1. 21 Feb, 2022 2 commits
  2. 13 Feb, 2022 1 commit
    • Marc Cornellà's avatar
      fix: apply workaround patch for vcs_info (CVE-2021-45444) · ef3f7c43
      Marc Cornellà authored
      This lib function applies a patch to the VCS_INFO_formats function
      in zsh versions from v5.0.3 until v5.8, which don't quote % chars
      in some arguments received. Normally that just means that some
      % characters in these strings (branch names, directories, etc.)
      will be incorrectly parsed as formatting sequences.
      
      With CVE-2021-45444, however, this means that one of these strings
      from a malicious source (e.g. a malicious git repository) can
      trigger command injection and run arbitrary code in the user's
      machine when visiting such git repository.
      
      Zsh 5.8.1 fixes this vulnerability [1], but older vcs_info setups
      still need a workaround such as this one to patch the vulnerability.
      
      [1] https://github.com/zsh-users/zsh/commit/c3ea1e5d52eff8b7b172fa8c1ccc3462b43b2790
      ef3f7c43