4 files changed, 282 insertions, 1 deletions
diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch
new file mode 100644
index 0000000000..fb8fa3427f
--- /dev/null
+++ b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch
@@ -0,0 +1,60 @@
+Origin: commit c187154f47697cdbf822c2f9d714d570ed4a0fd1
+From: Oliver Kiddle <opk@zsh.org>
+Date: Wed, 15 Dec 2021 01:56:40 +0100
+Subject: [PATCH 1/9] security/41: Don't perform PROMPT_SUBST evaluation on
+ %F/%K arguments
+Mitigates CVE-2021-45444
+https://salsa.debian.org/debian/zsh/-/raw/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_1.patch?inline=false
+Upstream-Status: Backport
+CVE: CVE-2021-45444
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ ChangeLog    |  5 +++++
+ Src/prompt.c | 10 ++++++++++
+ 2 files changed, 15 insertions(+)
+diff --git a/ChangeLog b/ChangeLog
+index 8d7dfc169..eb248ec06 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,8 @@
+2022-01-27  dana  <dana@dana.is>
+
+       * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive
+       PROMPT_SUBST
+
+ 2020-02-14  dana  <dana@dana.is>
+ 
+        * unposted: Config/version.mk: Update for 5.8
+diff --git a/Src/prompt.c b/Src/prompt.c
+index b65bfb86b..91e21c8e9 100644
+--- a/Src/prompt.c
+++ b/Src/prompt.c
+@@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg)
+        bv->fm += 2; /* skip over F{ */
+        if ((ep = strchr(bv->fm, '}'))) {
+            char oc = *ep, *col, *coll;
+           int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG];
+           int opp = opts[PROMPTPERCENT];
+
+           opts[PROMPTPERCENT] = 1;
+           opts[PROMPTSUBST] = opts[PROMPTBANG] = 0;
+
+            *ep = '\0';
+            /* expand the contents of the argument so you can use
+             * %v for example */
+@@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg)
+            arg = match_colour((const char **)&coll, is_fg, 0);
+            free(col);
+            bv->fm = ep;
+
+           opts[PROMPTSUBST] = ops;
+           opts[PROMPTBANG] = opb;
+           opts[PROMPTPERCENT] = opp;
+        } else {
+            arg = match_colour((const char **)&bv->fm, is_fg, 0);
+            if (*bv->fm != '}')
+-- 
+2.34.1
diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch
new file mode 100644
index 0000000000..e5b6d7cdc9
--- /dev/null
+++ b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch
@@ -0,0 +1,140 @@
+From 8a4d65ef6d0023ab9b238529410afb433553d2fa Mon Sep 17 00:00:00 2001
+From: Marc Cornellà <hello@mcornella.com>
+Date: Mon, 24 Jan 2022 09:43:28 +0100
+Subject: [PATCH 2/9] security/89: Add patch which can optionally be used to
+ work around CVE-2021-45444 in VCS_Info
+Comment: Updated to use the same file name without blanks as actually
+ used in the final 5.8.1 release.
+https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_2.patch
+Upstream-Status: Backport
+CVE: CVE-2021-45444
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ ChangeLog                                    |  5 +
+ Etc/CVE-2021-45444-VCS_Info-workaround.patch | 98 ++++++++++++++++++++
+ 2 files changed, 103 insertions(+)
+ create mode 100644 Etc/CVE-2021-45444-VCS_Info-workaround.patch
+diff --git a/ChangeLog b/ChangeLog
+index eb248ec06..9a05a09e1 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,5 +1,10 @@
+ 2022-01-27  dana  <dana@dana.is>
+ 
+       * Marc Cornellà: security/89:
+       Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which
+       can optionally be used to work around recursive PROMPT_SUBST
+       issue in VCS_Info
+
+        * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive
+        PROMPT_SUBST
+ 
+diff --git a/Etc/CVE-2021-45444-VCS_Info-workaround.patch b/Etc/CVE-2021-45444-VCS_Info-workaround.patch
+new file mode 100644
+index 000000000..13e54be77
+--- /dev/null
+++ b/Etc/CVE-2021-45444-VCS_Info-workaround.patch
+@@ -0,0 +1,98 @@
+From 972887bbe5eb6a00e5f0e73781d6d73bfdcafb93 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc=20Cornell=C3=A0?= <hello@mcornella.com>
+Date: Mon, 24 Jan 2022 09:43:28 +0100
+Subject: [PATCH] security/89: Partially work around CVE-2021-45444 in VCS_Info
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch is a partial, VCS_Info-specific work-around for CVE-2021-45444,
+which is mitigated in the shell itself in 5.8.1 and later versions. It is
+offered for users who are concerned about an exploit but are unable to update
+their binaries to receive the complete fix.
+
+The patch works around the vulnerability by pre-escaping values substituted
+into format strings in VCS_Info. Please note that this may break some user
+configurations that rely on those values being un-escaped (which is why it was
+not included directly in 5.8.1). It may be possible to limit this breakage by
+adjusting exactly which ones are pre-escaped, but of course this may leave
+them vulnerable again.
+
+If applying the patch to the file system is inconvenient or not possible, the
+following script can be used to idempotently patch the relevant function
+running in memory (and thus must be re-run when the shell is restarted):
+
+
+# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version)
+autoload -Uz is-at-least
+if is-at-least 5.8.1 || ! is-at-least 5.0.3; then
+  return
+fi
+
+# Quote necessary $hook_com[<field>] items just before they are used
+# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats
+# function, where <field> is:
+#
+#   base:       the full path of the repository's root directory.
+#   base-name:  the name of the repository's root directory.
+#   branch:     the name of the currently checked out branch.
+#   revision:   an identifier of the currently checked out revision.
+#   subdir:     the path of the current directory relative to the
+#               repository's root directory.
+#   misc:       a string that may contain anything the vcs_info backend wants.
+#
+# This patch %-quotes these fields previous to their use in vcs_info hooks and
+# the zformat call and, eventually, when they get expanded in the prompt.
+# It's important to quote these here, and not later after hooks have modified the
+# fields, because then we could be quoting % characters from valid prompt sequences,
+# like %F{color}, %B, etc.
+#
+#  32   │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
+#  33   │ hook_com[subdir_orig]="${hook_com[subdir]}"
+#  34   │
+#  35 + │ for tmp in base base-name branch misc revision subdir; do
+#  36 + │     hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
+#  37 + │ done
+#  38 + │
+#  39   │ VCS_INFO_hook 'post-backend'
+#
+# This is especially important so that no command substitution is performed
+# due to malicious input as a consequence of CVE-2021-45444, which affects
+# zsh versions from 5.0.3 to 5.8.
+#
+autoload -Uz +X regexp-replace VCS_INFO_formats
+
+# We use $tmp here because it's already a local variable in VCS_INFO_formats
+typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"'
+# Unique string to avoid reapplying the patch if this code gets called twice
+typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b
+# Only patch the VCS_INFO_formats function if not already patched
+if [[ "$functions[VCS_INFO_formats]" != *$PATCH_ID* ]]; then
+  regexp-replace 'functions[VCS_INFO_formats]' \
+    "VCS_INFO_hook 'post-backend'" \
+    ': ${PATCH_ID}; ${PATCH}; ${MATCH}'
+fi
+unset PATCH PATCH_ID
+
+
+---
+ Functions/VCS_Info/VCS_INFO_formats | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/Functions/VCS_Info/VCS_INFO_formats b/Functions/VCS_Info/VCS_INFO_formats
+index e0e1dc738..4d88e28b6 100644
+--- a/Functions/VCS_Info/VCS_INFO_formats
++++ b/Functions/VCS_Info/VCS_INFO_formats
+@@ -32,6 +32,10 @@ hook_com[base-name_orig]="${hook_com[base_name]}"
+ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
+ hook_com[subdir_orig]="${hook_com[subdir]}"
+ 
++for tmp in base base-name branch misc revision subdir; do
++    hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
++done
++
+ VCS_INFO_hook 'post-backend'
+ 
+ ## description (for backend authors):
+-- 
+2.34.1
+-- 
+2.34.1
diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch
new file mode 100644
index 0000000000..adfc00ae57
--- /dev/null
+++ b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch
@@ -0,0 +1,77 @@
+From 4abf2fc193fc2f3e680deecbf81289a7b02e245b Mon Sep 17 00:00:00 2001
+From: dana <dana@dana.is>
+Date: Tue, 21 Dec 2021 13:13:33 -0600
+Subject: [PATCH 3/9] CVE-2021-45444: Update NEWS/README
+https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_3.patch
+Upstream-Status: Backport
+CVE: CVE-2021-45444
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ ChangeLog |  2 ++
+ NEWS      | 20 ++++++++++++++++++++
+ README    |  6 ++++++
+ 3 files changed, 28 insertions(+)
+diff --git a/ChangeLog b/ChangeLog
+index 9a05a09e1..93b0bc337 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,5 +1,7 @@
+ 2022-01-27  dana  <dana@dana.is>
+ 
+       * CVE-2021-45444: NEWS, README: Document preceding two changes
+
+        * Marc Cornellà: security/89:
+        Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which
+        can optionally be used to work around recursive PROMPT_SUBST
+diff --git a/NEWS b/NEWS
+index 964e1633f..d34b3f79e 100644
+--- a/NEWS
+++ b/NEWS
+@@ -4,6 +4,26 @@ CHANGES FROM PREVIOUS VERSIONS OF ZSH
+ 
+ Note also the list of incompatibilities in the README file.
