Re: [Pkg-zsh-devel] Wheezy update of zsh?

2018-03-09 Thread Axel Beckert
Hi,

Chris Lamb wrote:
> > >> I prepared an update[1] for zsh. Debdiff attached along with the mail.
> > >> It would be great if you do some testing.
> > > 
> > > Works for me... :)
> > 
> > It will be helpful if someone could upload zsh. Once it is accepted to the
> > archive I will release the DLA.
> 
> I'll upload zsh 4.3.17-1+deb7u1 now and — to save delays — announce the
> DLA too. :)

Thanks Abhijith and Chris!

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Re: [Pkg-zsh-devel] Wheezy update of zsh?

2018-03-09 Thread Chris Lamb
Chris Lamb wrote:

> I'll upload zsh 4.3.17-1+deb7u1 now and — to save delays — announce the
> DLA too. :)

Uploaded and announced as DLA-1304-1. Thank you. :)


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: [Pkg-zsh-devel] Wheezy update of zsh?

2018-03-09 Thread Chris Lamb
Hi Abhijith,

> >> I prepared an update[1] for zsh. Debdiff attached along with the mail.
> >> It would be great if you do some testing.
> > 
> > Works for me... :)
> 
> It will be helpful if someone could upload zsh. Once it is accepted to the
> archive I will release the DLA.

I'll upload zsh 4.3.17-1+deb7u1 now and — to save delays — announce the
DLA too. :)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: [Pkg-zsh-devel] Wheezy update of zsh?

2018-03-09 Thread Abhijith PA


On Thursday 08 March 2018 10:35 AM, Chris Lamb wrote:
> Hi Abhijith,
> 
>> I prepared an update[1] for zsh. Debdiff attached along with the mail.
>> It would be great if you do some testing.
> 
> Works for me... :)
> 
> 
> Regards,
> 

It will be helpful if someone could upload zsh. Once it is accepted to the
archive I will release the DLA.

 -abhijith



Re: [Pkg-zsh-devel] Wheezy update of zsh?

2018-03-07 Thread Chris Lamb
Hi Abhijith,

> I prepared an update[1] for zsh. Debdiff attached along with the mail.
> It would be great if you do some testing.

Works for me... :)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: [Pkg-zsh-devel] Wheezy update of zsh?

2018-03-05 Thread Abhijith PA
Hi.

On Thursday 01 March 2018 04:20 AM, Axel Beckert wrote:

[..]

> I do not demand to test the package, but I offer to do so. I actually
> feel a little bit obliged towards the LTS team to do at least that.
> :-)
> 
> So feel free to contact me (or the pkg-zsh-devel list) once a package
> is available for testing.
> 

I prepared an update[1] for zsh. Debdiff attached along with the mail.
It would be great if you do some testing.

[..]
>   Regards, Axel
> 

Thanks
-abhijith
wearing Debian LTS member hat.


[1] https://mentors.debian.net/debian/pool/main/z/zsh/zsh_4.3.17-1+deb7u1.dsc
build: http://159.65.202.84/
diff -Nru zsh-4.3.17/debian/changelog zsh-4.3.17/debian/changelog
--- zsh-4.3.17/debian/changelog 2012-02-29 05:05:54.0 +0530
+++ zsh-4.3.17/debian/changelog 2018-03-05 21:34:11.0 +0530
@@ -1,3 +1,18 @@
+zsh (4.3.17-1+deb7u1) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * Fix CVE-2014-10070: privilege-elevation contexts when the
+environment has not been properly sanitized
+  * Fix CVE-2014-10071: buffer overflow for very long fds in the
+">& fd" syntax in exec.c
+  * Fix CVE-2014-10072: buffer overflow when scanning very long
+directory paths for symbolic links
+  * Fix CVE-2016-10714: off-by-one error resulted in undersized buffers
+that were intended to support PATH_MAX
+  * Fix CVE-2017-18206: symlink expansion has buffer overflow
+
+ -- Abhijith PA   Mon, 05 Mar 2018 16:04:11 +
+
 zsh (4.3.17-1) unstable; urgency=low
 
   * New upstream release
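Review bot: the CVE-2014-10070 changelog entry reads as a context fragment rather than a description of the defect; suggest wording it after the patch's own Description, e.g. `Fix CVE-2014-10070: initial values of integer variables imported from the environment were arithmetically evaluated, allowing local privilege escalation in privilege-elevation contexts where the environment was not sanitized`. Separately, the entry claims fixes for five CVEs, but the debdiff as quoted in this mail breaks off partway through debian/patches/CVE-2014-10070.patch, so the other four patches and the debian/patches/series change cannot be reviewed from the mail; reviewers should pull the full source via the mentors .dsc link above.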
diff -Nru zsh-4.3.17/debian/patches/CVE-2014-10070.patch 
zsh-4.3.17/debian/patches/CVE-2014-10070.patch
--- zsh-4.3.17/debian/patches/CVE-2014-10070.patch  1970-01-01 
05:30:00.0 +0530
+++ zsh-4.3.17/debian/patches/CVE-2014-10070.patch  2018-03-05 
19:40:59.0 +0530
@@ -0,0 +1,105 @@
+Description: Fix CVE-2014-10070
+ Zsh version before 5.0.7 allows evaluation of the initial values of integer 
+ variables imported from the environment (instead of treating them as literal 
+ numbers). That could allow local privilege escalation, under some specific 
and 
+ atypical conditions where zsh is being invoked in privilege-elevation contexts
+ when the environment has not been properly sanitized, such as when zsh is 
+ invoked by sudo on systems where "env_reset" has been disabled 
+ .
+ This patch tries to safely import numerical variables from environment.
+Author: Abhijith PA 
+Origin: 
https://sourceforge.net/p/zsh/code/ci/546203a770cec329e73781c3c8ab1078390aee72
+Last-Update: 2018-03-04
+
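Review bot: since this patch is a backport of the upstream commit named in the Origin URL, DEP-3 prefers `Origin: backport, https://sourceforge.net/p/zsh/code/ci/546203a770cec329e73781c3c8ab1078390aee72`, and the Author field should credit whoever wrote the upstream change rather than the person doing the backport; a `Bug-Debian:` field (if a Debian bug exists) would also make the security-tracker entry reachable from the patch itself. The Description is good as written: it names the root cause (arithmetic evaluation of environment-supplied integer values) and the realistic exposure (zsh invoked via sudo with env_reset disabled), which is exactly what a later maintainer needs.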
+--- zsh-4.3.17.orig/Src/params.c
 zsh-4.3.17/Src/params.c
+@@ -318,9 +318,12 @@ IPDEF4("ZSH_SUBSHELL", &zsh_subshell),
+ #define IPDEF5(A,B,F) {{NULL,A,PM_INTEGER|PM_SPECIAL},BR((void 
*)B),GSU(varinteger_gsu),10,0,NULL,NULL,NULL,0}
+ IPDEF5("COLUMNS", &zterm_columns, zlevar_gsu),
+ IPDEF5("LINES", &zterm_lines, zlevar_gsu),
+-IPDEF5("OPTIND", &zoptind, varinteger_gsu),
+ IPDEF5("SHLVL", &shlvl, varinteger_gsu),
+-IPDEF5("TRY_BLOCK_ERROR", &try_errflag, varinteger_gsu),
++
++/* Don't import internal integer status variables. */
++#define IPDEF6(A,B,F) {{NULL,A,PM_INTEGER|PM_SPECIAL|PM_DONTIMPORT},BR((void 
*)B),GSU(F),10,0,NULL,NULL,NULL,0}
++IPDEF6("OPTIND", &zoptind, varinteger_gsu),
++IPDEF6("TRY_BLOCK_ERROR", &try_errflag, varinteger_gsu),
+ 
+ #define IPDEF7(A,B) {{NULL,A,PM_SCALAR|PM_SPECIAL},BR((void 
*)B),GSU(varscalar_gsu),0,0,NULL,NULL,NULL,0}
+ IPDEF7("OPTARG", &zoptarg),
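Review bot: IPDEF6 is a copy of IPDEF5 with PM_DONTIMPORT added, but the two macros also differ in a second, easy-to-miss way: the pre-existing IPDEF5 hard-codes `GSU(varinteger_gsu)` and never uses its F argument (so `IPDEF5("COLUMNS", &zterm_columns, zlevar_gsu)` does not actually install zlevar_gsu), whereas IPDEF6 uses `GSU(F)`. That is in the unchanged context lines, not introduced here, but a one-line comment or a follow-up would stop someone later "harmonising" one macro with the other without checking which GSU each variable really needs. The effect of the hunk itself is the intended one: OPTIND and TRY_BLOCK_ERROR are shell-internal counters, so refusing to import them from the environment removes two of the integer parameters an unsanitized environment could previously seed.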
+@@ -733,7 +736,8 @@ createparamtable(void)
+   if (!idigit(*iname) && isident(iname) && !strchr(iname, '[')) {
+   if ((!(pm = (Param) paramtab->getnode(paramtab, iname)) ||
+!(pm->node.flags & PM_DONTIMPORT || pm->node.flags & 
PM_EXPORTED)) &&
+-  (pm = setsparam(iname, metafy(ivalue, -1, META_DUP {
++  (pm = assignsparam(iname, metafy(ivalue, -1, META_DUP),
++   ASSPM_ENV_IMPORT))) {
+   pm->node.flags |= PM_EXPORTED;
+   if (pm->node.flags & PM_SPECIAL)
+   pm->env = mkenvstr (pm->node.nam,
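Review bot: `ASSPM_ENV_IMPORT` is a new flag and its `#define` is not in any hunk visible here; because the debdiff in this mail is cut off, check that the full patch carries that definition (and an assignsparam() prototype that accepts a flags argument in 4.3.17), otherwise the build fails at this line. The logic of the hunk is correct: parameters flagged PM_DONTIMPORT or already PM_EXPORTED are still skipped by the unchanged condition above, and only the remaining names go through assignsparam() with the import flag, which is the hook that the PM_INTEGER change in the later hunk depends on.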
+@@ -2249,6 +2253,13 @@ export_param(Param pm)
+ mod_export void
+ setstrvalue(Value v, char *val)
+ {
++assignstrvalue(v, val, 0);
++}
++
++/**/
++mod_export void
++assignstrvalue(Value v, char *val, int flags)
++{
+ if (unset(EXECOPT))
+   return;
+ if (v->pm->node.flags & PM_READONLY) {
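Review bot: turning setstrvalue() into a wrapper that calls assignstrvalue(v, val, 0) keeps every existing caller on the old behaviour, which is the right way to add a flag without auditing all call sites. What the visible hunks do not show is the plumbing in between: assignsparam() receives ASSPM_ENV_IMPORT in the createparamtable() hunk, but nothing shown here passes that flag on to assignstrvalue(); confirm the full patch changes the setstrvalue(v, val) call inside assignsparam() to assignstrvalue(v, val, flags), otherwise the flag is dropped and the environment-import path below is never taken. Keep the `/**/` marker before the new function; zsh's makepro step uses it to generate the prototype.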
+@@ -2325,7 +2336,13 @@ setstrvalue(Value v, char *val)
+   break;
+ case PM_INTEGER:
+   if (val) {
+-  v->pm->gsu.i->setfn(v->pm, mathevali(val));
++  zlong ival;
++  if (flags & ASSPM_ENV_IMPORT) {
++  char *ptr;
++  ival = zstrtol(val, &ptr, 0);
++  } else
++  ival = mathevali(val);
++  v->pm->gsu.i->setfn(v->pm, ival);
+   if ((v->pm->node.flags & (PM_LEFT | PM_RIGHT_B | PM_RIGHT_Z)) &&
+   !v->pm->width)
+   
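Review bot: this hunk is the actual mitigation and the trade-off deserves a sentence in the patch header: for values imported from the environment, `zstrtol(val, &ptr, 0)` converts a plain numeric literal (base 0 also accepts a 0x hex prefix and leading-zero octal) instead of handing the string to mathevali(), whose full arithmetic evaluation of an attacker-controlled string is what the CVE is about. `ptr` is written but never examined, so an environment value such as `3abc` is silently accepted as 3 with no diagnostic; either test `*ptr` and emit a warning, or pass a NULL end pointer if zstrtol permits it, so that the lenient parsing is explicit rather than accidental. Note also that the debdiff quoted in this mail ends mid-hunk here (the `+` line after `!v->pm->width` is empty), so the remainder of this patch and the other four CVE patches cannot be reviewed from the mail.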

Re: [Pkg-zsh-devel] Wheezy update of zsh?

2018-02-28 Thread Axel Beckert
Hi Antoine,

Antoine Beaupre wrote:
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of zsh:
> 
> https://security-tracker.debian.org/tracker/CVE-2017-18206
> https://security-tracker.debian.org/tracker/CVE-2016-10714
> https://security-tracker.debian.org/tracker/CVE-2014-10072
> https://security-tracker.debian.org/tracker/CVE-2014-10071
> https://security-tracker.debian.org/tracker/CVE-2014-10070
> 
> Would you like to take care of this yourself?

At least I'm not keen on it. I'm rather working on getting rid of all
my remaining Wheezy installations (at least 5 or so) and upgrade them,
preferably twice in a row. ;-)

Anyways: Wheezy was the first Debian release where Zsh was
team-maintained and hence it should not be too ugly a package to
update. If you have questions on the background of some aspects, feel
free to ask.

I can't really speak for all team members, but I don't expect much of a
different response from most of them given their current busyness on
other topics.

So feel free to go ahead.

> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.

I do not demand to test the package, but I offer to do so. I actually
feel a little bit obliged towards the LTS team to do at least that.
:-)

So feel free to contact me (or the pkg-zsh-devel list) once a package
is available for testing.

> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of zsh updates
> for the LTS releases.

Should be generally fine. But if possible use only the mailing list
for that: All Uploaders are subscribed AFAIK and some more people who
might be able to help (Daniel Shahaf comes to my mind :-) are
subscribed, too.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

