Package: zsh
Version: 3.1.7-1
Severity: normal
Tags: security fixed-upstream patch
Control: forwarded -1


there happened another security fix at zsh upstream: is currently unreachable for me (ping
timeout), but the mirror at GitHub already has it, too:

That way I could attach the upstream patch to this mail:

commit 31f72205630687c1cef89347863aab355296a27f
Author: Oliver Kiddle <>
Date:   Sat Apr 7 18:28:38 2018 +0200

    42607, CVE-2018-1100: check bounds on buffer in mail checking

diff --git a/ChangeLog b/ChangeLog
index 60ec155d7..2cc699b67 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2018-04-07  Oliver Kiddle  <>
+	* 42607, CVE-2018-1100: Src/utils.c: check bounds on buffer
+	in mail checking
 	* 42600: Src/Zle/computil.c: error paths for _values leaked
 	the exclusion list array
diff --git a/Src/utils.c b/Src/utils.c
index c544b81bf..180693d67 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -1653,7 +1653,7 @@ checkmailpath(char **s)
 	    LinkList l;
 	    DIR *lock = opendir(unmeta(*s));
 	    char buf[PATH_MAX * 2 + 1], **arr, **ap;
-	    int ct = 1;
+	    int buflen, ct = 1;
 	    if (lock) {
 		char *fn;
@@ -1662,9 +1662,11 @@ checkmailpath(char **s)
 		l = newlinklist();
 		while ((fn = zreaddir(lock, 1)) && !errflag) {
 		    if (u)
-			sprintf(buf, "%s/%s?%s", *s, fn, u);
+			buflen = snprintf(buf, sizeof(buf), "%s/%s?%s", *s, fn, u);
-			sprintf(buf, "%s/%s", *s, fn);
+			buflen = snprintf(buf, sizeof(buf), "%s/%s", *s, fn);
+		    if (buflen < 0 || buflen >= (int)sizeof(buf))
+			continue;
 		    addlinknode(l, dupstring(buf));
This will likely be part of the upcoming 5.5 release, maybe also of an
potential further release candidate. JFTR: It is not fixed in zsh
5.4.2-test-2-1 which I uploaded yesterday to experimental as the
upstream git tag for that release candidate is from Thursday while the
commit mentioned above is from Saturday.

According to "git blame", this code has been touched last time between
the 3.1.6 and 3.17 releases (i.e. in April 2000), so declaring it as
introduced with 3.1.7 for now. The bug itself might affect even older
releases since the commit db663c824a (which last touched these lines)
seems to be primarily change code indentation. But for Debian it does
not really matter how early it has been introduced, so I stop digging

-- Package-specific info:
Packages which depend, recommend, suggest or enhance a zsh package and hence 
may provide code meant to be sourced in .zshrc:

| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                Version        Architecture   Description
ii  abe-commandline     17.5           all            Metapackage of 
commandline tools Axel usual
ii  abe-desktop-common  13.1.1         all            Common packages for all 
of Axel's desktop s
ii  autojump            22.5.0-2       all            shell extension to jump 
to frequently used 
ii  fizsh               1.0.9-1        all            Friendly Interactive 
ii  flowscan            1.006-13.2     all            flow-based IP traffic 
analysis and visualiz
ii  powerline           2.6-1          amd64          prompt and statusline 
ii  shellex             0.2-1          amd64          shell-based launcher
ii  tomb                2.5+dfsg1-1    all            crypto undertaker
ii  zomg                0.8-3          amd64          console-based 
submission and radio
ii  zplug               2.4.2-1        all            next-generation plugin 
manager for zsh
ii  zsh-antigen         2.2.3-1        all            manage your zsh plugins
ii  zsh-syntax-highligh 0.6.0-1        all            Fish shell like syntax 
highlighting for zsh
ii  zsh-theme-powerleve 0.6.4-1        all            powerlevel9k is a theme 
for zsh which uses 
ii  zshdb               0.92-3         all            debugger for Z-Shell 

Packages which provide vendor completions:

| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                Version        Architecture   Description
ii  0xffff              0.7-2          amd64          Open Free Fiasco Firmware 
ii  autojump            22.5.0-2       all            shell extension to jump 
to frequently used 
ii  bugz                0.10.1-3       all            command-line interface to 
ii  cmus                2.7.1+git20160 amd64          lightweight ncurses audio 
ii  curl                7.58.0-2       amd64          command line tool for 
transferring data wit
ii  git-annex           6.20180316-1   amd64          manage files with git, 
without checking the
ii  git-buildpackage    0.9.8          all            Suite to help with Debian 
packages in Git r
ii  git-extras          4.5.0-1        all            Extra commands for git
ii  git-flow            1.11.0-1       all            Git extension to provide 
a high-level branc
ii  herbstluftwm        0.7.0-2        amd64          manual tiling window 
manager for X11
ii  keyringer           0.5.0-2        all            Distributed secret 
management using GnuPG a
ii  khal                1:0.9.8-1      all            Standards based CLI and 
terminal calendar p
ii  khard               0.12.2-2       amd64          address book for the 
Linux console
ii  legit               1.0.1-2        all            Git extension to assist 
in manipulating bra
ii  leiningen           2.8.1-4        all            Automation tool and 
dependency manager for 
ii  mpv                 0.27.2-1       amd64          video player based on 
ii  nim                 0.18.0-2       amd64          Nim programming language 
- compiler
ii  pass                1.7.1-3        all            lightweight 
directory-based password manage
ii  pdfgrep             2.0.1-1        amd64          search in pdf files for 
strings matching a 
ii  silversearcher-ag   2.1.0-1        amd64          very fast grep-like 
program, alternative to
ii  sysdig              0.19.1-1       amd64          system-level exploration 
and troubleshootin
ii  systemd             238-4          amd64          system and service manager
ii  systemd-container   238-4          amd64          systemd container/nspawn 
ii  taskwarrior         2.5.1+dfsg-6   amd64          feature-rich console 
based todo list manage
ii  torsocks            2.2.0-2        amd64          use SOCKS-friendly 
applications with Tor
ii  udev                238-4          amd64          /dev/ and hotplug 
management daemon
ii  vcsh                1.20151229-1   all            Version Control System 
for $HOME - multiple
ii  vlc-bin             3.0.1-3        amd64          binaries from VLC
ii  vnlog               1.6-1          all            Toolkit to 
read/write/manipulate whitespace
ii  xwallpaper          0.3.0-1        amd64          utility for setting image 
files as X wallpa
ii  youtube-dl          2018.03.14-1   all            downloader of videos from 
YouTube and other

dpkg-query: no path found matching pattern /usr/share/zsh/vendor-functions/

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), 
(500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages zsh depends on:
ii  libc6       2.27-3
ii  libcap2     1:2.25-1.2
ii  libtinfo5   6.1-1
ii  zsh-common  5.4.2-4

Versions of packages zsh recommends:
ii  libc6         2.27-3
ii  libncursesw5  6.1-1
ii  libpcre3      2:8.39-9

Versions of packages zsh suggests:
ii  zsh-doc  5.4.2-4

-- no debconf information

Reply via email to