From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,T_SCC_BODY_TEXT_LINE,
	UNPARSEABLE_RELAY autolearn=ham autolearn_force=no version=3.4.4
Received: (qmail 14817 invoked from network); 12 Mar 2022 14:40:00 -0000
Received: from zero.zsh.org (2a02:898:31:0:48:4558:7a:7368)
  by inbox.vuxu.org with ESMTPUTF8; 12 Mar 2022 14:40:00 -0000
ARC-Seal: i=1; cv=none; a=rsa-sha256; d=zsh.org; s=rsa-20210803; t=1647096000;
	 b=jHG4igBRXEy55oakBR2C58c9dXkZuw8q09P8SVXVvG3WNl04YioAcPWLsVEuUSm00IBG8fA2XN
	  UeceRXMKljMP7wFRTcZ8UoqymS+eR+/A4C+uayNbY+5iuheUsFYVM/FNTOEdzcLTUn4tJDtyLX
	  15Fk3cRD3TgyUA1WQFBGkeEhfgKN2BvpFB3UshJcwsk0NZbbSOLRzZ8UqEFNM1qC1Nul6WY+EY
	  vYb02t3lU63JdUGMJ8OujBetWp+TYUCo++RZof1+LOx1BYlbsqyxL+b/ScdrtISkppsQeo1Umy
	  rCvV+5E2uE8cbB0rk9IgSa05IlNYn73P5x6+5RiUwrLmtg==;
ARC-Authentication-Results: i=1; zsh.org;
	iprev=pass (wout3-smtp.messagingengine.com) smtp.remote-ip=64.147.123.19;
	dkim=pass header.d=luffy.cx header.s=fm3 header.a=rsa-sha256;
	dkim=pass header.d=messagingengine.com header.s=fm2 header.a=rsa-sha256;
	dmarc=pass header.from=luffy.cx;
	arc=none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed; d=zsh.org; s=rsa-20210803; t=1647096000;
	bh=vbjKC0oLe7h/olBo1pV/idJ3EZV78dkYlUsNRp/fcSY=;
	h=List-Archive:List-Owner:List-Post:List-Unsubscribe:List-Subscribe:List-Help:
	  List-Id:Sender:Content-Type:MIME-Version:Message-ID:Date:Subject:To:From:
	  DKIM-Signature:DKIM-Signature:DKIM-Signature;
	b=oXLIczSkq19IsFEQYbJYlnflw8Rb2pOaWb/lQ6NvNN3xfHnjvvmR9bQaeuanq5BitkVLXnD4Rk
	  BoXRMrzDMCTMvRSW6CuXpAHHdAvskLyRAxIPtQUaqK5u+nRfTynWiCWDo8qQL7Ver7Uxb+vtGp
	  NTNvqeUu2yr3Yn3ymecqfC2aUL/lA1uJ87hF4QnWWVkHH31GAzD1At16xuPXE3v0wT1m6QItgG
	  d6BSKMBH8JZhYFXyoqzfvmDKuV+lgFgQagvD/O83FNQDwS21/RX7DfG6v8KoxeHM7BIFeVdJkb
	  0BaVNbb4NAUQiiGV22W5wR9xQSqI6+PLyOGmqqWmC9oqkQ==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=zsh.org;
	s=rsa-20210803; h=List-Archive:List-Owner:List-Post:List-Unsubscribe:
	List-Subscribe:List-Help:List-Id:Sender:Content-Type:MIME-Version:Message-ID:
	Date:Subject:To:From:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
	Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
	:Resent-Message-ID:In-Reply-To:References;
	bh=cDuFlkbIO6IxasSylzzrv89MXoOLdBKeASCYwHK2cwI=; b=Tw5cBPpKHuFaRcDhUXk2NbwLoX
	/w/XpiElKGw41vejN1y8rtjcoKx8xKYKLzZfsEEzeauMvQ34BFLB/gN8E3egjfdYGe0m/PHz8AXic
	R16Oam3x00S/rMnY4H93mlqM3Chu8YgOZcBWiZXvB2/7+fOfmRS6/WMv+XI11YhhEAm8nl6xGzfZN
	VrKvk4mkujOqUpuBBa1U0MXWfpn375MrP9GYpiJIMQkTuHZ7tTMxoOUqjXAW+tUnP+9wXUoCmGYgW
