Package: zsh
Version: 3.1.7-1
Severity: normal
Tags: security fixed-upstream patch
Control: forwarded -1 https://www.zsh.org/cgi-bin/mla/redirect?WORKERNUMBER=42607

Hi,

there has been another security fix at zsh upstream:
https://www.zsh.org/cgi-bin/mla/redirect?WORKERNUMBER=42607
https://sourceforge.net/p/zsh/code/ci/31f72205630687c1cef89347863aab355296a27f/

git.code.sf.net is currently unreachable for me (ping
timeout), but the mirror at GitHub already has it, too:
https://github.com/zsh-users/zsh/commit/31f72205630687c1cef89347863aab355296a27f

That way I could attach the upstream patch to this mail:

commit 31f72205630687c1cef89347863aab355296a27f
Author: Oliver Kiddle <okid...@yahoo.co.uk>
Date:   Sat Apr 7 18:28:38 2018 +0200

    42607, CVE-2018-1100: check bounds on buffer in mail checking

diff --git a/ChangeLog b/ChangeLog
index 60ec155d7..2cc699b67 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2018-04-07  Oliver Kiddle  <okid...@yahoo.co.uk>
 
+	* 42607, CVE-2018-1100: Src/utils.c: check bounds on buffer
+	in mail checking
+
 	* 42600: Src/Zle/computil.c: error paths for _values leaked
 	the exclusion list array
 
diff --git a/Src/utils.c b/Src/utils.c
index c544b81bf..180693d67 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -1653,7 +1653,7 @@ checkmailpath(char **s)
 	    LinkList l;
 	    DIR *lock = opendir(unmeta(*s));
 	    char buf[PATH_MAX * 2 + 1], **arr, **ap;
-	    int ct = 1;
+	    int buflen, ct = 1;
 
 	    if (lock) {
 		char *fn;
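Review bot: `buflen` is added at the same scope as `ct` and `buf` (the `char buf[PATH_MAX * 2 + 1]` array three lines above) but is only assigned and read inside the `while` loop of the next hunk; declaring it at the point of first use would keep it from ever being read before assignment if that loop body is later restructured. Declaring it `int` is the right type here, since it holds the `int` return value of `snprintf` and is compared against `(int)sizeof(buf)`.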
@@ -1662,9 +1662,11 @@ checkmailpath(char **s)
 		l = newlinklist();
 		while ((fn = zreaddir(lock, 1)) && !errflag) {
 		    if (u)
-			sprintf(buf, "%s/%s?%s", *s, fn, u);
+			buflen = snprintf(buf, sizeof(buf), "%s/%s?%s", *s, fn, u);
 		    else
-			sprintf(buf, "%s/%s", *s, fn);
+			buflen = snprintf(buf, sizeof(buf), "%s/%s", *s, fn);
+		    if (buflen < 0 || buflen >= (int)sizeof(buf))
+			continue;
 		    addlinknode(l, dupstring(buf));
 		    ct++;
 		}
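Review bot: the new `if (buflen < 0 || buflen >= (int)sizeof(buf)) continue;` silently drops any directory entry whose constructed path does not fit in `buf`, so that file is never checked for new mail and `ct` is not incremented for it; that is the correct choice compared with the old unbounded `sprintf` into a fixed array, but a one-line comment saying that over-long entries are intentionally skipped would save the next reader from wondering whether truncation was meant. The check correctly relies on the `snprintf` return value (the length that would have been written, or a negative value on error) rather than `strlen(buf)`, and `sizeof(buf)` is valid because `buf` is a fixed-size array in this function rather than a pointer.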
This will likely be part of the upcoming 5.5 release, maybe also of a
potential further release candidate. JFTR: It is not fixed in zsh
5.4.2-test-2-1 which I uploaded yesterday to experimental as the
upstream git tag for that release candidate is from Thursday while the
commit mentioned above is from Saturday.

According to "git blame", this code was last touched between
the 3.1.6 and 3.1.7 releases (i.e. in April 2000), so declaring it as
introduced with 3.1.7 for now. The bug itself might affect even older
releases since the commit db663c824a (which last touched these lines)
seems to primarily change code indentation. But for Debian it does
not really matter how early it was introduced, so I stop digging
here.

-- Package-specific info:
Packages which depend, recommend, suggest or enhance a zsh package and hence may provide code meant to be sourced in .zshrc:

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                Version        Architecture   Description
+++-===================-==============-==============-===========================================
ii  abe-commandline     17.5           all            Metapackage of commandline tools Axel usual
ii  abe-desktop-common  13.1.1         all            Common packages for all of Axel's desktop s
ii  autojump            22.5.0-2       all            shell extension to jump to frequently used
ii  fizsh               1.0.9-1        all            Friendly Interactive ZSHell
ii  flowscan            1.006-13.2     all            flow-based IP traffic analysis and visualiz
ii  powerline           2.6-1          amd64          prompt and statusline utility
ii  shellex             0.2-1          amd64          shell-based launcher
ii  tomb                2.5+dfsg1-1    all            crypto undertaker
ii  zomg                0.8-3          amd64          console-based libre.fm submission and radio
ii  zplug               2.4.2-1        all            next-generation plugin manager for zsh
ii  zsh-antigen         2.2.3-1        all            manage your zsh plugins
ii  zsh-syntax-highligh 0.6.0-1        all            Fish shell like syntax highlighting for zsh
ii  zsh-theme-powerleve 0.6.4-1        all            powerlevel9k is a theme for zsh which uses
ii  zshdb               0.92-3         all            debugger for Z-Shell scripts

Packages which provide vendor completions:

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                Version        Architecture   Description
+++-===================-==============-==============-===========================================
ii  0xffff              0.7-2          amd64          Open Free Fiasco Firmware Flasher
ii  autojump            22.5.0-2       all            shell extension to jump to frequently used
ii  bugz                0.10.1-3       all            command-line interface to Bugzilla
ii  cmus                2.7.1+git20160 amd64          lightweight ncurses audio player
ii  curl                7.58.0-2       amd64          command line tool for transferring data wit
ii  git-annex           6.20180316-1   amd64          manage files with git, without checking the
ii  git-buildpackage    0.9.8          all            Suite to help with Debian packages in Git r
ii  git-extras          4.5.0-1        all            Extra commands for git
ii  git-flow            1.11.0-1       all            Git extension to provide a high-level branc
ii  herbstluftwm        0.7.0-2        amd64          manual tiling window manager for X11
ii  keyringer           0.5.0-2        all            Distributed secret management using GnuPG a
ii  khal                1:0.9.8-1      all            Standards based CLI and terminal calendar p
ii  khard               0.12.2-2       amd64          address book for the Linux console
ii  legit               1.0.1-2        all            Git extension to assist in manipulating bra
ii  leiningen           2.8.1-4        all            Automation tool and dependency manager for
ii  mpv                 0.27.2-1       amd64          video player based on MPlayer/mplayer2
ii  nim                 0.18.0-2       amd64          Nim programming language - compiler
ii  pass                1.7.1-3        all            lightweight directory-based password manage
ii  pdfgrep             2.0.1-1        amd64          search in pdf files for strings matching a
ii  silversearcher-ag   2.1.0-1        amd64          very fast grep-like program, alternative to
ii  sysdig              0.19.1-1       amd64          system-level exploration and troubleshootin
ii  systemd             238-4          amd64          system and service manager
ii  systemd-container   238-4          amd64          systemd container/nspawn tools
ii  taskwarrior         2.5.1+dfsg-6   amd64          feature-rich console based todo list manage
ii  torsocks            2.2.0-2        amd64          use SOCKS-friendly applications with Tor
ii  udev                238-4          amd64          /dev/ and hotplug management daemon
ii  vcsh                1.20151229-1   all            Version Control System for $HOME - multiple
ii  vlc-bin             3.0.1-3        amd64          binaries from VLC
ii  vnlog               1.6-1          all            Toolkit to read/write/manipulate whitespace
ii  xwallpaper          0.3.0-1        amd64          utility for setting image files as X wallpa
ii  youtube-dl          2018.03.14-1   all            downloader of videos from YouTube and other

dpkg-query: no path found matching pattern /usr/share/zsh/vendor-functions/

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages zsh depends on:
ii  libc6       2.27-3
ii  libcap2     1:2.25-1.2
ii  libtinfo5   6.1-1
ii  zsh-common  5.4.2-4

Versions of packages zsh recommends:
ii  libc6         2.27-3
ii  libncursesw5  6.1-1
ii  libpcre3      2:8.39-9

Versions of packages zsh suggests:
ii  zsh-doc  5.4.2-4

-- no debconf information
