[Pkg-zsh-devel] Bug#895225: zsh: CVE-2018-1100: check bounds on buffer in mail checking

Axel Beckert abe at debian.org
Sun Apr 8 13:57:52 UTC 2018


Package: zsh
Version: 3.1.7-1
Severity: normal
Tags: security fixed-upstream patch
Control: forwarded -1 https://www.zsh.org/cgi-bin/mla/redirect?WORKERNUMBER=42607

Hi,

there has been another security fix at zsh upstream:
https://www.zsh.org/cgi-bin/mla/redirect?WORKERNUMBER=42607
https://sourceforge.net/p/zsh/code/ci/31f72205630687c1cef89347863aab355296a27f/

git.code.sf.net is currently unreachable for me (ping
timeout), but the mirror at GitHub already has it, too:
https://github.com/zsh-users/zsh/commit/31f72205630687c1cef89347863aab355296a27f

That way I could attach the upstream patch to this mail:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2018-1100.patch
Type: text/x-diff
Size: 1344 bytes
Desc: CVE-2018-1100 patch
URL: <http://lists.alioth.debian.org/pipermail/pkg-zsh-devel/attachments/20180408/5cebd063/attachment.patch>
-------------- next part --------------

This will likely be part of the upcoming 5.5 release, maybe also of a
potential further release candidate. JFTR: It is not fixed in zsh
5.4.2-test-2-1 which I uploaded yesterday to experimental as the
upstream git tag for that release candidate is from Thursday while the
commit mentioned above is from Saturday.

According to "git blame", this code was last touched between
the 3.1.6 and 3.1.7 releases (i.e. in April 2000), so declaring it as
introduced with 3.1.7 for now. The bug itself might affect even older
releases since the commit db663c824a (which last touched these lines)
seems to primarily change code indentation. But for Debian it does
not really matter how early it has been introduced, so I stop digging
here.


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages zsh depends on:
ii  libc6       2.27-3
ii  libcap2     1:2.25-1.2
ii  libtinfo5   6.1-1
ii  zsh-common  5.4.2-4

Versions of packages zsh recommends:
ii  libc6         2.27-3
ii  libncursesw5  6.1-1
ii  libpcre3      2:8.39-9

Versions of packages zsh suggests:
ii  zsh-doc  5.4.2-4

-- no debconf information