	zAyXN4Dj1tgb2jODKf/RrJD52aSKM+APKt/zYJqyVC3a3z1PJhJRXpzXCp3mH6cQcCtdI1/fmohJ8
	lbE+NC6A==;
Received: from authenticated user by zero.zsh.org with local 
	id 1nT2uT-000FRf-Uo; Sat, 12 Mar 2022 14:39:57 +0000
Authentication-Results: zsh.org;
	iprev=pass (wout3-smtp.messagingengine.com) smtp.remote-ip=64.147.123.19;
	dkim=pass header.d=luffy.cx header.s=fm3 header.a=rsa-sha256;
	dkim=pass header.d=messagingengine.com header.s=fm2 header.a=rsa-sha256;
	dmarc=pass header.from=luffy.cx;
	arc=none
Received: from wout3-smtp.messagingengine.com ([64.147.123.19]:45091)
	by zero.zsh.org with esmtps (TLS1.3:TLS_AES_256_GCM_SHA384:256)
	id 1nT2td-000EkG-IE; Sat, 12 Mar 2022 14:39:07 +0000
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46])
	by mailout.west.internal (Postfix) with ESMTP id E932E3201DE2
	for <zsh-users@zsh.org>; Sat, 12 Mar 2022 09:39:02 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163])
  by compute2.internal (MEProxy); Sat, 12 Mar 2022 09:39:03 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=luffy.cx; h=cc
	:content-type:date:date:from:from:in-reply-to:message-id
	:mime-version:reply-to:sender:subject:subject:to:to; s=fm3; bh=c
	DuFlkbIO6IxasSylzzrv89MXoOLdBKeASCYwHK2cwI=; b=AoRJULYkuc4PjJ/gt
	eqI/nj58gkPC+VEMwyxFkh+xGzSNi+6qSpWvdr0vFxottuf2xi4tEroFBM4wi5ic
	3uDMZ4qvv2sAhMYjOs+4EJx3in+qu/UD8OlMJqg3WrF4fY2ZWNuCPhRKao1NUIqj
	lOel3/iryQWuE+BrLKiFl1v18wtfSaxBhm14Y6K0/AA4163IQ5ky/qwyP6VSTMJx
	mbmj5huhfW6unxxON71gXZR8MNCCVuJ/2BGRvLNtUhE49MegzmzDh4mjLCD5IuaY
	nnOWss8/l6qbLFYAgPtHXGws5aoEF3vEmcQCwZXgeDwrC09ay5NZZjrfrhF/LF7M
	TJh2A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-type:date:date:from:from
	:in-reply-to:message-id:mime-version:reply-to:sender:subject
	:subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
	:x-sasl-enc; s=fm2; bh=cDuFlkbIO6IxasSylzzrv89MXoOLdBKeASCYwHK2c
	wI=; b=YQw12PVOfOlA5G88QZ9tLi2pmOPtbWyPwA7yzeJlE6ckGgwMKiFbXN4S2
	ipIaTQeMPCwLyKbNGInxAAK7PnyodI6rYnn6/sO5cXuiDBssCtt9FfMVLsyyptdA
	4SDuQjlvm+cIMVrp6FOGogOQIsgC33qin0Q5/FNj0JAHfKjQ8/x3/KCQ62bbdQR7
	BcRAV3f0BEAmU9rEgTVrvmWOh564gnoSrd0MSIKAiL2MNIrPf5V6lFlNRDWfIzVK
	qnPKqimACcZbRHJYJiWsx8zW5eN6gSCy2OV45f+eVpHtpA5N5mFMpQ7XNeupTGPA
	xkfx/46QxZvTXRRJhBdH4/OcZuIbw==
X-ME-Sender: <xms:hbAsYtgV8c5nzde-gPmpZEMnWF3esgJrQTnKnQM9Ei6Ry-qW-a59Ww>
    <xme:hbAsYiB5XHGJ5mLLpI7cp7yB_rbp5jCXJSAq0qbEj7gBCRReHLOWYWbhhcYNh9Slo
    ZghgUOga20gATGuyRY>
