zsh-users
* CVE-2021-45444 really fixed in 5.8.1?
@ 2022-03-12 14:39 Vincent Bernat
  2022-03-12 22:45 ` dana
  0 siblings, 1 reply; 4+ messages in thread
From: Vincent Bernat @ 2022-03-12 14:39 UTC (permalink / raw)
  To: zsh-users

Hey!

Is CVE-2021-45444 really fixed in 5.8.1?

neo% zsh --version
zsh 5.8.1 (x86_64-debian-linux-gnu)
neo% mkdir test1
neo% cd test1
neo% git init
Initialized empty Git repository in /home/bernat/tmp/test1/.git/
neo% git checkout -b branch%1branch
Switched to a new branch 'branch%1branch'
neo% autoload -Uz vcs_info
neo% precmd() { vcs_info }
neo% setopt prompt_subst
neo% PS1='${vcs_info_msg_0_}%# '
 (git)-[branchranch]-%

%1 was interpreted while it shouldn't have been?

The provided workaround for older versions works fine.

After applying:

 (git)-[branch%1branch]-%
-- 
Don't stop at one bug.
            - The Elements of Programming Style (Kernighan & Plauger)



* Re: CVE-2021-45444 really fixed in 5.8.1?
  2022-03-12 14:39 CVE-2021-45444 really fixed in 5.8.1? Vincent Bernat
@ 2022-03-12 22:45 ` dana
  2022-03-12 22:58   ` Vincent Bernat
  0 siblings, 1 reply; 4+ messages in thread
From: dana @ 2022-03-12 22:45 UTC (permalink / raw)
  To: Vincent Bernat, zsh-users

On Sat 12 Mar 2022, at 08:39, Vincent Bernat wrote:
> Is CVE-2021-45444 really fixed in 5.8.1?
>
> ...
>
> %1 was interpreted while it shouldn't have been?
>
> The provided workaround for older versions work fine.

The issue that was fixed in 5.8.1 is that PROMPT_SUBST evaluation was being
performed in the arguments to e.g. %F. This is not specifically related to
VCS_Info, but it was the most likely place it could cause trouble. e.g.
checking out a git branch name containing %F{...} could have resulted in
arbitrary code execution given a typical VCS_Info configuration. It was
fixed by simply not performing PROMPT_SUBST evaluation in that context any
more.

The issue you're describing is another one which is specific to VCS_Info:
that format sequences are interpreted in e.g. branch names. This was already
a publicly known issue (see workers/42165). Everyone seems to agree that
it's problematic, but we decided to delay shipping a true fix for it
because (with the PROMPT_SUBST patch in place) we couldn't identify an
actual vulnerability beyond just the displayed values not matching their
literal ones, and changing the way it works will break some VCS_Info
configurations.

The work-around we provided for users who can't upgrade is one possible fix
that we considered. It happens to avoid the PROMPT_SUBST evaluation issue,
in VCS_Info only, by not allowing %F to be interpreted in those values at
all. It can also be used (with a slight modification to the script that
applies it) by 5.8.1 users who are worried about those sequences being
interpreted. But, as mentioned, it'll break some existing configurations.

There was discussion of finalising this fix for 5.9 but i'm not sure if
that'll happen or not.

dana


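As an added example (not part of this thread, and not zsh's own workaround script), here is a vcs_info hook in the spirit of what dana describes: it escapes every `%` in the values vcs_info substitutes into its formats, so a branch named `branch%1branch` is displayed literally rather than being read as prompt escapes, while `%F{...}` in the user's own formats keeps working. The hook name `escape-percent` and the check function are my own; `hook_com`, the `hooks` style and the `+vi-` naming are documented vcs_info features.

```zsh
# Added example: escape '%' in vcs_info values before they reach the prompt.
autoload -Uz vcs_info
setopt prompt_subst

# set-message hook: runs once per message, before %b, %r, %S, %m, ... are
# substituted. The hook name is an assumption; hook_com keys are documented.
+vi-escape-percent() {
  local key
  for key in branch base base-name subdir misc action revision; do
    # '%%' is the prompt escape for a literal '%'.
    hook_com[$key]=${hook_com[$key]//\%/%%}
  done
  # A non-zero return would make vcs_info use hook_com[message] instead of
  # the substituted format, so return success explicitly.
  return 0
}
zstyle ':vcs_info:*+set-message:*' hooks escape-percent
# Same as vcs_info's default format, set explicitly so the check below is
# self-contained.
zstyle ':vcs_info:*' formats ' (%s)-[%b]-'

precmd() { vcs_info }
PS1='${vcs_info_msg_0_}%# '

# Self-check: rebuild the reproduction from the thread in a throwaway repo
# and compare the prompt-expanded message with the literal branch name.
vcs_info_escape_check() {
  local tmp name='branch%1branch' expected shown
  tmp=$(mktemp -d) || return 1
  pushd -q "$tmp" || return 1
  git init -q && git checkout -q -b "$name"
  vcs_info
  shown=${(%)vcs_info_msg_0_}     # expand % escapes exactly as PS1 would
  popd -q
  rm -rf "$tmp"
  expected=" (git)-[$name]-"
  # Quote the right-hand side: the brackets would otherwise be a glob.
  if [[ $shown == "$expected" ]]; then
    print "ok: $shown"
  else
    print "mismatch: got '$shown', wanted '$expected'"
    return 1
  fi
}
```

Register this hook before any other set-message hook that deliberately adds prompt escapes to `hook_com` values, or those will be escaped too; that is the compatibility trade-off dana mentions.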

* Re: CVE-2021-45444 really fixed in 5.8.1?
  2022-03-12 22:45 ` dana
@ 2022-03-12 22:58   ` Vincent Bernat
  2022-03-13  0:01     ` dana
  0 siblings, 1 reply; 4+ messages in thread
From: Vincent Bernat @ 2022-03-12 22:58 UTC (permalink / raw)
  To: dana; +Cc: zsh-users

 ❦ 12 March 2022 16:45 -06, dana:

>> Is CVE-2021-45444 really fixed in 5.8.1?
>>
>> ...
>>
>> %1 was interpreted while it shouldn't have been?
>>
>> The provided workaround for older versions work fine.
>
> The issue that was fixed in 5.8.1 is that PROMPT_SUBST evaluation was being
> performed in the arguments to e.g. %F. This is not specifically related to
> VCS_Info, but it was the most likely place it could cause trouble. e.g.
> checking out a git branch name containing %F{...} could have resulted in
> arbitrary code execution given a typical VCS_Info configuration. It was
> fixed by simply not performing PROMPT_SUBST evaluation in that context any
> more.

You mean, it was possible to do "%F{$(echo hello)}"?

Thanks for the remaining explanation!
-- 
All generalizations are false, including this one.
		-- Mark Twain



* Re: CVE-2021-45444 really fixed in 5.8.1?
  2022-03-12 22:58   ` Vincent Bernat
@ 2022-03-13  0:01     ` dana
  0 siblings, 0 replies; 4+ messages in thread
From: dana @ 2022-03-13  0:01 UTC (permalink / raw)
  To: Vincent Bernat; +Cc: zsh-users

On Sat 12 Mar 2022, at 16:58, Vincent Bernat wrote:
> You mean, it was possible to do "%F{$(echo hello)}"?

Yes, that kind of thing.

dana

