Message-Id: <8e5ef93a-85b0-4a04-9b3a-01452f29e68f@www.fastmail.com>
Date: Sat, 12 Mar 2022 16:45:11 -0600
From: dana
To: "Vincent Bernat", zsh-users@zsh.org
Subject: Re: CVE-2021-45444 really fixed in 5.8.1?
X-Seq: 27549

On Sat 12 Mar 2022, at 08:39, Vincent Bernat wrote:
> Is CVE-2021-45444 really fixed in 5.8.1?
>
> ...
>
> %1 was interpreted while it shouldn't have been?
>
> The provided workaround for older versions works fine.

The issue that was fixed in 5.8.1 is that PROMPT_SUBST evaluation was being performed in the arguments to e.g. %F. This is not specifically related to VCS_Info, but it was the most likely place it could cause trouble. E.g. checking out a git branch name containing %F{...} could have resulted in arbitrary code execution given a typical VCS_Info configuration. It was fixed by simply not performing PROMPT_SUBST evaluation in that context any more.

The issue you're describing is another one which is specific to VCS_Info: that format sequences are interpreted in e.g. branch names. This was already a publicly known issue (see workers/42165). Everyone seems to agree that it's problematic, but we decided to delay shipping a true fix for it because (with the PROMPT_SUBST patch in place) we couldn't identify an actual vulnerability beyond just the displayed values not matching their literal ones, and changing the way it works will break some VCS_Info configurations.

The work-around we provided for users who can't upgrade is one possible fix that we considered. It happens to avoid the PROMPT_SUBST evaluation issue, in VCS_Info only, by not allowing %F to be interpreted in those values at all. It can also be used (with a slight modification to the script that applies it) by 5.8.1 users who are worried about those sequences being interpreted. But, as mentioned, it'll break some existing configurations.

There was discussion of finalising this fix for 5.9 but I'm not sure if that'll happen or not.

dana
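The two hazards dana separates above (prompt escapes such as %F{...} being interpreted in VCS-derived strings, and, before 5.8.1, PROMPT_SUBST evaluation inside %F's argument) can be checked for before a branch name ever reaches a prompt. The script below is an added illustration, not zsh's or the workaround's own code; the function names are hypothetical and the sample branch names are constructed. It flags names the prompt would interpret and shows the `%` to `%%` escaping that renders them literally.

```shell
#!/bin/sh
# Added illustration (not zsh's own code; function names are hypothetical):
# audit VCS-derived strings before they are interpolated into a zsh prompt.
#
#  - any '%' sequence (e.g. %F{red}) is a prompt escape, so an untrusted
#    branch name can restyle or hide parts of the prompt (the VCS_Info issue);
#  - before 5.8.1, '$(...)' or '`...`' inside a %F{...} argument was also
#    evaluated under PROMPT_SUBST, which is what made it code execution.

# Classify one string: literal | prompt_escape | prompt_escape+subst
classify_prompt_hazard() {
    case $1 in
        *%*)
            case $1 in
                *'$('*|*'`'*|*'${'*) printf 'prompt_escape+subst\n' ;;
                *)                    printf 'prompt_escape\n' ;;
            esac ;;
        *) printf 'literal\n' ;;
    esac
}

# Neutralise prompt escapes: every '%' becomes '%%', which zsh renders as a
# literal '%', so %F{...} in the value is displayed rather than interpreted.
escape_prompt_literal() {
    printf '%s\n' "$1" | sed 's/%/%%/g'
}

# Print every argument that is unsafe to interpolate verbatim, with its
# escaped form; returns the number flagged so it can gate a CI job or hook.
audit_branch_names() {
    flagged=0
    for name in "$@"; do
        verdict=$(classify_prompt_hazard "$name")
        if [ "$verdict" != literal ]; then
            flagged=$((flagged + 1))
            printf '%-20s %-28s -> %s\n' "$verdict" "$name" \
                "$(escape_prompt_literal "$name")"
        fi
    done
    return $flagged
}

# Constructed sample names; a real audit would feed the output of
#   git for-each-ref --format='%(refname:short)' refs/heads
audit_branch_names main 'release/50%' 'feature/%F{red}restyled' 'hotfix/%F{$(id)}' \
    || echo "$? branch name(s) would be interpreted by the prompt"
```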