!19 fix CVE-2021-45444

From: @jlwwlsqc 
Reviewed-by: @overweight 
Signed-off-by: @overweight

0225-44345-fix-wordcode-traversal-where-without-a-followi.patch

@@ -1,79 +0,0 @@
-From a531a1ec2dce97c1507a45abd4795b1aea1edc9e Mon Sep 17 00:00:00 2001
-From: Oliver Kiddle <okiddle@yahoo.co.uk>
-Date: Thu, 23 May 2019 01:05:01 +0200
-Subject: [PATCH 225/262] 44345: fix wordcode traversal where ! without a
- following command could result in a crash
-
----
- ChangeLog            |  5 +++++
- Src/text.c           |  9 +++++++--
- Test/A01grammar.ztst | 33 +++++++++++++++++++++++++++++++++
- 3 files changed, 45 insertions(+), 2 deletions(-)
-
-diff --git a/Src/text.c b/Src/text.c
-index 3658b1bc6..a4191bf1a 100644
---- a/Src/text.c
-+++ b/Src/text.c
-@@ -470,8 +470,13 @@ gettext2(Estate state)
- 			    " || " : " && ");
- 		    s->code = *state->pc++;
- 		    s->pop = (WC_SUBLIST_TYPE(s->code) == WC_SUBLIST_END);
--		    if (WC_SUBLIST_FLAGS(s->code) & WC_SUBLIST_NOT)
--			taddstr("! ");
-+		    if (WC_SUBLIST_FLAGS(s->code) & WC_SUBLIST_NOT) {
-+			if (WC_SUBLIST_SKIP(s->code) == 0)
-+			    stack = 1;
-+			taddstr((stack || (!(WC_SUBLIST_FLAGS(s->code) &
-+			        WC_SUBLIST_SIMPLE) && wc_code(*state->pc) !=
-+			        WC_PIPE)) ? "!" : "! ");
-+		    }
- 		    if (WC_SUBLIST_FLAGS(s->code) & WC_SUBLIST_COPROC)
- 			taddstr("coproc ");
- 		}
-diff --git a/Test/A01grammar.ztst b/Test/A01grammar.ztst
-index 1ed3cb6b7..c8600d4cb 100644
---- a/Test/A01grammar.ztst
-+++ b/Test/A01grammar.ztst
-@@ -76,6 +76,39 @@
- 0:Basic current shell list with error
- >false
- 
-+  fn() { : && ! ; : }
-+  functions -x3 fn
-+  fn
-+0:End of sublist containing ! with no command
-+>fn () {
-+>   : && !
-+>   :
-+>}
-+
-+  if [[ m -eq y ]]; then
-+    : && !
-+    :
-+  fi
-+0:! followed by no further commands
-+
-+  fn() { ! {!} && ! (!) || ! {!} }
-+  functions -x2 fn
-+  fn
-+0:exclamation marks without following commands
-+>fn () {
-+>  ! {
-+>    !
-+>  } && ! (
-+>    !
-+>  ) || ! {
-+>    !
-+>  }
-+>}
-+
-+  ! | true
-+1:! followed by no command but by a pipe
-+?(eval):1: parse error near `|'
-+
- #
- # Tests for `Precommand Modifiers'
- #
--- 
-2.19.1
-

