[Pkg-zsh-devel] Multiple vulnerabilities in stable zsh package?

Nathan Dorfman ndorf at rtfm.net
Fri Sep 28 02:09:11 BST 2018


Hello,

It seems that the stable version of the zsh package (5.3.1-4) might be
vulnerable to quite a few security issues:

CVE-2018-7549   In params.c in zsh through 5.4.2, there is a crash during a
                copy of an empty hash table, as demonstrated by typeset -p.
CVE-2018-7548   In subst.c in zsh through 5.4.2, there is a NULL pointer
                dereference when using ${(PA)...} on an empty array result.
CVE-2018-13259  An issue was discovered in zsh before 5.6. Shebang lines
                exceeding 64 characters were truncated, potentially leading to
                an execve call to a program name that is a substring of the
                intended one.
CVE-2018-1100   zsh through version 5.4.2 is vulnerable to a stack-based buffer
                overflow in the utils.c:checkmailpath function. A local
                attacker could exploit this to execute arbitrary code in the
                context of another user.
CVE-2018-1083   Zsh before version 5.4.2-test-1 is vulnerable to a buffer
                overflow in the shell autocomplete functionality. A local
                unprivileged user can create a specially crafted directory path
                which leads to code execution in the context of the user who
                tries to use autocomplete to traverse the before mentioned
                path. If the user affected is privileged, this leads to
                privilege escalation.
CVE-2018-1071   zsh through version 5.4.2 is vulnerable to a stack-based buffer
                overflow in the exec.c:hashcmd() function. A local attacker
                could exploit this to cause a denial of service.
CVE-2018-0502   An issue was discovered in zsh before 5.6. The beginning of a
                #! script file was mishandled, potentially leading to an execve
                call to a program named on the second line.
CVE-2017-18206  In utils.c in zsh before 5.4, symlink expansion had a buffer
                overflow.
CVE-2017-18205  In builtin.c in zsh before 5.4, when sh compatibility mode is
                used, there is a NULL pointer dereference during processing of
                the cd command with no argument if HOME is not set.

(Source: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=zsh )

I've only found some of the relevant upstream commits (the ones that contain
the string CVE), but those at least seem to cherry-pick cleanly into our stable
version.  Also, Ubuntu has fixes for all of these in their zsh packages
already. Although none of their releases use this exact zsh version, they've
patched versions 5.0.2, 5.1.1 and 5.4.2. For example:
http://changelogs.ubuntu.com/changelogs/pool/main/z/zsh/zsh_5.1.1-1ubuntu2.3/changelog

Unfortunately I don't know enough about working with Debian packages to provide
a complete fix, but if needed I could probably figure out the rest. Hopefully
someone can do it more easily than I :), but if I can be of any help, just
let me know.

-nd.
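The shebang-truncation case (CVE-2018-13259 in the list above) is the one that is easiest to reason about in code: a shell that falls back to parsing the "#!" line itself after the kernel returns ENOEXEC, and reads only a fixed window of the file, can hand execve() a prefix of the intended interpreter path. The following is an added illustration written for this page, not zsh's own exec.c code and not something the author posted; it models the window size (64 bytes) named in the CVE text and uses a constructed script path as sample input. The vulnerable model treats the end of the window as the end of the line; the hardened model refuses to guess when no newline terminates the line inside the window, and refuses an empty interpreter.

```python
"""Model of the shebang-truncation failure mode behind CVE-2018-13259.

Added illustration only (not zsh's code): a shell's ENOEXEC fallback that
parses "#!" from a fixed-size window and does not check that the line ended
inside that window can execve() a substring of the intended interpreter.
"""
from typing import Optional

# Window size taken from the CVE description ("exceeding 64 characters").
POUNDBANG_WINDOW = 64


def parse_shebang_truncating(script: bytes) -> Optional[str]:
    """Vulnerable model: read 64 bytes, treat end of window like end of line."""
    if not script.startswith(b"#!"):
        return None
    window = script[:POUNDBANG_WINDOW]
    line = window.split(b"\n", 1)[0]   # no newline in window -> whole window is "the line"
    fields = line[2:].split()
    return fields[0].decode() if fields else None


def parse_shebang_checked(script: bytes, limit: int = POUNDBANG_WINDOW) -> Optional[str]:
    """Hardened model: fail closed unless a complete, non-empty #! line fits."""
    if not script.startswith(b"#!"):
        return None
    window = script[:limit]
    nl = window.find(b"\n")
    if nl == -1:
        raise ValueError("#! line exceeds %d bytes; refusing to guess interpreter" % limit)
    fields = window[2:nl].split()
    if not fields:
        raise ValueError("#! line names no interpreter")
    return fields[0].decode()


# Constructed sample input (hypothetical path, 65 characters long, so the
# "#!" line is 67 bytes and overruns the 64-byte window inside the path).
LONG_INTERP = "/opt/vendor/tooling/releases/2018.09/python3-embedded/bin/python3"
LONG_SCRIPT = ("#!" + LONG_INTERP + "\nprint('hello')\n").encode()

# Constructed sample that fits the window: both parsers must agree.
SHORT_INTERP = "/usr/bin/python3"
SHORT_SCRIPT = ("#!" + SHORT_INTERP + "\nprint('hello')\n").encode()


def demonstrate() -> dict:
    """Return what each parser would pass to execve() for both samples."""
    result = {
        "intended": LONG_INTERP,
        "truncated": parse_shebang_truncating(LONG_SCRIPT),
        "short_truncating": parse_shebang_truncating(SHORT_SCRIPT),
        "short_checked": parse_shebang_checked(SHORT_SCRIPT),
    }
    try:
        parse_shebang_checked(LONG_SCRIPT)
        result["checked_refused"] = False
    except ValueError:
        result["checked_refused"] = True
    # The truncated name is a proper prefix of the intended one, which is
    # exactly the "substring of the intended one" the CVE text describes.
    result["is_prefix"] = LONG_INTERP.startswith(result["truncated"]) and \
        result["truncated"] != LONG_INTERP
    return result


if __name__ == "__main__":
    for k, v in demonstrate().items():
        print("%-18s %s" % (k, v))
```

The practical takeaway for anyone auditing an older zsh is that the danger is not the long line itself but the directory layout: an attacker who can create a file at the truncated prefix (here ".../bin/pyth") gets it executed in place of the real interpreter whenever the script is run by a fallback parser like the vulnerable model. Whether an installed zsh still behaves this way has to be confirmed against the package's actual changelog or upstream commits, not against this model.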
