zsh-users
From: dana <dana@dana.is>
To: "Vincent Bernat" <bernat@luffy.cx>, zsh-users@zsh.org
Subject: Re: CVE-2021-45444 really fixed in 5.8.1?
Date: Sat, 12 Mar 2022 16:45:11 -0600
Message-ID: <8e5ef93a-85b0-4a04-9b3a-01452f29e68f@www.fastmail.com>
In-Reply-To: <m38rtfutff.fsf@luffy.cx>

On Sat 12 Mar 2022, at 08:39, Vincent Bernat wrote:
> Is CVE-2021-45444 really fixed in 5.8.1?
>
> ...
>
> %1 was interpreted while it shouldn't have been?
>
> The provided workaround for older versions works fine.

The issue that was fixed in 5.8.1 is that PROMPT_SUBST evaluation was being
performed in the arguments to e.g. %F. This is not specifically related to
VCS_Info, but it was the most likely place it could cause trouble, e.g.
checking out a git branch name containing %F{...} could have resulted in
arbitrary code execution given a typical VCS_Info configuration. It was
fixed by simply not performing PROMPT_SUBST evaluation in that context any
more.

The issue you're describing is another one which is specific to VCS_Info:
that format sequences are interpreted in e.g. branch names. This was already
a publicly known issue (see workers/42165). Everyone seems to agree that
it's problematic, but we decided to delay shipping a true fix for it
because (with the PROMPT_SUBST patch in place) we couldn't identify an
actual vulnerability beyond just the displayed values not matching their
literal ones, and changing the way it works will break some VCS_Info
configurations.

The work-around we provided for users who can't upgrade is one possible fix
that we considered. It happens to avoid the PROMPT_SUBST evaluation issue,
in VCS_Info only, by not allowing %F to be interpreted in those values at
all. It can also be used (with a slight modification to the script that
applies it) by 5.8.1 users who are worried about those sequences being
interpreted. But, as mentioned, it'll break some existing configurations.

There was discussion of finalising this fix for 5.9 but i'm not sure if
that'll happen or not.

dana
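The mitigation dana describes, escaping `%` in the values VCS_Info substitutes so that sequences such as `%F{...}` found in a branch name are displayed literally instead of being interpreted, can be expressed as a vcs_info set-message hook. This is an added illustration, not the zsh project's own workaround script; it assumes zsh 5.8.1 or later (so PROMPT_SUBST evaluation inside %F arguments is already gone), vcs_info loaded via autoload, and a prompt that references `${vcs_info_msg_0_}`.

```zsh
# Added example (not the zsh project's workaround): escape every '%' in the
# per-escape values vcs_info exposes to set-message hooks, so that %b, %a,
# %m etc. never inject prompt format sequences. Assumes zsh >= 5.8.1.
autoload -Uz vcs_info

# +vi- is the default hook function prefix. vcs_info calls the set-message
# hook before assembling each message; hook_com holds the values that will
# replace the %-escapes and may be modified in place.
+vi-escape-percent() {
  local key
  for key in branch action misc revision base-name subdir; do
    # In prompt expansion %% yields a literal %, so a branch named
    # 'foo%F{red}bar' is rendered as-is rather than switching colour.
    hook_com[$key]="${hook_com[$key]//'%'/%%}"
  done
  return 0
}

# Register the hook for every backend (git, hg, svn, ...).
zstyle ':vcs_info:*+set-message:*' hooks escape-percent
zstyle ':vcs_info:*' formats       '(%s) %b '
zstyle ':vcs_info:*' actionformats '(%s) %b|%a '

precmd() { vcs_info }
setopt PROMPT_SUBST
PROMPT='%n@%m %~ ${vcs_info_msg_0_}%# '
```

As the mail notes, this breaks configurations whose own hooks deliberately place format sequences into these values; list such hooks after `escape-percent` if they must keep working.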