backport-CVE-2021-45444-1.patch

@@ -0,0 +1,42 @@
+From c187154f47697cdbf822c2f9d714d570ed4a0fd1 Mon Sep 17 00:00:00 2001
+From: Oliver Kiddle <opk@zsh.org>
+Date: Wed, 15 Dec 2021 01:56:40 +0100
+Subject: [PATCH] security/41: Don't perform PROMPT_SUBST evaluation on %F/%K
+ arguments
+
+Mitigates CVE-2021-45444
+---
+ Src/prompt.c | 10 ++++++++++
+ 1 files changed, 10 insertions(+)
+
+diff --git a/Src/prompt.c b/Src/prompt.c
+index b65bfb8..91e21c8 100644
+--- a/Src/prompt.c
++++ b/Src/prompt.c
+@@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg)
+ 	bv->fm += 2; /* skip over F{ */
+ 	if ((ep = strchr(bv->fm, '}'))) {
+ 	    char oc = *ep, *col, *coll;
++	    int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG];
++	    int opp = opts[PROMPTPERCENT];
++
++	    opts[PROMPTPERCENT] = 1;
++	    opts[PROMPTSUBST] = opts[PROMPTBANG] = 0;
++
+ 	    *ep = '\0';
+ 	    /* expand the contents of the argument so you can use
+ 	     * %v for example */
+@@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg)
+ 	    arg = match_colour((const char **)&coll, is_fg, 0);
+ 	    free(col);
+ 	    bv->fm = ep;
++
++	    opts[PROMPTSUBST] = ops;
++	    opts[PROMPTBANG] = opb;
++	    opts[PROMPTPERCENT] = opp;
+ 	} else {
+ 	    arg = match_colour((const char **)&bv->fm, is_fg, 0);
+ 	    if (*bv->fm != '}')
+-- 
+1.8.3.1
+

backport-CVE-2021-45444-2.patch

@@ -0,0 +1,98 @@
+From 972887bbe5eb6a00e5f0e73781d6d73bfdcafb93 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc=20Cornell=C3=A0?= <hello@mcornella.com>
+Date: Mon, 24 Jan 2022 09:43:28 +0100
+Subject: [PATCH] security/89: Partially work around CVE-2021-45444 in VCS_Info
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch is a partial, VCS_Info-specific work-around for CVE-2021-45444,
+which is mitigated in the shell itself in 5.8.1 and later versions. It is
+offered for users who are concerned about an exploit but are unable to update
+their binaries to receive the complete fix.
+
+The patch works around the vulnerability by pre-escaping values substituted
+into format strings in VCS_Info. Please note that this may break some user
+configurations that rely on those values being un-escaped (which is why it was
+not included directly in 5.8.1). It may be possible to limit this breakage by
+adjusting exactly which ones are pre-escaped, but of course this may leave
+them vulnerable again.
+
+If applying the patch to the file system is inconvenient or not possible, the
+following script can be used to idempotently patch the relevant function
+running in memory (and thus must be re-run when the shell is restarted):
+
+
+# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version)
+autoload -Uz is-at-least
+if is-at-least 5.8.1 || ! is-at-least 5.0.3; then
+  return
+fi
+
+# Quote necessary $hook_com[<field>] items just before they are used
+# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats
+# function, where <field> is:
+#
+#   base:       the full path of the repository's root directory.
+#   base-name:  the name of the repository's root directory.
+#   branch:     the name of the currently checked out branch.
+#   revision:   an identifier of the currently checked out revision.
+#   subdir:     the path of the current directory relative to the
+#               repository's root directory.
+#   misc:       a string that may contain anything the vcs_info backend wants.
+#
+# This patch %-quotes these fields previous to their use in vcs_info hooks and
+# the zformat call and, eventually, when they get expanded in the prompt.
+# It's important to quote these here, and not later after hooks have modified the
+# fields, because then we could be quoting % characters from valid prompt sequences,
+# like %F{color}, %B, etc.
+#
+#  32   │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
+#  33   │ hook_com[subdir_orig]="${hook_com[subdir]}"
+#  34   │
+#  35 + │ for tmp in base base-name branch misc revision subdir; do
+#  36 + │     hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
+#  37 + │ done
+#  38 + │
+#  39   │ VCS_INFO_hook 'post-backend'
+#
+# This is especially important so that no command substitution is performed
+# due to malicious input as a consequence of CVE-2021-45444, which affects
+# zsh versions from 5.0.3 to 5.8.
+#
+autoload -Uz +X regexp-replace VCS_INFO_formats
+
+# We use $tmp here because it's already a local variable in VCS_INFO_formats
+typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"'
+# Unique string to avoid reapplying the patch if this code gets called twice
+typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b
+# Only patch the VCS_INFO_formats function if not already patched
+if [[ "$functions[VCS_INFO_formats]" != *$PATCH_ID* ]]; then
+  regexp-replace 'functions[VCS_INFO_formats]' \
+    "VCS_INFO_hook 'post-backend'" \
+    ': ${PATCH_ID}; ${PATCH}; ${MATCH}'
+fi
+unset PATCH PATCH_ID
+
+
+---
+ Functions/VCS_Info/VCS_INFO_formats | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/Functions/VCS_Info/VCS_INFO_formats b/Functions/VCS_Info/VCS_INFO_formats
+index e0e1dc738..4d88e28b6 100644
+--- a/Functions/VCS_Info/VCS_INFO_formats
++++ b/Functions/VCS_Info/VCS_INFO_formats
+@@ -32,6 +32,10 @@ hook_com[base-name_orig]="${hook_com[base_name]}"
+ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
+ hook_com[subdir_orig]="${hook_com[subdir]}"
+ 
++for tmp in base base-name branch misc revision subdir; do
++    hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
++done
++
+ VCS_INFO_hook 'post-backend'
+ 
+ ## description (for backend authors):
+-- 
+2.34.1