+ 
+Changes since 5.8
+-----------------
+
+CVE-2021-45444: Some prompt expansion sequences, such as %F, support
+'arguments' which are themselves expanded in case they contain colour
+values, etc. This additional expansion would trigger PROMPT_SUBST
+evaluation, if enabled. This could be abused to execute code the user
+didn't expect. e.g., given a certain prompt configuration, an attacker
+could trick a user into executing arbitrary code by having them check
+out a Git branch with a specially crafted name.
+
+This is fixed in the shell itself by no longer performing PROMPT_SUBST
+evaluation on these prompt-expansion arguments.
+
+Users who are concerned about an exploit but unable to update their
+binaries may apply the partial work-around described in the file
+'Etc/CVE-2021-45444 VCS_Info workaround.patch' included with the shell
+source. [ Reported by RyotaK <security@ryotak.me>. Additional thanks to
+Marc Cornellà <hello@mcornella.com>. ]
+
+ Changes since 5.7.1-test-3
+ --------------------------
+ 
+diff --git a/README b/README
+index 7f1dd5f92..c9e994ab3 100644
+--- a/README
+++ b/README
+@@ -31,6 +31,12 @@ Zsh is a shell with lots of features.  For a list of some of these, see the
+ file FEATURES, and for the latest changes see NEWS.  For more
+ details, see the documentation.
+ 
+Incompatibilities since 5.8
+---------------------------
+
+PROMPT_SUBST expansion is no longer performed on arguments to prompt-
+expansion sequences such as %F.
+
+ Incompatibilities since 5.7.1
+ -----------------------------
+ 
+-- 
+2.34.1
diff --git a/meta-oe/recipes-shells/zsh/zsh_5.8.bb b/meta-oe/recipes-shells/zsh/zsh_5.8.bb
index 0429cb9cc7..b023e8d297 100644
--- a/meta-oe/recipes-shells/zsh/zsh_5.8.bb
+++ b/meta-oe/recipes-shells/zsh/zsh_5.8.bb
@@ -10,7 +10,11 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=1a4c4cda3e8096d2fd483ff2f4514fec"
 DEPENDS = "ncurses bison-native libcap libpcre gdbm groff-native"
-SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/5.8/${BP}.tar.xz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/5.8/${BP}.tar.xz \
+        file://CVE-2021-45444_1.patch \
+        file://CVE-2021-45444_2.patch \
+        file://CVE-2021-45444_3.patch \
+        "
 SRC_URI[sha256sum] = "dcc4b54cc5565670a65581760261c163d720991f0d06486da61f8d839b52de27"
 inherit autotools-brokensep gettext update-alternatives manpages

diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch new file mode 100644 index 0000000000..fb8fa3427f --- /dev/null +++ b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch
@@ -0,0 +1,60 @@
		1	Origin: commit c187154f47697cdbf822c2f9d714d570ed4a0fd1
		2	From: Oliver Kiddle <opk@zsh.org>
		3	Date: Wed, 15 Dec 2021 01:56:40 +0100
		4	Subject: [PATCH 1/9] security/41: Don't perform PROMPT_SUBST evaluation on
		5	%F/%K arguments
		6
		7	Mitigates CVE-2021-45444
		8
		9	https://salsa.debian.org/debian/zsh/-/raw/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_1.patch?inline=false
		10	Upstream-Status: Backport
		11	CVE: CVE-2021-45444
		12	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		13	---
		14	ChangeLog \| 5 +++++
		15	Src/prompt.c \| 10 ++++++++++
		16	2 files changed, 15 insertions(+)
		17
		18	diff --git a/ChangeLog b/ChangeLog
		19	index 8d7dfc169..eb248ec06 100644
		20	--- a/ChangeLog
		21	+++ b/ChangeLog
		22	@@ -1,3 +1,8 @@
		23	+2022-01-27 dana <dana@dana.is>
		24	+
		25	+ * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive
		26	+ PROMPT_SUBST
		27	+
