| Message ID | 20220218133057.2426-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | package/zsh: security bump to version 5.8.1 | expand |
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > Fixes the following security issue: > - CVE-2021-45444: In zsh before 5.8.1, an attacker can achieve code > execution if they control a command output inside the prompt, as > demonstrated by a %F argument. This occurs because of recursive > PROMPT_SUBST expansion. > The 5.8.1 release is not listed in MD5SUM, so drop the md5 hash. > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed, thanks.
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: >>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: >> Fixes the following security issue: >> - CVE-2021-45444: In zsh before 5.8.1, an attacker can achieve code >> execution if they control a command output inside the prompt, as >> demonstrated by a %F argument. This occurs because of recursive >> PROMPT_SUBST expansion. >> The 5.8.1 release is not listed in MD5SUM, so drop the md5 hash. >> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed to 2021.02.x and 2021.11.x, thanks.
diff --git a/package/zsh/zsh.hash b/package/zsh/zsh.hash index 2df409c946..5c661ded25 100644 --- a/package/zsh/zsh.hash +++ b/package/zsh/zsh.hash @@ -1,7 +1,3 @@ -# From http://www.zsh.org/pub/MD5SUM -md5 e02a5428620b3dd268800c7843b3dd4d zsh-5.8.tar.xz -# Calculated based on the hash above and after checking signature -# http://www.zsh.org/pub/zsh-5.8.tar.xz.asc -sha256 dcc4b54cc5565670a65581760261c163d720991f0d06486da61f8d839b52de27 zsh-5.8.tar.xz # Locally calculated +sha256 b6973520bace600b4779200269b1e5d79e5f505ac4952058c11ad5bbf0dd9919 zsh-5.8.1.tar.xz sha256 d06fdf3ef9b1ec69d6b9e170b0a9516fbad3523261ff1668bde3bfea6e0ef5f5 LICENCE diff --git a/package/zsh/zsh.mk b/package/zsh/zsh.mk index 1a04833211..c5ab7c2fae 100644 --- a/package/zsh/zsh.mk +++ b/package/zsh/zsh.mk @@ -4,7 +4,7 @@ # ################################################################################ -ZSH_VERSION = 5.8 +ZSH_VERSION = 5.8.1 ZSH_SITE = http://www.zsh.org/pub ZSH_SOURCE = zsh-$(ZSH_VERSION).tar.xz ZSH_DEPENDENCIES = ncurses
Fixes the following security issue: - CVE-2021-45444: In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion. The 5.8.1 release is not listed in MD5SUM, so drop the md5 hash. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/zsh/zsh.hash | 6 +----- package/zsh/zsh.mk | 2 +- 2 files changed, 2 insertions(+), 6 deletions(-)