backport-Simplify-N-cond-test.patch

@@ -0,0 +1,67 @@
+From 80ddc46e54f6116235e68d3fc039ef775e72d1c5 Mon Sep 17 00:00:00 2001
+From: dana <dana@dana.is>
+Date: Wed, 11 Mar 2020 21:17:12 -0500
+Subject: [PATCH] 45470: C02cond: Simplify '-N cond' test
+
+This fixes an (intermittent?) issue with the test on macOS+APFS, and hopefully
+makes it simpler and faster in general
+---
+ Test/C02cond.ztst | 36 ++++++++++++------------------------
+ 1 files changed, 12 insertions(+), 24 deletions(-)
+
+diff --git a/Test/C02cond.ztst b/Test/C02cond.ztst
+index 4b1ec02f0..5b105b2a0 100644
+--- a/Test/C02cond.ztst
++++ b/Test/C02cond.ztst
+@@ -146,39 +146,27 @@
+ 
+ # can't be bothered with -S
+ 
+-  if [[ ${mtab::="$({mount || /sbin/mount || /usr/sbin/mount} 2>/dev/null)"} = *[(]?*[)] ]]; then
+-    print -u $ZTST_fd 'This test takes two seconds...'
+-  else
+-    unmodified_ls="$(ls -lu $unmodified)"
+-    print -u $ZTST_fd 'This test takes up to 60 seconds...'
+-  fi
+-  sleep 2
++  print -ru $ZTST_fd 'This test may take two seconds...'
+   touch $newnewnew
+   if [[ $OSTYPE == "cygwin" ]]; then
+     ZTST_skip="[[ -N file ]] not supported on Cygwin"
+   elif (( isnfs )); then
+     ZTST_skip="[[ -N file ]] not supported with NFS"
+-  elif { (( ! $+unmodified_ls )) &&
+-         cat $unmodified &&
+-         { df -k -- ${$(print -r -- "$mtab" |
+-                        awk '/noatime/ {print $1,$3}'):-""} | tr -s ' ' |
+-           fgrep -- "$(df -k . | tail -1 | tr -s ' ')" } >&/dev/null } ||
+-       { (( $+unmodified_ls )) && SECONDS=0 &&
+-         ! until (( SECONDS >= 58 )); do
+-             ZTST_hashmark; sleep 2; cat $unmodified
+-             [[ $unmodified_ls != "$(ls -lu $unmodified)" ]] && break
+-	   done }; then
+-    ZTST_skip="[[ -N file ]] not supported with noatime file system"
++  elif ! zmodload -F zsh/stat b:zstat 2> /dev/null; then
++    ZTST_skip='[[ -N file ]] not tested; zsh/stat not available'
++  elif ! { sleep 2; touch -a $unmodified 2> /dev/null }; then
++    ZTST_skip='[[ -N file ]] not tested; touch failed'
++  elif [[ "$(zstat +atime $unmodified)" == "$(zstat +mtime $unmodified)" ]]; then
++    ZTST_skip='[[ -N file ]] not supported on this file system'
+   else
+     [[ -N $newnewnew && ! -N $unmodified ]]
+   fi
+ 0:-N cond
+-F:This test can fail on NFS-mounted filesystems as the access and
+-F:modification times are not updated separately.  The test will fail
+-F:on HFS+ (Apple Mac OS X default) filesystems because access times
+-F:are not recorded.  Also, Linux ext3 filesystems may be mounted
+-F:with the noatime option which does not update access times.
+-F:Failures in these cases do not indicate a problem in the shell.
++F:This test relies on the file system supporting atime updates. It
++F:should automatically detect whether this is the case, and skip
++F:without failing if it isn't, but it's possible that some
++F:configurations may elude this detection. Please report this
++F:scenario if you encounter it.
+ 
+   [[ $newnewnew -nt $zlnfs && ! ($unmodified -nt $zlnfs) ]]
+ 0:-nt cond

