- update to 5.8.1 (bsc#1196435, CVE-2021-45444):
* CVE-2021-45444: Some prompt expansion sequences, such as %F, support
'arguments' which are themselves expanded in case they contain colour
values, etc. This additional expansion would trigger PROMPT_SUBST
evaluation, if enabled. This could be abused to execute code the user
didn't expect. E.g., given a certain prompt configuration, an attacker
could trick a user into executing arbitrary code by having them check
out a Git branch with a specially crafted name.
This is fixed in the shell itself by no longer performing PROMPT_SUBST
evaluation on these prompt-expansion arguments.
Users who are concerned about an exploit but unable to update their
binaries may apply the partial work-around described in the file
Etc/CVE-2021-45444-VCS_Info-workaround.patch included with the shell
source. [ Reported by RyotaK <security@ryotak.me>. Additional thanks to
Marc Cornellà <hello@mcornella.com>. ]
OBS-URL: https://build.opensuse.org/request/show/963340
OBS-URL: https://build.opensuse.org/package/show/shells/zsh?expand=0&rev=232
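Two defender-side checks for the CVE-2021-45444 entry above, as an added example that is not code from zsh or the openSUSE package: a comparison against the fixed release 5.8.1, and a filter that flags ref names containing `$` or a backquote, the characters that start the expansions PROMPT_SUBST performs. The function names and the sample ref names are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Succeeds if the given upstream zsh version is 5.8.1 or later,
# the release the changelog entry names as containing the fix.
zsh_is_fixed() {
    ver=${1%%[!0-9.]*}                  # drop suffixes such as "-dev"
    major=${ver%%.*}
    rest=${ver#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -ne 5 ]; then [ "$major" -gt 5 ]; return; fi
    if [ "$minor" -ne 8 ]; then [ "$minor" -gt 8 ]; return; fi
    [ "$patch" -ge 1 ]
}

# Reads ref names on stdin and prints those containing '$' or a backquote.
# Parameter expansion, command substitution and arithmetic expansion, which
# PROMPT_SUBST performs on prompts, all begin with one of these characters.
# Returns 0 if nothing was flagged, 1 otherwise.
flag_risky_refs() {
    flagged=0
    while IFS= read -r ref; do
        case $ref in
            *'$'*|*'`'*) printf '%s\n' "$ref"; flagged=1 ;;
        esac
    done
    return "$flagged"
}

# Constructed ref names standing in for a repository's branch list.
sample_refs() {
    cat <<'EOF'
main
feature/login
topic/$(constructed)
hotfix/`constructed`
EOF
}

# Demo on the constructed list; against a real clone, feed it
#   git for-each-ref --format='%(refname:short)'
sample_refs | flag_risky_refs || echo "flagged refs listed above"
zsh_is_fixed 5.8 || echo "zsh 5.8 predates the fix"
```

The version comparison applies to upstream release numbers only; a distribution package can carry the fix as a patch on an older version.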
parsing when an unrecognised option-like parameter is encountered.
* The zsh/files module gained a chmod builtin.
* Several changes have been made to the way completion functions track
'precommands' (such as `command` and `env`) and determine whether the
command being completed for is a shell builtin. Developers of completion
functions may wish to familiarise themselves with `_normal -p` and
`_pick_variant -b`.
* The option CD_SILENT was added to suppress all output from cd (whether
explicit or implicit with AUTO_CD). It is disabled by default.
* The compadd builtin's -o option now takes an optional argument to
specify the order of completion matches. This affects the display
of candidate matches and the order in which they are selected when
cycling between them using menu completion.
* The :h and :t modifiers in parameter expansion (if braces are present),
glob qualifiers and history expansion may take following decimal digit
arguments in order to keep that many leading or trailing path components
instead of the defaults of all but one (:h) and one (:t). In an absolute
path the leading '/' counts as one component.
* The functions builtin gained a -c option to efficiently copy functions.
- See included ChangeLog for the complete list of changes.
OBS-URL: https://build.opensuse.org/package/show/shells/zsh?expand=0&rev=208
- Update to version 5.7
* Support for 24-bit true color terminals has been added.
Hex triplets can be used when specifying colours for prompts
and line editor highlighting. On 88 and 256 colour terminals,
a new zsh/nearcolor module allows colours specified with hex
triplets to be matched against the nearest available colour.
* The zsh/datetime module's strftime builtin now accepts an
argument specifying the nanoseconds time component; both
arguments can be omitted to use the current time.
OBS-URL: https://build.opensuse.org/request/show/668614
OBS-URL: https://build.opensuse.org/package/show/shells/zsh?expand=0&rev=204
- Update to 5.5
* The effect of the NO_INTERACTIVE_COMMENTS option extends into $(...)
and `...` command substitutions when used on the command line.
* Dropped patches, which are included upstream now:
- zsh-CVE-2018-1071.patch
- zsh-CVE-2018-1083.patch
* Fixes a buffer overflow in utils.c:checkmailpath() that can lead to
local arbitrary code execution (CVE-2018-1100 bnc#1089030)
- Added zsh-CVE-2018-1071.patch: Fixed a stack-based buffer overflow
in exec.c:hashcmd() (CVE-2018-1071 bnc#1084656)
- Added zsh-CVE-2018-1083.patch: Fixed a stack-based buffer overflow
in gen_matches_files() at compctl.c (CVE-2018-1083 bnc#1087026)
- Cleaned up spec file with spec-cleaner
OBS-URL: https://build.opensuse.org/request/show/595518
OBS-URL: https://build.opensuse.org/package/show/shells/zsh?expand=0&rev=186
- Updated to 5.4.2
* The 'exec' and 'command' precommand modifiers, and options to
them, are now parsed after parameter expansion.
* Functions executed by ZLE widgets no longer have their standard
input closed, but redirected from /dev/null instead.
* There is an option WARN_NESTED_VAR, a companion to the existing
WARN_CREATE_GLOBAL that causes a warning if a function updates a
variable from an enclosing scope without using typeset -g.
* zmodload now has an option -s to be silent on a failure to find
a module but still print other errors.
- Dropped patch merged upstream:
* fix-patchutils-completion.patch
OBS-URL: https://build.opensuse.org/request/show/580579
OBS-URL: https://build.opensuse.org/package/show/shells/zsh?expand=0&rev=184
* Unicode9 support, this needs support from your terminal to
work correctly.
* The new word modifier ':P' computes the physical path of the
argument.
* The output of "typeset -p" uses "export" commands or the "-g"
option for parameters that are not local to the current scope.
* vi-repeat-change can repeat user-defined widgets if the widget
calls zle -f vichange.
* The parameter $registers now makes the contents of vi register
buffers available to user-defined widgets.
* New vi-up-case and vi-down-case builtin widgets bound to gU/gu
(or U/u in visual mode) for doing case conversion.
* A new select-word-match function provides vim-style text objects
with configurable word boundaries using the existing
match-words-by-style mechanism.
* Support for the conditional expression [[ -v var ]] to test if a
variable is set for compatibility with other shells.
* The print and printf builtins have a new option -v to assign the
output to a variable.
* New x: syntax in completion match specifications makes it possible
to disable match specifications hardcoded in completion functions.
- Re-add custom zshrc and zshenv to unbreak compatibility with old
usage (boo#998858).
OBS-URL: https://build.opensuse.org/package/show/shells/zsh?expand=0&rev=177
* The new module zsh/param/private can be loaded to allow the shell
to define parameters that are private to a function scope (i.e. are
not propagated to nested functions called within this function).
* The GLOB_STAR_SHORT option allows the pattern **/* to be shortened to
just ** if no / follows, so **.c searches recursively for a file whose
name has the suffix ".c".
* The effect of the WARN_CREATE_GLOBAL option has been significantly
extended, so expect it to cause additional warning messages about
parameters created globally within function scope.
OBS-URL: https://build.opensuse.org/package/show/shells/zsh?expand=0&rev=166
* The print builtin has new options -x and -X to expand tabs.
* Several new command completions and numerous updates to others.
* Options to "fc" to segregate internal and shared history.
* All emulations including "sh" use multibyte by default; several
repairs to multibyte handling.
* ZLE supports "bracketed paste" mode to avoid interpreting pasted
newlines as accept-line. Pastes can be highlighted for visibility
and to make it more obvious whether accept-line has occurred.
* Improved (though still not perfect) POSIX compatibility for getopts
builtin when POSIX_BUILTINS is set.
* New setopt APPEND_CREATE for POSIX-compatible NO_CLOBBER behavior.
* Completion of date values now displays in a calendar format when
the complist module is available. Controllable by zstyle.
* New parameter UNDO_LIMIT_NO for more control over ZLE undo repeat.
* Several repairs/improvements to the contributed narrow-to-region
ZLE function.
* Many changes to child-process and signal handling to eliminate race
conditions and avoid deadlocks on descriptor and memory management.
* New builtin sysopen in zsh/system module for detailed control of
file descriptor modes.
- Remove printf-regress.patch, upstream.
OBS-URL: https://build.opensuse.org/package/show/shells/zsh?expand=0&rev=158
separators (";", "&", "|", "&&", "||"), redirection operators, etc.
* There have been various further improvements to builtin handling
with the POSIX_BUILTINS option (off by default) for compatibility with
the POSIX standard.
* 'whence -v' is now more informative, and 'whence -S' shows you
how a full chain of symbolic links resolves to a command.
* The 'p' parameter flag now allows an argument to be specified
as a reference to a variable, e.g. ${(ps.$sep.)foo} to split $foo
on a string given by $sep.
* The option FORCE_FLOAT now forces variables, not just constants,
to floating point in arithmetic expressions.
* The type of an assignment in arithmetic expressions, e.g. the
type seen by the variable res in $(( res = a = b )), is now
more logical and C-like.
* The default binding of 'u' in vi command mode has changed to undo
multiple changes when invoked repeatedly. '^R' is now bound to redo
changes. To revert to toggling of the last edit use:
bindkey -a u vi-undo-change
* Compatibility with Vim has been improved for vi editing mode. Most
notably, Vim style text objects are supported and the region can be
manipulated with vi commands in the same manner as Vim's visual mode.
* Elements of the watch variable may now be patterns.
* The logic for retrying history locking has been improved.
OBS-URL: https://build.opensuse.org/package/show/shells/zsh?expand=0&rev=154