Package: zsh
Version: 3.1.7-1
Severity: normal
Tags: security fixed-upstream patch
Control: forwarded -1 https://www.zsh.org/cgi-bin/mla/redirect?WORKERNUMBER=42607
Hi,

there has been another security fix at zsh upstream:

https://www.zsh.org/cgi-bin/mla/redirect?WORKERNUMBER=42607
https://sourceforge.net/p/zsh/code/ci/31f72205630687c1cef89347863aab355296a27f/

git.code.sf.net is currently unreachable for me (ping timeout), but the mirror at GitHub already has it, too:

https://github.com/zsh-users/zsh/commit/31f72205630687c1cef89347863aab355296a27f

That way I could attach the upstream patch to this mail:
commit 31f72205630687c1cef89347863aab355296a27f Author: Oliver Kiddle <okid...@yahoo.co.uk> Date: Sat Apr 7 18:28:38 2018 +0200 42607, CVE-2018-1100: check bounds on buffer in mail checking diff --git a/ChangeLog b/ChangeLog index 60ec155d7..2cc699b67 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,8 @@ 2018-04-07 Oliver Kiddle <okid...@yahoo.co.uk> + * 42607, CVE-2018-1100: Src/utils.c: check bounds on buffer + in mail checking + * 42600: Src/Zle/computil.c: error paths for _values leaked the exclusion list array diff --git a/Src/utils.c b/Src/utils.c index c544b81bf..180693d67 100644 --- a/Src/utils.c +++ b/Src/utils.c @@ -1653,7 +1653,7 @@ checkmailpath(char **s) LinkList l; DIR *lock = opendir(unmeta(*s)); char buf[PATH_MAX * 2 + 1], **arr, **ap; - int ct = 1; + int buflen, ct = 1; if (lock) { char *fn; @@ -1662,9 +1662,11 @@ checkmailpath(char **s) l = newlinklist(); while ((fn = zreaddir(lock, 1)) && !errflag) { if (u) - sprintf(buf, "%s/%s?%s", *s, fn, u); + buflen = snprintf(buf, sizeof(buf), "%s/%s?%s", *s, fn, u); else - sprintf(buf, "%s/%s", *s, fn); + buflen = snprintf(buf, sizeof(buf), "%s/%s", *s, fn); + if (buflen < 0 || buflen >= (int)sizeof(buf)) + continue; addlinknode(l, dupstring(buf)); ct++; }
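Review bot: in the first Src/utils.c hunk, `int buflen, ct = 1;` leaves `buflen` uninitialised at declaration; both branches of the `if (u)` below assign it before the bounds check reads it, so this is correct as written, but initialising it (for example `int buflen = -1, ct = 1;`) would make the intent explicit and keep stricter compiler warnings quiet if the branches are ever restructured.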
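Review bot: the added `if (buflen < 0 || buflen >= (int)sizeof(buf)) continue;` in the second Src/utils.c hunk is what actually closes the overflow: `buf` is `PATH_MAX * 2 + 1` bytes, yet `*s`, the directory entry `fn` and the optional `?` suffix `u` are all concatenated into it, so the old `sprintf` wrote past the end whenever that combined length exceeded the buffer, whereas `snprintf` with `sizeof(buf)` truncates and reports the would-be length. Skipping over-long entries silently is reasonable for mail checking, but a short comment on the `continue` saying that truncated paths are deliberately dropped rather than added to the list would help the next reader; the `< 0` half of the check (encoding error from `snprintf`) is also worth a word, since it is easy to mistake for dead code.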
This will likely be part of the upcoming 5.5 release, maybe also of a potential further release candidate.

JFTR: It is not fixed in zsh 5.4.2-test-2-1, which I uploaded yesterday to experimental, as the upstream git tag for that release candidate is from Thursday while the commit mentioned above is from Saturday.

According to "git blame", this code has been touched the last time between the 3.1.6 and 3.1.7 releases (i.e. in April 2000), so declaring it as introduced with 3.1.7 for now. The bug itself might affect even older releases, since the commit db663c824a (which last touched these lines) seems to primarily change code indentation. But for Debian it does not really matter how early it has been introduced, so I stop digging here.

-- Package-specific info:
Packages which depend, recommend, suggest or enhance a zsh package and hence may provide code meant to be sourced in .zshrc:

Packages which provide vendor completions:

dpkg-query: no path found matching pattern /usr/share/zsh/vendor-functions/
-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages zsh depends on:
ii  libc6       2.27-3
ii  libcap2     1:2.25-1.2
ii  libtinfo5   6.1-1
ii  zsh-common  5.4.2-4

Versions of packages zsh recommends:
ii  libc6         2.27-3
ii  libncursesw5  6.1-1
ii  libpcre3      2:8.39-9

Versions of packages zsh suggests:
ii  zsh-doc  5.4.2-4

-- no debconf information