zsh.spec

@@ -1,8 +1,8 @@
 %define _bindir /bin
 
 Name:                 zsh
-Version:              5.7.1
+Version:              5.8
-Release:              4
+Release:              3
 Summary:              A shell designed for interactive use
 License:              MIT
 URL:                  http://zsh.sourceforge.net
@@ -26,7 +26,9 @@ Requires(postun):     coreutils grep
 
 Provides:             /bin/zsh
 
-Patch6000: 0225-44345-fix-wordcode-traversal-where-without-a-followi.patch
+Patch0: backport-Simplify-N-cond-test.patch
+Patch1: backport-CVE-2021-45444-1.patch
+Patch2: backport-CVE-2021-45444-2.patch
 
 %description
 The zsh is a shell designed for interactive use, and it is also a powerful scripting language. Many of
@@ -52,7 +54,7 @@ sed -e 's|^\.NOTPARALLEL|#.NOTPARALLEL|' -i 'Config/defs.mk.in'
 %build
 %undefine _strict_symbol_defs_build
 
-export LIBLDFLAGS='-z lazy'
+export LIBLDFLAGS='-z lazy -fstack-protector-strong'
 
 %configure --enable-etcdir=%{_sysconfdir} --with-tcsetpgrp --enable-maildir-support --enable-pcre
 
@@ -130,6 +132,30 @@ fi
 %{_infodir}/*
 
 %changelog
+* Tue Mar 1 2022 wangjie <wangjie375@h-partners.com> - 5.8-3
+- Type: CVE
+- ID: CVE-2021-45444
+- SUG: NA
+- DESC: fix CVE-2021-45444
+
+* Sat Mar 20 2021 shenyangyang <shenyangyang4@huawei.com> - 5.8-2
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:add -fstack-protector-strong for so file
+
+* Fri Jan 29 2021 zoulin <zoulin13@huawei.com> - 5.8-1
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:update version to 5.8
+
+* Wed Jun 24 2020 xuping <xuping21@huawei.com> - 5.7.1-5
+- Type:cves
+- ID:CVE-2019-20044
+- SUG:NA
+- DESC:fix CVE-2019-20044
+
 * Thu Feb 6 2020 openEuler Buildteam <buildteam@openeuler.org> - 5.7.1-4
 - Type:enhancement
 - ID:NA

zsh.yaml

@@ -0,0 +1,4 @@
+version_control: git
+src_repo: "https://git.code.sf.net/p/zsh/code"
+tag_prefix: "^zsh-"
+seperator: