2f4514fec" | |||
10 | 10 | ||
11 | DEPENDS = "ncurses bison-native libcap libpcre gdbm groff-native" | 11 | DEPENDS = "ncurses bison-native libcap libpcre gdbm groff-native" |
12 | 12 | ||
13 | SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/5.8/${BP}.tar.xz \ | 13 | SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.xz" |
14 | file://CVE-2021-45444_1.patch \ | 14 | SRC_URI[sha256sum] = "9b8d1ecedd5b5e81fbf1918e876752a7dd948e05c1a0dba10ab863842d45acd5" |
15 | file://CVE-2021-45444_2.patch \ | ||
16 | file://CVE-2021-45444_3.patch \ | ||
17 | " | ||
18 | SRC_URI[sha256sum] = "dcc4b54cc5565670a65581760261c163d720991f0d06486da61f8d839b52de27" | ||
19 | 15 | ||
20 | inherit autotools-brokensep gettext update-alternatives manpages | 16 | inherit autotools-brokensep gettext update-alternatives manpages |
21 | 17 | ||
@@ -50,13 +46,17 @@ do_configure () { | |||
50 | oe_runconf | 46 | oe_runconf |
51 | } | 47 | } |
52 | 48 | ||
49 | do_install:append() { | ||
50 | sed -i -e '1!b; s:^#!.*[ /]zsh:#!${bindir}/zsh:; s#/usr/local/bin#${bindir}#;' \ | ||
51 | `find ${D}/usr/share/zsh/${PV}/functions -type f` | ||
52 | } | ||
53 | |||
53 | pkg_postinst:${PN} () { | 54 | pkg_postinst:${PN} () { |
54 | touch $D${sysconfdir}/shells | 55 | touch $D${sysconfdir}/shells |
55 | grep -q "bin/zsh" $D${sysconfdir}/shells || echo /bin/zsh >> $D${sysconfdir}/shells | 56 | for i in zsh sh |
56 | grep -q "bin/sh" $D${sysconfdir}/shells || echo /bin/sh >> $D${sysconfdir}/shells | 57 | do |
58 | grep -q "bin/$i" $D${sysconfdir}/shells || \ | ||
59 | printf >> $D${sysconfdir}/shells \ | ||
60 | "${bindir}/$i\n${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', '/bin/$i\n', '', d)}" | ||
61 | done | ||
57 | } | 62 | } |
58 | |||
59 | # work around QA failures with usrmerge installing zsh in /usr/bin/zsh instead of /bin/zsh | ||
60 | # ERROR: QA Issue: /usr/share/zsh/5.8/functions/zed contained in package zsh requires /bin/zsh, but no providers found in RDEPENDS:zsh? [file-rdeps] | ||
61 | # like bash does since https://git.openembedded.org/openembedded-core/commit/?id=4759408677a4e60c5fa7131afcb5bc184cf2f90a | ||
62 | RPROVIDES:${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', '/bin/zsh', '', d)}" | ||