From ef3f7c43a91eb2c90098843b0ee9193bb52cdc96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc=20Cornell=C3=A0?= Date: Sun, 13 Feb 2022 18:59:27 +0100 Subject: [PATCH] fix: apply workaround patch for vcs_info (CVE-2021-45444) This lib function applies a patch to the VCS_INFO_formats function in zsh versions from v5.0.3 until v5.8, which don't quote % chars in some arguments received. Normally that just means that some % characters in these strings (branch names, directories, etc.) will be incorrectly parsed as formatting sequences. With CVE-2021-45444, however, this means that one of these strings from a malicious source (e.g. a malicious git repository) can trigger command injection and run arbitrary code in the user's machine when visiting such git repository. Zsh 5.8.1 fixes this vulnerability [1], but older vcs_info setups still need a workaround such as this one to patch the vulnerability. [1] https://github.com/zsh-users/zsh/commit/c3ea1e5d52eff8b7b172fa8c1ccc3462b43b2790 --- lib/vcs_info.zsh | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 lib/vcs_info.zsh diff --git a/lib/vcs_info.zsh b/lib/vcs_info.zsh new file mode 100644 index 000000000..01dcd90b6 --- /dev/null +++ b/lib/vcs_info.zsh @@ -0,0 +1,50 @@ +# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version) +autoload -Uz is-at-least +if is-at-least 5.8.1 || ! is-at-least 5.0.3; then + return +fi + +# Quote necessary $hook_com[] items just before they are used +# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats +# function, where is: +# +# base: the full path of the repository's root directory. +# base-name: the name of the repository's root directory. +# branch: the name of the currently checked out branch. +# misc: a string that may contain anything the vcs_info backend wants. +# revision: an identifier of the currently checked out revision. +# subdir: the path of the current directory relative to the +# repository's root directory. +# +# This patch %-quotes these fields previous to their use in vcs_info hooks and +# the zformat call and, eventually, when they get expanded in the prompt. +# It's important to quote these here, and not later after hooks have modified the +# fields, because then we could be quoting % characters from valid prompt sequences, +# like %F{color}, %B, etc. +# +# 32 │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})" +# 33 │ hook_com[subdir_orig]="${hook_com[subdir]}" +# 34 │ +# 35 + │ for tmp in base base-name branch misc revision subdir; do +# 36 + │ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}" +# 37 + │ done +# 38 + │ +# 39 │ VCS_INFO_hook 'post-backend' +# +# This is especially important so that no command substitution is performed +# due to malicious input as a consequence of CVE-2021-45444, which affects +# zsh versions from 5.0.3 to 5.8. +# +autoload -Uz +X regexp-replace VCS_INFO_formats + +# We use $tmp here because it's already a local variable in VCS_INFO_formats +typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"' +# Unique string to avoid reapplying the patch if this code gets called twice +typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b +# Only patch the VCS_INFO_formats function if not already patched +if [[ "$functions[VCS_INFO_formats]" != *$PATCH_ID* ]]; then + regexp-replace 'functions[VCS_INFO_formats]' \ + "VCS_INFO_hook 'post-backend'" \ + ': ${PATCH_ID}; ${PATCH}; ${MATCH}' +fi +unset PATCH PATCH_ID