* [Buildroot] [PATCH] package/zsh: security bump to version 5.8.1
@ 2022-02-18 13:30 Peter Korsgaard
2022-02-20 19:22 ` Peter Korsgaard
0 siblings, 1 reply; 3+ messages in thread
From: Peter Korsgaard @ 2022-02-18 13:30 UTC (permalink / raw)
To: buildroot; +Cc: Phil Eichinger
Fixes the following security issue:
- CVE-2021-45444: In zsh before 5.8.1, an attacker can achieve code
execution if they control a command output inside the prompt, as
demonstrated by a %F argument. This occurs because of recursive
PROMPT_SUBST expansion.
The 5.8.1 release is not listed in MD5SUM, so drop the md5 hash.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/zsh/zsh.hash | 6 +-----
package/zsh/zsh.mk | 2 +-
2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/package/zsh/zsh.hash b/package/zsh/zsh.hash
index 2df409c946..5c661ded25 100644
--- a/package/zsh/zsh.hash
+++ b/package/zsh/zsh.hash
@@ -1,7 +1,3 @@
-# From http://www.zsh.org/pub/MD5SUM
-md5 e02a5428620b3dd268800c7843b3dd4d zsh-5.8.tar.xz
-# Calculated based on the hash above and after checking signature
-# http://www.zsh.org/pub/zsh-5.8.tar.xz.asc
-sha256 dcc4b54cc5565670a65581760261c163d720991f0d06486da61f8d839b52de27 zsh-5.8.tar.xz
# Locally calculated
+sha256 b6973520bace600b4779200269b1e5d79e5f505ac4952058c11ad5bbf0dd9919 zsh-5.8.1.tar.xz
sha256 d06fdf3ef9b1ec69d6b9e170b0a9516fbad3523261ff1668bde3bfea6e0ef5f5 LICENCE
diff --git a/package/zsh/zsh.mk b/package/zsh/zsh.mk
index 1a04833211..c5ab7c2fae 100644
--- a/package/zsh/zsh.mk
+++ b/package/zsh/zsh.mk
@@ -4,7 +4,7 @@
#
################################################################################
-ZSH_VERSION = 5.8
+ZSH_VERSION = 5.8.1
ZSH_SITE = http://www.zsh.org/pub
ZSH_SOURCE = zsh-$(ZSH_VERSION).tar.xz
ZSH_DEPENDENCIES = ncurses
--
2.20.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/zsh: security bump to version 5.8.1
2022-02-18 13:30 [Buildroot] [PATCH] package/zsh: security bump to version 5.8.1 Peter Korsgaard
@ 2022-02-20 19:22 ` Peter Korsgaard
2022-03-10 21:47 ` Peter Korsgaard
0 siblings, 1 reply; 3+ messages in thread
From: Peter Korsgaard @ 2022-02-20 19:22 UTC (permalink / raw)
To: buildroot; +Cc: Phil Eichinger
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issue:
> - CVE-2021-45444: In zsh before 5.8.1, an attacker can achieve code
> execution if they control a command output inside the prompt, as
> demonstrated by a %F argument. This occurs because of recursive
> PROMPT_SUBST expansion.
> The 5.8.1 release is not listed in MD5SUM, so drop the md5 hash.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/zsh: security bump to version 5.8.1
2022-02-20 19:22 ` Peter Korsgaard
@ 2022-03-10 21:47 ` Peter Korsgaard
0 siblings, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-03-10 21:47 UTC (permalink / raw)
To: buildroot; +Cc: Phil Eichinger
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
>> Fixes the following security issue:
>> - CVE-2021-45444: In zsh before 5.8.1, an attacker can achieve code
>> execution if they control a command output inside the prompt, as
>> demonstrated by a %F argument. This occurs because of recursive
>> PROMPT_SUBST expansion.
>> The 5.8.1 release is not listed in MD5SUM, so drop the md5 hash.
>> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2021.02.x and 2021.11.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-03-10 21:47 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-18 13:30 [Buildroot] [PATCH] package/zsh: security bump to version 5.8.1 Peter Korsgaard
2022-02-20 19:22 ` Peter Korsgaard
2022-03-10 21:47 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.