X-ME-Received: <xmr:hbAsYtGqErp1yWCRaxWaVNgQ3021jFvt5mGnizmYexkWzDuufgBdofJtmohqIr64F4NnSG6eAKoGcDHiiGGOe9urIAvdKbcDNwyRYid-6Q>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddruddvgedgieeiucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucenucfjughrpefhvffufffkfgggtgesthdtredttd
    ertdenucfhrhhomhepgghinhgtvghnthcuuegvrhhnrghtuceosggvrhhnrghtsehluhhf
    fhihrdgtgieqnecuggftrfgrthhtvghrnhepjeetveehveegvefhgefgjeffvefgffekgf
    etledtgffggfdvveeihfdvfeefvddtnecuvehluhhsthgvrhfuihiivgeptdenucfrrghr
    rghmpehmrghilhhfrhhomhepsggvrhhnrghtsehluhhffhihrdgtgi
X-ME-Proxy: <xmx:hbAsYiTt-fouGwOKZAyP826ruiX-kaA4YHlo1fAJtM6KZkzTVSaCbg>
    <xmx:hbAsYqwU7Hiwbcpu_xD-UACHRcqBhorAnJ6TnEDaRh6c_eGTGu-tkw>
    <xmx:hbAsYo7xjU4bxcRTr3F2qz-uZNpxYeVVijJUqT2OZgwziwqekDJ0fQ>
    <xmx:hrAsYvuvit1lwlxIIySA2VHFMAIq-XyGnPdxdEcjgsEpFeqDqcPSmw>
Received: by mail.messagingengine.com (Postfix) with ESMTPA for
 <zsh-users@zsh.org>; Sat, 12 Mar 2022 09:39:01 -0500 (EST)
Received: by neo.luffy.cx (Postfix, from userid 500)
	id 09A29958; Sat, 12 Mar 2022 15:39:00 +0100 (CET)
From: Vincent Bernat <bernat@luffy.cx>
To: zsh-users@zsh.org
Subject: CVE-2021-45444 really fixed in 5.8.1?
Date: Sat, 12 Mar 2022 15:39:00 +0100
Message-ID: <m38rtfutff.fsf@luffy.cx>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Seq: 27548
Archived-At: <https://zsh.org/users/27548>
X-Loop: zsh-users@zsh.org
Errors-To: zsh-users-owner@zsh.org
Precedence: list
Precedence: bulk
Sender: zsh-users-request@zsh.org
X-no-archive: yes
List-Id: <zsh-users.zsh.org>
List-Help: <mailto:sympa@zsh.org?subject=help>
List-Subscribe: <mailto:sympa@zsh.org?subject=subscribe%20zsh-users>
List-Unsubscribe: <mailto:sympa@zsh.org?subject=unsubscribe%20zsh-users>
List-Post: <mailto:zsh-users@zsh.org>
List-Owner: <mailto:zsh-users-request@zsh.org>
List-Archive: <http://www.zsh.org/sympa/arc/zsh-users>

Hey!

Is CVE-2021-45444 really fixed in 5.8.1?

neo% zsh --version
zsh 5.8.1 (x86_64-debian-linux-gnu)
neo% mkdir test1
neo% cd test1
neo% git init
Initialized empty Git repository in /home/bernat/tmp/test1/.git/
neo% git checkout -b branch%1branch
Switched to a new branch 'branch%1branch'
neo% autoload -Uz vcs_info
neo% precmd() { vcs_info }
neo% setopt prompt_subst
neo% PS1='${vcs_info_msg_0_}%# '
 (git)-[branchranch]-%

%1 was interpreted while it shouldn't have been?

The provided workaround for older versions work fine.

After applying:

 (git)-[branch%1branch]-%
-- 
Don't stop at one bug.
            - The Elements of Programming Style (Kernighan & Plauger)