From df7f4da0f663ccb2a9362e30415ff151e60338e74d6fc63563dab62f21fca339 Mon Sep 17 00:00:00 2001
From: Paolo Perego <paolo.perego@suse.com>
Date: Fri, 25 Mar 2022 11:28:53 +0000
Subject: [PATCH] Accepting request 963340 from home:dirkmueller:Factory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- update to 5.8.1 (bsc#1196435, CVE-2021-45444):
  * CVE-2021-45444: Some prompt expansion sequences, such as %F, support
    'arguments' which are themselves expanded in case they contain colour
    values, etc. This additional expansion would trigger PROMPT_SUBST
    evaluation, if enabled. This could be abused to execute code the user
    didn't expect. e.g., given a certain prompt configuration, an attacker
    could trick a user into executing arbitrary code by having them check
    out a Git branch with a specially crafted name.
    This is fixed in the shell itself by no longer performing PROMPT_SUBST
    evaluation on these prompt-expansion arguments.
    Users who are concerned about an exploit but unable to update their
    binaries may apply the partial work-around described in the file
    Etc/CVE-2021-45444-VCS_Info-workaround.patch included with the shell
    source. [ Reported by RyotaK <security@ryotak.me>. Additional thanks to
    Marc Cornellà <hello@mcornella.com>. ]

OBS-URL: https://build.opensuse.org/request/show/963340
OBS-URL: https://build.opensuse.org/package/show/shells/zsh?expand=0&rev=232
---
 zsh-5.8.1.tar.xz     |  3 +++
 zsh-5.8.1.tar.xz.asc | 11 +++++++++++
 zsh-5.8.tar.xz       |  3 ---
 zsh-5.8.tar.xz.asc   | 11 -----------
 zsh.changes          | 21 +++++++++++++++++++++
 zsh.spec             |  4 ++--
 6 files changed, 37 insertions(+), 16 deletions(-)
 create mode 100644 zsh-5.8.1.tar.xz
 create mode 100644 zsh-5.8.1.tar.xz.asc
 delete mode 100644 zsh-5.8.tar.xz
 delete mode 100644 zsh-5.8.tar.xz.asc

diff --git a/zsh-5.8.1.tar.xz b/zsh-5.8.1.tar.xz
new file mode 100644
index 0000000..6d6b4a9
--- /dev/null
+++ b/zsh-5.8.1.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b6973520bace600b4779200269b1e5d79e5f505ac4952058c11ad5bbf0dd9919
+size 3200540
diff --git a/zsh-5.8.1.tar.xz.asc b/zsh-5.8.1.tar.xz.asc
new file mode 100644
index 0000000..8597690
--- /dev/null
+++ b/zsh-5.8.1.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEfKfsqvBiFrkPiUFGrPgUbK6Mu8QFAmIHy2YACgkQrPgUbK6M
+u8RlaAgAxhHK9+kn+yzsS2/eED+VjLjCNcyPqdVdBl+bS4xeN5v2Ga0D36TfYJ4J
+3n6INHTeR8gpocFyY5RRxZcDeGPtsPV4JQlmAJMa43piLP1LZvbgKAVeooWWeIKk
+JMzXXAKWhZQ2+IG+OXlLNaHSLy6YBJ//Kj3lUkI7NHLSjOhce9ER1QwrHyeHmsKV
+RmjeKlu4gwCPtXGgRmRihnIYJNI38db9Hc2vjunasGaM30l+8ymeVBjH395EDXL7
+bfn8Vb0rN6TQY5q+4kVkG9J6m7kfgozcbCuiygsDG7zPdbI6Iwgzx+WmMoKWFfX6
+y5MZIeVwkWUscDcghU8uUhQ2mu3pmw==
+=2cR1
+-----END PGP SIGNATURE-----
diff --git a/zsh-5.8.tar.xz b/zsh-5.8.tar.xz
deleted file mode 100644
index 77b0e94..0000000
--- a/zsh-5.8.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:dcc4b54cc5565670a65581760261c163d720991f0d06486da61f8d839b52de27
-size 3193284
diff --git a/zsh-5.8.tar.xz.asc b/zsh-5.8.tar.xz.asc
deleted file mode 100644
index 0b84023..0000000
--- a/zsh-5.8.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEfKfsqvBiFrkPiUFGrPgUbK6Mu8QFAl5HHTEACgkQrPgUbK6M
-u8Ttmwf/U1HoG30yYZ4m3yxFZ8QGI0WwnV7/IAQ4rMBWo+31yijLrwnl8+WILVfi
-gRzskwTrVmLjklT4hnv3aSyO1KtQMDImCYw01JbK801JCnCRRRTKVTC69S1TQ9FI
-mp+GB+QemYAdDRZwIlZcuVmhL7MJS0IWZiwqzlvqyKGG4MCrzqPqKO3s/JgMisUG
-KLHZJWoUWidYfmuwkPRKXN+dcnZUF4B/jJbNwLRGhvySzpT6pAwI2SBWak+vUbs/
-UKal6pOHYv1zalMrh5as2/hAo4Rjpsgn0zRGiFsn5Ys9srB6XKhXifUP6d1g3cRj
-lH9B3QGrd1oh7u8IOjU29F8+DeeU+g==
-=+BhZ
------END PGP SIGNATURE-----
diff --git a/zsh.changes b/zsh.changes
index 97e0324..47810e7 100644
--- a/zsh.changes
+++ b/zsh.changes
@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Sun Mar 20 20:03:32 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 5.8.1 (bsc#1196435, CVE-2021-45444):
+  * CVE-2021-45444: Some prompt expansion sequences, such as %F, support
+    'arguments' which are themselves expanded in case they contain colour
+    values, etc. This additional expansion would trigger PROMPT_SUBST
+    evaluation, if enabled. This could be abused to execute code the user
+    didn't expect. e.g., given a certain prompt configuration, an attacker
+    could trick a user into executing arbitrary code by having them check
+    out a Git branch with a specially crafted name.
+
+    This is fixed in the shell itself by no longer performing PROMPT_SUBST
+    evaluation on these prompt-expansion arguments.
+
+    Users who are concerned about an exploit but unable to update their
+    binaries may apply the partial work-around described in the file
+    Etc/CVE-2021-45444-VCS_Info-workaround.patch included with the shell
+    source. [ Reported by RyotaK <security@ryotak.me>. Additional thanks to
+    Marc Cornellà <hello@mcornella.com>. ] 
+
 -------------------------------------------------------------------
 Fri Oct 16 10:27:34 UTC 2020 - Ludwig Nussel <lnussel@suse.de>
 
diff --git a/zsh.spec b/zsh.spec
index 532cb94..63c1d37 100644
--- a/zsh.spec
+++ b/zsh.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package zsh
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,7 +25,7 @@ BuildRequires:  texi2html
 BuildRequires:  texinfo
 %endif
 Name:           zsh
-Version:        5.8
+Version:        5.8.1
 Release:        0%{?dist}
 Summary:        Shell with comprehensive completion
 License:        MIT