Bug 30057

Summary: zsh new security issue CVE-2021-45444
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, davidwhodgins, mageia, sysadmin-bugs, tarazed25
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: zsh-5.8-3.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2022-02-16 22:45:18 CET
Fedora has issued an advisory today (February 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2P3LPMGENEHKDWFO4MWMZSZL6G7Y4CV7/

The issue is fixed upstream in 5.8.1.

Mageia 8 is also affected.
David Walser 2022-02-16 22:45:32 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 5.8.1

Comment 1 David Walser 2022-02-16 22:50:46 CET
Debian has issued an advisory for this today (February 16):
https://www.debian.org/security/2022/dsa-5078
Comment 2 Nicolas Lécureuil 2022-02-17 01:07:30 CET
Fixed in mga8/9:

src:
    - zsh-5.8.1-1.mga8

Status comment: Fixed upstream in 5.8.1 => (none)
Assignee: bugsquad => qa-bugs
CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 3 David Walser 2022-02-17 01:58:35 CET
zsh-5.8.1-1.mga8
zsh-doc-5.8.1-1.mga8

from zsh-5.8.1-1.mga8.src.rpm
Comment 4 Len Lawrence 2022-02-17 21:06:06 CET
mga8, x64, Mate

zsh already installed, with its .zshrc file.
Changed user's login shell to zsh, logged out and in and checked which shell was running.  Followed the simple tests in bug 22846 report.
$ echo $SHELL
/bin/zsh
$ cat .zshrc
# Lines configured by zsh-newuser-install
HISTFILE=~/.histfile
HISTSIZE=1000
SAVEHIST=1000
setopt autocd
bindkey -e
# End of lines configured by zsh-newuser-install
# The following lines were added by compinstall
zstyle :compinstall filename '/home/lcl/.zshrc'

autoload -Uz compinit
compinit
# End of lines added by compinstall

The history command works and a previous command can be invoked e.g. $ !10
That was ll.
Command and name completion works using Tab key and multiple tabbing works as well.  Default editor emacs works as usual with user configuration - all custom keys working as before.

This looks fine anyway.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2022-02-17 21:55:41 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-02-18 00:22:16 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-02-18 01:15:43 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0073.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED