author | kim <kim@pkgsrc.org> | 2022-03-12 06:07:48 +0000 |
---|---|---|
committer | kim <kim@pkgsrc.org> | 2022-03-12 06:07:48 +0000 |
commit | 709e851dab2ef303e5a74ae18441b04ef9c87c33 (patch) | |
tree | 708923c56457df226ba06b58966f7ba2690ba896 /graphics | |
parent | 6ce368a1e76298f4a6d776634e77d5ee73e72388 (diff) | |
download | pkgsrc-709e851dab2ef303e5a74ae18441b04ef9c87c33.tar.gz |
shells/zsh: Update to 5.8.1

Changes between 5.8 and 5.8.1

Incompatibilities

PROMPT_SUBST expansion is no longer performed on arguments to
prompt-expansion sequences such as %F.

Changes

CVE-2021-45444: Some prompt expansion sequences, such as %F,
support 'arguments' which are themselves expanded in case they
contain colour values, etc. This additional expansion would trigger
PROMPT_SUBST evaluation, if enabled. This could be abused to
execute code the user didn't expect. e.g., given a certain prompt
configuration, an attacker could trick a user into executing
arbitrary code by having them check out a Git branch with a
specially crafted name.

This is fixed in the shell itself by no longer performing
PROMPT_SUBST evaluation on these prompt-expansion arguments.

Users who are concerned about an exploit but unable to update their
binaries may apply the partial work-around described in the file
Etc/CVE-2021-45444-VCS_Info-workaround.patch included with the shell
source.

[ Reported by RyotaK. Additional thanks to Marc Cornellà. ]

Diffstat (limited to 'graphics')
0 files changed, 0 insertions, 0 deletions