Accepting request 963340 from home:dirkmueller:Factory

- update to 5.8.1 (bsc#1196435, CVE-2021-45444): * CVE-2021-45444: Some prompt expansion sequences, such as %F, support 'arguments' which are themselves expanded in case they contain colour values, etc. This additional expansion would trigger PROMPT_SUBST evaluation, if enabled. This could be abused to execute code the user didn't expect. e.g., given a certain prompt configuration, an attacker could trick a user into executing arbitrary code by having them check out a Git branch with a specially crafted name. This is fixed in the shell itself by no longer performing PROMPT_SUBST evaluation on these prompt-expansion arguments. Users who are concerned about an exploit but unable to update their binaries may apply the partial work-around described in the file Etc/CVE-2021-45444-VCS_Info-workaround.patch included with the shell source. [ Reported by RyotaK <security@ryotak.me>. Additional thanks to Marc Cornellà <hello@mcornella.com>. ] OBS-URL: https://build.opensuse.org/request/show/963340 OBS-URL: https://build.opensuse.org/package/show/shells/zsh?expand=0&rev=232
2022-03-25 11:28:53 +00:00 · 2022-03-25 11:28:53 +00:00 · df7f4da0f6
commit df7f4da0f6
parent ebf2457ef1
6 changed files with 37 additions and 16 deletions
--- a/zsh-5.8.1.tar.xz
+++ b/zsh-5.8.1.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b6973520bace600b4779200269b1e5d79e5f505ac4952058c11ad5bbf0dd9919
+size 3200540
--- a/zsh-5.8.1.tar.xz.asc
+++ b/zsh-5.8.1.tar.xz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEfKfsqvBiFrkPiUFGrPgUbK6Mu8QFAmIHy2YACgkQrPgUbK6M
+u8RlaAgAxhHK9+kn+yzsS2/eED+VjLjCNcyPqdVdBl+bS4xeN5v2Ga0D36TfYJ4J
+3n6INHTeR8gpocFyY5RRxZcDeGPtsPV4JQlmAJMa43piLP1LZvbgKAVeooWWeIKk
+JMzXXAKWhZQ2+IG+OXlLNaHSLy6YBJ//Kj3lUkI7NHLSjOhce9ER1QwrHyeHmsKV
+RmjeKlu4gwCPtXGgRmRihnIYJNI38db9Hc2vjunasGaM30l+8ymeVBjH395EDXL7
+bfn8Vb0rN6TQY5q+4kVkG9J6m7kfgozcbCuiygsDG7zPdbI6Iwgzx+WmMoKWFfX6
+y5MZIeVwkWUscDcghU8uUhQ2mu3pmw==
+=2cR1
+-----END PGP SIGNATURE-----
--- a/zsh-5.8.tar.xz
+++ b/zsh-5.8.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:dcc4b54cc5565670a65581760261c163d720991f0d06486da61f8d839b52de27
-size 3193284
--- a/zsh-5.8.tar.xz.asc
+++ b/zsh-5.8.tar.xz.asc
@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEfKfsqvBiFrkPiUFGrPgUbK6Mu8QFAl5HHTEACgkQrPgUbK6M
-u8Ttmwf/U1HoG30yYZ4m3yxFZ8QGI0WwnV7/IAQ4rMBWo+31yijLrwnl8+WILVfi
-gRzskwTrVmLjklT4hnv3aSyO1KtQMDImCYw01JbK801JCnCRRRTKVTC69S1TQ9FI
-mp+GB+QemYAdDRZwIlZcuVmhL7MJS0IWZiwqzlvqyKGG4MCrzqPqKO3s/JgMisUG
-KLHZJWoUWidYfmuwkPRKXN+dcnZUF4B/jJbNwLRGhvySzpT6pAwI2SBWak+vUbs/
-UKal6pOHYv1zalMrh5as2/hAo4Rjpsgn0zRGiFsn5Ys9srB6XKhXifUP6d1g3cRj
-lH9B3QGrd1oh7u8IOjU29F8+DeeU+g==
-=+BhZ
-----END PGP SIGNATURE-----
--- a/zsh.changes
+++ b/zsh.changes
@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Sun Mar 20 20:03:32 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 5.8.1 (bsc#1196435, CVE-2021-45444):
+  * CVE-2021-45444: Some prompt expansion sequences, such as %F, support
+    'arguments' which are themselves expanded in case they contain colour
+    values, etc. This additional expansion would trigger PROMPT_SUBST
+    evaluation, if enabled. This could be abused to execute code the user
+    didn't expect. e.g., given a certain prompt configuration, an attacker
+    could trick a user into executing arbitrary code by having them check
+    out a Git branch with a specially crafted name.
+
+    This is fixed in the shell itself by no longer performing PROMPT_SUBST
+    evaluation on these prompt-expansion arguments.
+
+    Users who are concerned about an exploit but unable to update their
+    binaries may apply the partial work-around described in the file
+    Etc/CVE-2021-45444-VCS_Info-workaround.patch included with the shell
+    source. [ Reported by RyotaK <security@ryotak.me>. Additional thanks to
+    Marc Cornellà <hello@mcornella.com>. ] 
+
 -------------------------------------------------------------------
 Fri Oct 16 10:27:34 UTC 2020 - Ludwig Nussel <lnussel@suse.de>

--- a/zsh.spec
+++ b/zsh.spec
@ -1,7 +1,7 @@
 #
 # spec file for package zsh
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -25,7 +25,7 @@ BuildRequires:  texi2html
 BuildRequires:  texinfo
 %endif
 Name:           zsh
-Version:        5.8
+Version:        5.8.1
 Release:        0%{?dist}
 Summary:        Shell with comprehensive completion
 License:        MIT