package/zsh: security bump to version 5.8

- Fix CVE-2019-20044: In Zsh before 5.8, attackers able to execute
  commands can regain privileges dropped by the --no-PRIVILEGED option.
  Zsh fails to overwrite the saved uid, so the original privileges can
  be restored by executing MODULE_PATH=/dir/with/module zmodload with a
  module that calls setuid().
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

diff --git a/package/zsh/zsh.hash b/package/zsh/zsh.hash
index 79c661d455e941907fdb166c04153e0272ae38d3..2df409c9464b90e4359c1c30289514a036c5836f 100644 (file)
--- a/package/zsh/zsh.hash
+++ b/package/zsh/zsh.hash
@@ -1,7 +1,7 @@
 # From http://www.zsh.org/pub/MD5SUM
-md5    374f9fdd121b5b90e07abfcad7df0627        zsh-5.7.1.tar.xz
+md5  e02a5428620b3dd268800c7843b3dd4d  zsh-5.8.tar.xz
 # Calculated based on the hash above and after checking signature
-# http://www.zsh.org/pub/zsh-5.7.1.tar.xz.asc
-sha256 7260292c2c1d483b2d50febfa5055176bd512b32a8833b116177bf5f01e77ee8 zsh-5.7.1.tar.xz
+# http://www.zsh.org/pub/zsh-5.8.tar.xz.asc
+sha256  dcc4b54cc5565670a65581760261c163d720991f0d06486da61f8d839b52de27  zsh-5.8.tar.xz
 # Locally calculated
-sha256 d06fdf3ef9b1ec69d6b9e170b0a9516fbad3523261ff1668bde3bfea6e0ef5f5  LICENCE
+sha256  d06fdf3ef9b1ec69d6b9e170b0a9516fbad3523261ff1668bde3bfea6e0ef5f5  LICENCE

diff --git a/package/zsh/zsh.mk b/package/zsh/zsh.mk
index b287e3051ddf19ef0915c3532b78ba68fe30faa8..c3d9e5215200610daae65e9a65e195607f7a90f3 100644 (file)
--- a/package/zsh/zsh.mk
+++ b/package/zsh/zsh.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-ZSH_VERSION = 5.7.1
+ZSH_VERSION = 5.8
 ZSH_SITE = http://www.zsh.org/pub
 ZSH_SOURCE = zsh-$(ZSH_VERSION).tar.xz
 ZSH_DEPENDENCIES = ncurses