diff options
| author | Marc Cornellà <hello@mcornella.com> | 2022-02-13 18:59:27 +0100 | 
|---|---|---|
| committer | Marc Cornellà <hello@mcornella.com> | 2022-02-13 19:07:12 +0100 | 
| commit | ef3f7c43a91eb2c90098843b0ee9193bb52cdc96 (patch) | |
| tree | 1e0aa574ad1ff4b4840d58d110284a2424d18d8b /plugins/stack | |
| parent | 02b52a03a5a78362c57d75c507240f69d4260d9a (diff) | |
| download | zsh-ef3f7c43a91eb2c90098843b0ee9193bb52cdc96.tar.gz zsh-ef3f7c43a91eb2c90098843b0ee9193bb52cdc96.tar.bz2 zsh-ef3f7c43a91eb2c90098843b0ee9193bb52cdc96.zip | |
fix: apply workaround patch for vcs_info (CVE-2021-45444)
This lib function applies a patch to the VCS_INFO_formats function
in zsh versions from v5.0.3 until v5.8, which don't quote % chars
in some arguments received. Normally that just means that some
% characters in these strings (branch names, directories, etc.)
will be incorrectly parsed as formatting sequences.
With CVE-2021-45444, however, this means that one of these strings
from a malicious source (e.g. a malicious git repository) can
trigger command injection and run arbitrary code in the user's
machine when visiting such git repository.
Zsh 5.8.1 fixes this vulnerability [1], but older vcs_info setups
still need a workaround such as this one to patch the vulnerability.
[1] https://github.com/zsh-users/zsh/commit/c3ea1e5d52eff8b7b172fa8c1ccc3462b43b2790
Diffstat (limited to 'plugins/stack')
0 files changed, 0 insertions, 0 deletions