		28	2020-02-14 dana <dana@dana.is>
		29
		30	* unposted: Config/version.mk: Update for 5.8
		31	diff --git a/Src/prompt.c b/Src/prompt.c
		32	index b65bfb86b..91e21c8e9 100644
		33	--- a/Src/prompt.c
		34	+++ b/Src/prompt.c
		35	@@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg)
		36	bv->fm += 2; /* skip over F{ */
		37	if ((ep = strchr(bv->fm, '}'))) {
		38	char oc = ep, col, *coll;
		39	+ int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG];
		40	+ int opp = opts[PROMPTPERCENT];
		41	+
		42	+ opts[PROMPTPERCENT] = 1;
		43	+ opts[PROMPTSUBST] = opts[PROMPTBANG] = 0;
		44	+
		45	*ep = '\0';
		46	/* expand the contents of the argument so you can use
		47	* %v for example */
		48	@@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg)
		49	arg = match_colour((const char **)&coll, is_fg, 0);
		50	free(col);
		51	bv->fm = ep;
		52	+
		53	+ opts[PROMPTSUBST] = ops;
		54	+ opts[PROMPTBANG] = opb;
		55	+ opts[PROMPTPERCENT] = opp;
		56	} else {
		57	arg = match_colour((const char **)&bv->fm, is_fg, 0);
		58	if (*bv->fm != '}')
		59	--
		60	2.34.1


diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch new file mode 100644 index 0000000000..e5b6d7cdc9 --- /dev/null +++ b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch
@@ -0,0 +1,140 @@
		1	From 8a4d65ef6d0023ab9b238529410afb433553d2fa Mon Sep 17 00:00:00 2001
		2	From: Marc Cornellà <hello@mcornella.com>
		3	Date: Mon, 24 Jan 2022 09:43:28 +0100
		4	Subject: [PATCH 2/9] security/89: Add patch which can optionally be used to
		5	work around CVE-2021-45444 in VCS_Info
		6	Comment: Updated to use the same file name without blanks as actually
		7	used in the final 5.8.1 release.
		8
		9
		10	https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_2.patch
		11	Upstream-Status: Backport
		12	CVE: CVE-2021-45444
		13	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		14	---
		15	ChangeLog \| 5 +
		16	Etc/CVE-2021-45444-VCS_Info-workaround.patch \| 98 ++++++++++++++++++++
		17	2 files changed, 103 insertions(+)
		18	create mode 100644 Etc/CVE-2021-45444-VCS_Info-workaround.patch
		19
		20	diff --git a/ChangeLog b/ChangeLog
		21	index eb248ec06..9a05a09e1 100644
		22	--- a/ChangeLog
		23	+++ b/ChangeLog
		24	@@ -1,5 +1,10 @@
		25	2022-01-27 dana <dana@dana.is>
		26
		27	+ * Marc Cornellà: security/89:
		28	+ Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which
		29	+ can optionally be used to work around recursive PROMPT_SUBST
		30	+ issue in VCS_Info
		31	+
		32	* Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive
		33	PROMPT_SUBST
		34
		35	diff --git a/Etc/CVE-2021-45444-VCS_Info-workaround.patch b/Etc/CVE-2021-45444-VCS_Info-workaround.patch
		36	new file mode 100644
		37	index 000000000..13e54be77
		38	--- /dev/null
		39	+++ b/Etc/CVE-2021-45444-VCS_Info-workaround.patch
		40	@@ -0,0 +1,98 @@
		41	+From 972887bbe5eb6a00e5f0e73781d6d73bfdcafb93 Mon Sep 17 00:00:00 2001
		42	+From: =?UTF-8?q?Marc=20Cornell=C3=A0?= <hello@mcornella.com>
		43	+Date: Mon, 24 Jan 2022 09:43:28 +0100
		44	+Subject: [PATCH] security/89: Partially work around CVE-2021-45444 in VCS_Info
		45	+MIME-Version: 1.0
		46	+Content-Type: text/plain; charset=UTF-8
		47	+Content-Transfer-Encoding: 8bit
		48	+
		49	+This patch is a partial, VCS_Info-specific work-around for CVE-2021-45444,
		50	+which is mitigated in the shell itself in 5.8.1 and later versions. It is
		51	+offered for users who are concerned about an exploit but are unable to update
		52	+their binaries to receive the complete fix.
