[Pkg-zsh-devel] Bug#908000: zsh: CVE-2018-0502 + CVE-2018-13259: Two security bugs in shebang line parsing

Axel Beckert abe at debian.org
Wed Sep 5 01:23:05 BST 2018


Package: zsh
Version: 5.5.1-1
Severity: grave
Tags: security
Control: found -1 5.3.1-4
Control: fixed -1 5.6-1

Hi,

these two issues have already been fixed with the 5.6-1 upload which
happened just minutes after the embargo for these issues was over.

Because of the embargo there wasn't a proper bug report yet. So this bug
report is primarily to track the fix of these issues in Debian Buster,
Stretch and maybe also in Debian (E)LTS releases.

From the upstream 5.6 release notes:
> CVE-2018-0502: Data from the second line of a #! script file might be
> passed to execve().  For example, in the following situation -
>
>     printf '#!foo\nbar' > baz
>     ./baz
>
> the shell might take "bar" rather than "foo" for the argv[0] to be
> passed to execve().  [ Reported by Anthony Sottile and Buck Evan. ]
>
> CVE-2018-13259: A shebang line longer than 64 characters would be
> truncated.  For example, in the following situation:
>
>     ( printf '#!'; repeat 64 printf 'x'; printf 'y' ) > foo
>     ./foo
>
> the shell might execute x...x (64 repetitions) rather than x...xy (64
> x's, one y).  [ Reported by Daniel Shahaf. ]

Links into the Debian Security Tracker:

https://security-tracker.debian.org/tracker/CVE-2018-0502
https://security-tracker.debian.org/tracker/CVE-2018-13259

(JFTR: The Debian Security Team doesn't consider a DSA necessary for
these issues and recommends fixing the issues in Stretch via the next
Debian Minor Stable Update.)

Upstream release announcement:

https://www.zsh.org/mla/zsh-announce/136

Upstream fix/patch:

https://sourceforge.net/p/zsh/code/ci/1c4c7b6a4d17294df028322b70c53803a402233d

(Details about affected versions will follow soon.)
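
Added example (not part of the original message and not zsh or Debian code): a small audit helper that parses a shebang from the first line only and flags executable scripts whose interpreter line would be cut short on a zsh older than 5.6. The 64-byte limit counted after "#!" is an assumption modelled on the release-note example quoted above, and all function names are hypothetical.

```python
import os
import tempfile

# Assumption taken from the release-note example above, not from zsh's source:
# affected versions keep only the first 64 bytes after "#!".
PRE_FIX_LIMIT = 64

def read_shebang(path, max_bytes=4096):
    """Return the bytes after '#!' on the first line only, or None."""
    with open(path, "rb") as fh:
        head = fh.read(max_bytes)
    if not head.startswith(b"#!"):
        return None
    # Stop at the first newline: nothing from line two may reach execve().
    return head[2:].split(b"\n", 1)[0].strip()

def audit(path):
    """Classify one file as (status, full shebang, what a pre-fix parse keeps)."""
    line = read_shebang(path)
    if line is None:
        return ("no-shebang", None, None)
    kept = line[:PRE_FIX_LIMIT]
    status = "ok" if kept == line else "truncation-risk"
    return (status, line, kept)

def audit_tree(root):
    """Return {path: audit result} for executable files whose shebang would be cut."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and os.access(path, os.X_OK):
                result = audit(path)
                if result[0] == "truncation-risk":
                    flagged[path] = result
    return flagged

def demo():
    """Build the two constructed sample files from the release notes and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"baz": b"#!foo\nbar", "foo": b"#!" + b"x" * 64 + b"y"}
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, 0o755)
        results = {n: audit(os.path.join(tmp, n)) for n in samples}
        results["flagged"] = sorted(os.path.basename(p) for p in audit_tree(tmp))
        return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a host that cannot be upgraded to 5.6-1 right away, pointing audit_tree() at the script directories shows which files depend on the part of the interpreter line that would be lost.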
