Package: zsh
Version: 5.5.1-1
Severity: grave
Tags: security
Control: found -1 5.3.1-4
Control: fixed -1 5.6-1

Hi,

these two issues have already been fixed with the 5.6-1 upload, which happened just minutes after the embargo for these issues was over. Because of the embargo there wasn't a proper bug report yet.

So this bug report is primarily to track the fix of these issues in Debian Buster, Stretch and maybe also in Debian (E)LTS releases.

From the upstream 5.6 release notes:

> CVE-2018-0502: Data from the second line of a #! script file might be
> passed to execve(). For example, in the following situation -
>
>     printf '#!foo\nbar' > baz
>     ./baz
>
> the shell might take "bar" rather than "foo" for the argv[0] to be
> passed to execve(). [ Reported by Anthony Sottile and Buck Evan. ]
>
> CVE-2018-13259: A shebang line longer than 64 characters would be
> truncated. For example, in the following situation:
>
>     ( printf '#!'; repeat 64 printf 'x'; printf 'y' ) > foo
>     ./foo
>
> the shell might execute x...x (64 repetitions) rather than x...xy (64
> x's, one y). [ Reported by Daniel Shahaf. ]

Links into the Debian Security Tracker:

https://security-tracker.debian.org/tracker/CVE-2018-0502
https://security-tracker.debian.org/tracker/CVE-2018-13259

(JFTR: The Debian Security Team doesn't consider a DSA necessary for these issues and recommends fixing the issues in Stretch via the next Debian Minor Stable Update.)

Upstream release announcement:
https://www.zsh.org/mla/zsh-announce/136

Upstream fix/patch:
https://sourceforge.net/p/zsh/code/ci/1c4c7b6a4d17294df028322b70c53803a402233d

(Details about affected versions will follow soon.)
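
A triage aid for the CVE-2018-13259 case quoted above, added here as an example and not part of the bug report or of zsh: it lists executable files whose text after `#!` is longer than 64 characters, so they can be reviewed on hosts still running an unfixed zsh. Counting from after the `#!` follows the release notes' example and is an assumption, as are the function names and the `LIMIT` variable.

```shell
#!/bin/sh
# Added example: find scripts whose shebang text exceeds a length limit.
# LIMIT defaults to 64, the figure given in the quoted release notes.
# Assumption: the length is counted from the first character after "#!".

# Print the number of characters after "#!" on the first line of $1.
# Fails (status 1) if the file is unreadable or has no shebang.
shebang_len() {
    first=$(head -n 1 -- "$1" 2>/dev/null) || return 1
    case $first in
        '#!'*)
            first=${first#??}          # drop the leading "#!"
            printf '%s\n' "${#first}"
            ;;
        *)
            return 1
            ;;
    esac
}

# Succeed when the shebang text of $1 is longer than LIMIT.
shebang_too_long() {
    len=$(shebang_len "$1") || return 1
    [ "$len" -gt "${LIMIT:-64}" ]
}

# Walk the given paths and print "length<TAB>path" for every
# owner-executable regular file with an over-long shebang.
audit_shebangs() {
    find "$@" -type f -perm -100 2>/dev/null | while IFS= read -r f; do
        if shebang_too_long "$f"; then
            printf '%s\t%s\n' "$(shebang_len "$f")" "$f"
        fi
    done
}

# Run the audit only when paths are given on the command line.
if [ "$#" -gt 0 ]; then
    audit_shebangs "$@"
fi
```

Files it reports are candidates for shortening the interpreter line, for example by pointing it at a shorter path.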

