Hi.
On Thursday 01 March 2018 04:20 AM, Axel Beckert wrote:
[..]
> I do not demand to test the package, but I offer to do so. I actually
> feel a little bit obliged towards the LTS team to do at least that.
> :-)
>
> So feel free to contact me (or the pkg-zsh-devel list) once a package
> is available for testing.
>
I prepared an update[1] for zsh. Debdiff attached along with the mail.
It would be great if you do some testing.
[..]
> Regards, Axel
>
Thanks
-abhijith
wearing Debian LTS member hat.
[1]
https://mentors.debian.net/debian/pool/main/z/zsh/zsh_4.3.17-1+deb7u1.dsc
build: http://159.65.202.84/
diff -Nru zsh-4.3.17/debian/changelog zsh-4.3.17/debian/changelog
--- zsh-4.3.17/debian/changelog 2012-02-29 05:05:54.0 +0530
+++ zsh-4.3.17/debian/changelog 2018-03-05 21:34:11.0 +0530
@@ -1,3 +1,18 @@
+zsh (4.3.17-1+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * Fix CVE-2014-10070: privilege-elevation contexts when the
+environment has not been properly sanitized
+ * Fix CVE-2014-10071: buffer overflow for very long fds in the
+">& fd" syntax in exec.c
+ * Fix CVE-2014-10072: buffer overflow when scanning very long
+directory paths for symbolic links
+ * Fix CVE-2016-10714: off-by-one error resulted in undersized buffers
+that were intended to support PATH_MAX
+ * Fix CVE-2017-18206: symlink expansion has buffer overflow
+
+ -- Abhijith PA Mon, 05 Mar 2018 16:04:11 +
+
zsh (4.3.17-1) unstable; urgency=low
* New upstream release
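Review bot: the CVE-2014-10070 bullet in the new 4.3.17-1+deb7u1 entry describes the precondition ("privilege-elevation contexts when the environment has not been properly sanitized") rather than the change. Say what the upload does, for example that integer parameters imported from the environment are now read as literal numbers instead of being evaluated, and name the patch file next to each CVE so the five bullets can be matched against debian/patches. The trailer line as shown here has no maintainer address and its timezone offset stops at "+"; check that the file in the .dsc carries the address and the full offset.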
diff -Nru zsh-4.3.17/debian/patches/CVE-2014-10070.patch
zsh-4.3.17/debian/patches/CVE-2014-10070.patch
--- zsh-4.3.17/debian/patches/CVE-2014-10070.patch 1970-01-01
05:30:00.0 +0530
+++ zsh-4.3.17/debian/patches/CVE-2014-10070.patch 2018-03-05
19:40:59.0 +0530
@@ -0,0 +1,105 @@
+Description: Fix CVE-2014-10070
+ Zsh version before 5.0.7 allows evaluation of the initial values of integer
+ variables imported from the environment (instead of treating them as literal
+ numbers). That could allow local privilege escalation, under some specific
and
+ atypical conditions where zsh is being invoked in privilege-elevation contexts
+ when the environment has not been properly sanitized, such as when zsh is
+ invoked by sudo on systems where "env_reset" has been disabled
+ .
+ This patch tries to safely import numerical variables from environment.
+Author: Abhijith PA
+Origin:
https://sourceforge.net/p/zsh/code/ci/546203a770cec329e73781c3c8ab1078390aee72
+Last-Update: 2018-03-04
+
+--- zsh-4.3.17.orig/Src/params.c
zsh-4.3.17/Src/params.c
+@@ -318,9 +318,12 @@ IPDEF4("ZSH_SUBSHELL", &zsh_subshell),
+ #define IPDEF5(A,B,F) {{NULL,A,PM_INTEGER|PM_SPECIAL},BR((void
*)B),GSU(varinteger_gsu),10,0,NULL,NULL,NULL,0}
+ IPDEF5("COLUMNS", &zterm_columns, zlevar_gsu),
+ IPDEF5("LINES", &zterm_lines, zlevar_gsu),
+-IPDEF5("OPTIND", &zoptind, varinteger_gsu),
+ IPDEF5("SHLVL", &shlvl, varinteger_gsu),
+-IPDEF5("TRY_BLOCK_ERROR", &try_errflag, varinteger_gsu),
++
++/* Don't import internal integer status variables. */
++#define IPDEF6(A,B,F) {{NULL,A,PM_INTEGER|PM_SPECIAL|PM_DONTIMPORT},BR((void
*)B),GSU(F),10,0,NULL,NULL,NULL,0}
++IPDEF6("OPTIND", &zoptind, varinteger_gsu),
++IPDEF6("TRY_BLOCK_ERROR", &try_errflag, varinteger_gsu),
+
+ #define IPDEF7(A,B) {{NULL,A,PM_SCALAR|PM_SPECIAL},BR((void
*)B),GSU(varscalar_gsu),0,0,NULL,NULL,NULL,0}
+ IPDEF7("OPTARG", &zoptarg),
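Review bot: the new comment above IPDEF6 covers only OPTIND and TRY_BLOCK_ERROR, while COLUMNS, LINES and SHLVL stay on IPDEF5 and are still imported from the environment, so their safety rests on the PM_INTEGER change in assignstrvalue() further down. Extend the comment to say so, so that a later reader does not take PM_DONTIMPORT for the whole fix.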
+@@ -733,7 +736,8 @@ createparamtable(void)
+ if (!idigit(*iname) && isident(iname) && !strchr(iname, '[')) {
+ if ((!(pm = (Param) paramtab->getnode(paramtab, iname)) ||
+!(pm->node.flags & PM_DONTIMPORT || pm->node.flags &
PM_EXPORTED)) &&
+- (pm = setsparam(iname, metafy(ivalue, -1, META_DUP {
++ (pm = assignsparam(iname, metafy(ivalue, -1, META_DUP),
++ ASSPM_ENV_IMPORT))) {
+ pm->node.flags |= PM_EXPORTED;
+ if (pm->node.flags & PM_SPECIAL)
+ pm->env = mkenvstr (pm->node.nam,
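Review bot: ASSPM_ENV_IMPORT in the new assignsparam() call is not defined anywhere in the part of the patch shown here, and nothing visible shows assignsparam() handing its flags on to assignstrvalue(). Confirm that the patch also adds the flag definition and threads the flag through to the PM_INTEGER case; if it does not, either the build fails or the import path still reaches mathevali().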
+@@ -2249,6 +2253,13 @@ export_param(Param pm)
+ mod_export void
+ setstrvalue(Value v, char *val)
+ {
++assignstrvalue(v, val, 0);
++}
++
++/**/
++mod_export void
++assignstrvalue(Value v, char *val, int flags)
++{
+ if (unset(EXECOPT))
+ return;
+ if (v->pm->node.flags & PM_READONLY) {
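Review bot: assignstrvalue() is added as a mod_export function with no comment on its flags argument. A short comment above it stating which ASSPM_ flags it honours, and that setstrvalue() is now the wrapper that passes 0, would help module authors pick the right entry point.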
+@@ -2325,7 +2336,13 @@ setstrvalue(Value v, char *val)
+ break;
+ case PM_INTEGER:
+ if (val) {
+- v->pm->gsu.i->setfn(v->pm, mathevali(val));
++ zlong ival;
++ if (flags & ASSPM_ENV_IMPORT) {
++ char *ptr;
++ ival = zstrtol(val, &ptr, 0);
++ } else
++ ival = mathevali(val);
++ v->pm->gsu.i->setfn(v->pm, ival);
+ if ((v->pm->node.flags & (PM_LEFT | PM_RIGHT_B | PM_RIGHT_Z)) &&
+ !v->pm->width)
+
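Review bot: in the ASSPM_ENV_IMPORT branch, ptr is filled by zstrtol() but never read, so an environment value with trailing non-numeric text is accepted silently as its leading number. Either check *ptr after the call and decide explicitly what to do with leftover text, or add a comment that ignoring it is intended; as written the compiler may also warn about a variable that is set but not used.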