[Pkg-zsh-devel] Bug#908000: zsh: CVE-2018-0502 + CVE-2018-13259: Two security bugs in shebang line parsing
Axel Beckert, abe at debian.org
Wed Sep  5 01:23:05 BST 2018

Package: zsh
Version: 5.5.1-1
Severity: grave
Tags: security
Control: found -1 5.3.1-4
Control: fixed -1 5.6-1

Hi,

these two issues have already been fixed with the 5.6-1 upload which
happened just minutes after the embargo for these issues was over.

Because of the embargo there wasn't a proper bug report yet. So this bug
report is primarily to track the fix of these issues in Debian Buster,
Stretch and maybe also in Debian (E)LTS releases.

From the upstream 5.6 release notes:

> CVE-2018-0502: Data from the second line of a #! script file might be
> passed to execve().  For example, in the following situation -
>
>     printf '#!foo\nbar' > baz
>     ./baz
>
> the shell might take "bar" rather than "foo" for the argv[0] to be
> passed to execve().  [ Reported by Anthony Sottile and Buck Evan. ]
>
> CVE-2018-13259: A shebang line longer than 64 characters would be
> truncated.  For example, in the following situation:
>
>     ( printf '#!'; repeat 64 printf 'x'; printf 'y' ) > foo
>     ./foo
>
> the shell might execute x...x (64 repetitions) rather than x...xy (64
> x's, one y).  [ Reported by Daniel Shahaf. ]

Links into the Debian Security Tracker:

https://security-tracker.debian.org/tracker/CVE-2018-0502
https://security-tracker.debian.org/tracker/CVE-2018-13259

(JFTR: The Debian Security Team doesn't consider a DSA necessary for
these issues and recommends fixing the issues in Stretch via the next
Debian Minor Stable Update.)

Upstream release announcement:

https://www.zsh.org/mla/zsh-announce/136

Upstream fix/patch:

https://sourceforge.net/p/zsh/code/ci/1c4c7b6a4d17294df028322b70c53803a402233d

(Details about affected versions will follow soon.)
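
Until the fixed package is installed, an audit of existing scripts shows which ones carry a `#!` line long enough to fall under the truncation described for CVE-2018-13259. The script below is an added example, not part of the original message or of zsh; the function names are hypothetical, and counting the whole first line (including `#!`) against the 64-character limit is a conservative assumption.

```shell
#!/bin/sh
# Added example (not from the post or from zsh): list executable files whose
# "#!" line exceeds the 64-character limit named for CVE-2018-13259.
LIMIT=64  # assumption: count the whole first line, "#!" included (conservative)

# Print the byte length of FILE's first line if it starts with "#!"; else return 1.
shebang_len() {
    magic=$(head -c 2 "$1" 2>/dev/null | tr -d '\0')
    [ "$magic" = '#!' ] || return 1
    # Bound the read, keep line 1, drop its newline, count bytes.
    head -c 4096 "$1" | head -n 1 | tr -d '\n' | wc -c | tr -d ' '
}

# Print "LENGTH<TAB>PATH" for each owner-executable file under DIR over LIMIT.
audit_shebangs() {
    find "$1" -type f -perm -100 2>/dev/null | while IFS= read -r f; do
        n=$(shebang_len "$f") || continue
        if [ "$n" -gt "$LIMIT" ]; then printf '%s\t%s\n' "$n" "$f"; fi
    done
}

# Constructed sample files, modelled on the release-note reproducer.
make_samples() {
    printf '#!/bin/sh\necho ok\n' > "$1/short"
    { printf '#!'; head -c 64 /dev/zero | tr '\0' x; printf 'y\n'; } > "$1/long"
    printf 'plain text, no interpreter line\n' > "$1/data"
    chmod +x "$1/short" "$1/long" "$1/data"
}

# Stand-alone use: sh audit.sh /usr/local/bin
if [ "$#" -gt 0 ]; then audit_shebangs "$1"; fi
```

Files it reports are candidates for shortening the interpreter path or for review once zsh 5.6-1 or later is in place.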