		53	+
		54	+The patch works around the vulnerability by pre-escaping values substituted
		55	+into format strings in VCS_Info. Please note that this may break some user
		56	+configurations that rely on those values being un-escaped (which is why it was
		57	+not included directly in 5.8.1). It may be possible to limit this breakage by
		58	+adjusting exactly which ones are pre-escaped, but of course this may leave
		59	+them vulnerable again.
		60	+
		61	+If applying the patch to the file system is inconvenient or not possible, the
		62	+following script can be used to idempotently patch the relevant function
		63	+running in memory (and thus must be re-run when the shell is restarted):
		64	+
		65	+
		66	+# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version)
		67	+autoload -Uz is-at-least
		68	+if is-at-least 5.8.1 \|\| ! is-at-least 5.0.3; then
		69	+ return
		70	+fi
		71	+
		72	+# Quote necessary $hook_com[<field>] items just before they are used
		73	+# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats
		74	+# function, where <field> is:
		75	+#
		76	+# base: the full path of the repository's root directory.
		77	+# base-name: the name of the repository's root directory.
		78	+# branch: the name of the currently checked out branch.
		79	+# revision: an identifier of the currently checked out revision.
		80	+# subdir: the path of the current directory relative to the
		81	+# repository's root directory.
		82	+# misc: a string that may contain anything the vcs_info backend wants.
		83	+#
		84	+# This patch %-quotes these fields previous to their use in vcs_info hooks and
		85	+# the zformat call and, eventually, when they get expanded in the prompt.
		86	+# It's important to quote these here, and not later after hooks have modified the
		87	+# fields, because then we could be quoting % characters from valid prompt sequences,
		88	+# like %F{color}, %B, etc.
		89	+#
		90	+# 32 │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
		91	+# 33 │ hook_com[subdir_orig]="${hook_com[subdir]}"
		92	+# 34 │
		93	+# 35 + │ for tmp in base base-name branch misc revision subdir; do
		94	+# 36 + │ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
		95	+# 37 + │ done
		96	+# 38 + │
		97	+# 39 │ VCS_INFO_hook 'post-backend'
		98	+#
		99	+# This is especially important so that no command substitution is performed
		100	+# due to malicious input as a consequence of CVE-2021-45444, which affects
		101	+# zsh versions from 5.0.3 to 5.8.
		102	+#
		103	+autoload -Uz +X regexp-replace VCS_INFO_formats
		104	+
		105	+# We use $tmp here because it's already a local variable in VCS_INFO_formats
		106	+typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"'
		107	+# Unique string to avoid reapplying the patch if this code gets called twice
		108	+typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b
		109	+# Only patch the VCS_INFO_formats function if not already patched
		110	+if [[ "$functions[VCS_INFO_formats]" != $PATCH_ID ]]; then
		111	+ regexp-replace 'functions[VCS_INFO_formats]' \
		112	+ "VCS_INFO_hook 'post-backend'" \
		113	+ ': ${PATCH_ID}; ${PATCH}; ${MATCH}'
		114	+fi
		115	+unset PATCH PATCH_ID
		116	+
		117	+
		118	+---
		119	+ Functions/VCS_Info/VCS_INFO_formats \| 4 ++++
		120	+ 1 file changed, 4 insertions(+)
		121	+
		122	+diff --git a/Functions/VCS_Info/VCS_INFO_formats b/Functions/VCS_Info/VCS_INFO_formats
		123	+index e0e1dc738..4d88e28b6 100644
		124	+--- a/Functions/VCS_Info/VCS_INFO_formats
		125	++++ b/Functions/VCS_Info/VCS_INFO_formats
		126	+@@ -32,6 +32,10 @@ hook_com[base-name_orig]="${hook_com[base_name]}"
		127	+ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
		128	+ hook_com[subdir_orig]="${hook_com[subdir]}"
		129	+
		130	++for tmp in base base-name branch misc revision subdir; do
		131	++ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
		132	++done
		133	++
		134	+ VCS_INFO_hook 'post-backend'
		135	+
		136	+ ## description (for backend authors):
		137	+--
		138	+2.34.1
		139	--
		140	2.34.1


diff --git a/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch new file mode 100644 index 0000000000..adfc00ae57 --- /dev/null +++ b/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch
@@ -0,0 +1,77 @@
		1	From 4abf2fc193fc2f3e680deecbf81289a7b02e245b Mon Sep 17 00:00:00 2001
		2	From: dana <dana@dana.is>
		3	Date: Tue, 21 Dec 2021 13:13:33 -0600
		4	Subject: [PATCH 3/9] CVE-2021-45444: Update NEWS/README
		5
		6	https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_3.patch
		7	Upstream-Status: Backport
		8	CVE: CVE-2021-45444
		9	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		10	---
		11	ChangeLog \| 2 ++
		12	NEWS \| 20 ++++++++++++++++++++
		13	README \| 6 ++++++
		14	3 files changed, 28 insertions(+)
		15
		16	diff --git a/ChangeLog b/ChangeLog
		17	index 9a05a09e1..93b0bc337 100644
		18	--- a/ChangeLog
		19	+++ b/ChangeLog
		20	@@ -1,5 +1,7 @@
		21	2022-01-27 dana <dana@dana.is>
		22
		23	+ * CVE-2021-45444: NEWS, README: Document preceding two changes
		24	+
		25	* Marc Cornellà: security/89:
