1Origin: commit c187154f47697cdbf822c2f9d714d570ed4a0fd1 2From: Oliver Kiddle <opk@zsh.org> 3Date: Wed, 15 Dec 2021 01:56:40 +0100 4Subject: [PATCH 1/9] security/41: Don't perform PROMPT_SUBST evaluation on 5 %F/%K arguments 6 7Mitigates CVE-2021-45444 8 9https://salsa.debian.org/debian/zsh/-/raw/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_1.patch?inline=false 10Upstream-Status: Backport 11CVE: CVE-2021-45444 12Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> 13--- 14 ChangeLog | 5 +++++ 15 Src/prompt.c | 10 ++++++++++ 16 2 files changed, 15 insertions(+) 17 18diff --git a/ChangeLog b/ChangeLog 19index 8d7dfc169..eb248ec06 100644 20--- a/ChangeLog 21+++ b/ChangeLog 22@@ -1,3 +1,8 @@ 23+2022-01-27 dana <dana@dana.is> 24+ 25+ * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive 26+ PROMPT_SUBST 27+ 28 2020-02-14 dana <dana@dana.is> 29 30 * unposted: Config/version.mk: Update for 5.8 31diff --git a/Src/prompt.c b/Src/prompt.c 32index b65bfb86b..91e21c8e9 100644 33--- a/Src/prompt.c 34+++ b/Src/prompt.c 35@@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg) 36 bv->fm += 2; /* skip over F{ */ 37 if ((ep = strchr(bv->fm, '}'))) { 38 char oc = *ep, *col, *coll; 39+ int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG]; 40+ int opp = opts[PROMPTPERCENT]; 41+ 42+ opts[PROMPTPERCENT] = 1; 43+ opts[PROMPTSUBST] = opts[PROMPTBANG] = 0; 44+ 45 *ep = '\0'; 46 /* expand the contents of the argument so you can use 47 * %v for example */ 48@@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg) 49 arg = match_colour((const char **)&coll, is_fg, 0); 50 free(col); 51 bv->fm = ep; 52+ 53+ opts[PROMPTSUBST] = ops; 54+ opts[PROMPTBANG] = opb; 55+ opts[PROMPTPERCENT] = opp; 56 } else { 57 arg = match_colour((const char **)&bv->fm, is_fg, 0); 58 if (*bv->fm != '}') 59-- 602.34.1 61