| author | Marc Cornellà <hello@mcornella.com> | 2022-02-13 18:59:27 +0100 |
|---|---|---|
| committer | Marc Cornellà <hello@mcornella.com> | 2022-02-13 19:07:12 +0100 |
| commit | ef3f7c43a91eb2c90098843b0ee9193bb52cdc96 | |
| tree | 1e0aa574ad1ff4b4840d58d110284a2424d18d8b /plugins/capistrano | |
| parent | 02b52a03a5a78362c57d75c507240f69d4260d9a | |
fix: apply workaround patch for vcs_info (CVE-2021-45444)

This lib function applies a patch to the VCS_INFO_formats function
in zsh versions from v5.0.3 until v5.8, which don't quote % chars
in some arguments received. Normally that just means that some
% characters in these strings (branch names, directories, etc.)
will be incorrectly parsed as formatting sequences.

With CVE-2021-45444, however, this means that one of these strings
from a malicious source (e.g. a malicious git repository) can
trigger command injection and run arbitrary code on the user's
machine when visiting such a git repository.

Zsh 5.8.1 fixes this vulnerability [1], but older vcs_info setups
still need a workaround such as this one to patch the vulnerability.

[1] https://github.com/zsh-users/zsh/commit/c3ea1e5d52eff8b7b172fa8c1ccc3462b43b2790
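As an added example, not code from this commit or from Oh My Zsh: a vcs_info `set-message` hook that doubles every `%` in the repository-derived strings before they reach prompt expansion, registered only on zsh versions older than 5.8.1. The hook name `+vi-escape-percent`, the helper `escape_prompt_percent` and the `demo_branch` value are assumptions constructed for this example.

```zsh
# Added example: escape '%' in the strings vcs_info takes from a repository.
# Hook name, helper name and demo value are constructed for this example.
autoload -Uz vcs_info is-at-least

# Prompt expansion treats '%' as the start of a formatting sequence;
# doubling it makes the character print literally.
escape_prompt_percent() {
  print -r -- "${1//\%/%%}"
}

# set-message hook: vcs_info exposes the values it is about to format in
# the associative array hook_com; whatever is written back is what gets used.
+vi-escape-percent() {
  local key
  for key in branch base base-name subdir revision misc action; do
    (( ${+hook_com[$key]} )) || continue
    hook_com[$key]=$(escape_prompt_percent "${hook_com[$key]}")
  done
}

# zsh 5.8.1 already escapes these arguments; only hook older versions,
# otherwise every '%' would show up doubled in the prompt.
if ! is-at-least 5.8.1; then
  zstyle ':vcs_info:*+set-message:*' hooks escape-percent
fi

# Stand-alone check with a constructed branch name: '%n' expands to the
# user name when unescaped and stays literal once escaped.
demo_branch='topic%notes'
print -r -- "unescaped: $(print -P -- "$demo_branch")"
print -r -- "escaped:   $(print -P -- "$(escape_prompt_percent "$demo_branch")")"
```

The final two lines only demonstrate the difference; the hook registration is the part that belongs in an interactive session's configuration.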
Diffstat (limited to 'plugins/capistrano')
0 files changed, 0 insertions, 0 deletions