		26	Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which
		27	can optionally be used to work around recursive PROMPT_SUBST
		28	diff --git a/NEWS b/NEWS
		29	index 964e1633f..d34b3f79e 100644
		30	--- a/NEWS
		31	+++ b/NEWS
		32	@@ -4,6 +4,26 @@ CHANGES FROM PREVIOUS VERSIONS OF ZSH
		33
		34	Note also the list of incompatibilities in the README file.
		35
		36	+Changes since 5.8
		37	+-----------------
		38	+
		39	+CVE-2021-45444: Some prompt expansion sequences, such as %F, support
		40	+'arguments' which are themselves expanded in case they contain colour
		41	+values, etc. This additional expansion would trigger PROMPT_SUBST
		42	+evaluation, if enabled. This could be abused to execute code the user
		43	+didn't expect. e.g., given a certain prompt configuration, an attacker
		44	+could trick a user into executing arbitrary code by having them check
		45	+out a Git branch with a specially crafted name.
		46	+
		47	+This is fixed in the shell itself by no longer performing PROMPT_SUBST
		48	+evaluation on these prompt-expansion arguments.
		49	+
		50	+Users who are concerned about an exploit but unable to update their
		51	+binaries may apply the partial work-around described in the file
		52	+'Etc/CVE-2021-45444 VCS_Info workaround.patch' included with the shell
		53	+source. [ Reported by RyotaK <security@ryotak.me>. Additional thanks to
		54	+Marc Cornellà <hello@mcornella.com>. ]
		55	+
		56	Changes since 5.7.1-test-3
		57	--------------------------
		58
		59	diff --git a/README b/README
		60	index 7f1dd5f92..c9e994ab3 100644
		61	--- a/README
		62	+++ b/README
		63	@@ -31,6 +31,12 @@ Zsh is a shell with lots of features. For a list of some of these, see the
		64	file FEATURES, and for the latest changes see NEWS. For more
		65	details, see the documentation.
		66
		67	+Incompatibilities since 5.8
		68	+---------------------------
		69	+
		70	+PROMPT_SUBST expansion is no longer performed on arguments to prompt-
		71	+expansion sequences such as %F.
		72	+
		73	Incompatibilities since 5.7.1
		74	-----------------------------
		75
		76	--
		77	2.34.1


diff --git a/meta-oe/recipes-shells/zsh/zsh_5.8.bb b/meta-oe/recipes-shells/zsh/zsh_5.8.bb index 0429cb9cc7..b023e8d297 100644 --- a/meta-oe/recipes-shells/zsh/zsh_5.8.bb +++ b/meta-oe/recipes-shells/zsh/zsh_5.8.bb
@@ -10,7 +10,11 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=1a4c4cda3e8096d2fd483ff2f4514fec"
10		10
11	DEPENDS = "ncurses bison-native libcap libpcre gdbm groff-native"	11	DEPENDS = "ncurses bison-native libcap libpcre gdbm groff-native"
12		12
13	SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/5.8/${BP}.tar.xz"	13	SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/5.8/${BP}.tar.xz \
		14	file://CVE-2021-45444_1.patch \
		15	file://CVE-2021-45444_2.patch \
		16	file://CVE-2021-45444_3.patch \
		17	"
14	SRC_URI[sha256sum] = "dcc4b54cc5565670a65581760261c163d720991f0d06486da61f8d839b52de27"	18	SRC_URI[sha256sum] = "dcc4b54cc5565670a65581760261c163d720991f0d06486da61f8d839b52de27"
15		19
16	inherit autotools-brokensep gettext update-alternatives manpages	20	inherit autotools-brokensep gettext update-alternatives manpages