Security update for zsh SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:1093-1 Final 1 1 2018-04-26T17:48:59Z current 2018-04-26T17:48:59Z 2018-04-26T17:48:59Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for zsh This update for zsh fixes the following issues: - CVE-2014-10070: environment variable injection could lead to local privilege escalation (bnc#1082885) - CVE-2014-10071: buffer overflow in exec.c could lead to denial of service. (bnc#1082977) - CVE-2014-10072: buffer overflow In utils.c when scanning very long directory paths for symbolic links. (bnc#1082975) - CVE-2016-10714: In zsh before 5.3, an off-by-one error resulted in undersized buffers that were intended to support PATH_MAX characters. (bnc#1083250) - CVE-2017-18205: In builtin.c when sh compatibility mode is used, a NULL pointer dereference could lead to denial of service (bnc#1082998) - CVE-2018-1071: exec.c:hashcmd() function vulnerability could lead to denial of service. (bnc#1084656) - CVE-2018-1083: Autocomplete vulnerability could lead to privilege escalation. (bnc#1087026) - CVE-2018-7549: In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, as demonstrated by typeset -p. (bnc#1082991) - CVE-2017-18206: buffer overrun in xsymlinks could lead to denial of service (bnc#1083002) - Autocomplete and REPORTTIME broken (bsc#896914) This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2018-04/msg00073.html E-Mail link for openSUSE-SU-2018:1093-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 zsh-5.0.5-9.3.1 zsh-htmldoc-5.0.5-9.3.1 zsh-5.0.5-9.3.1 as a component of openSUSE Leap 42.3 zsh-htmldoc-5.0.5-9.3.1 as a component of openSUSE Leap 42.3 zsh before 5.0.7 allows evaluation of the initial values of integer variables imported from the environment (instead of treating them as literal numbers). That could allow local privilege escalation, under some specific and atypical conditions where zsh is being invoked in privilege-elevation contexts when the environment has not been properly sanitized, such as when zsh is invoked by sudo on systems where "env_reset" has been disabled. CVE-2014-10070 openSUSE Leap 42.3:zsh-5.0.5-9.3.1 openSUSE Leap 42.3:zsh-htmldoc-5.0.5-9.3.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-04/msg00073.html https://www.suse.com/security/cve/CVE-2014-10070.html CVE-2014-10070 https://bugzilla.suse.com/1082885 SUSE Bug 1082885 In exec.c in zsh before 5.0.7, there is a buffer overflow for very long fds in the ">& fd" syntax. CVE-2014-10071 openSUSE Leap 42.3:zsh-5.0.5-9.3.1 openSUSE Leap 42.3:zsh-htmldoc-5.0.5-9.3.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-04/msg00073.html https://www.suse.com/security/cve/CVE-2014-10071.html CVE-2014-10071 https://bugzilla.suse.com/1082977 SUSE Bug 1082977 In utils.c in zsh before 5.0.6, there is a buffer overflow when scanning very long directory paths for symbolic links. CVE-2014-10072 openSUSE Leap 42.3:zsh-5.0.5-9.3.1 openSUSE Leap 42.3:zsh-htmldoc-5.0.5-9.3.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-04/msg00073.html https://www.suse.com/security/cve/CVE-2014-10072.html CVE-2014-10072 https://bugzilla.suse.com/1082975 SUSE Bug 1082975 In zsh before 5.3, an off-by-one error resulted in undersized buffers that were intended to support PATH_MAX characters. CVE-2016-10714 openSUSE Leap 42.3:zsh-5.0.5-9.3.1 openSUSE Leap 42.3:zsh-htmldoc-5.0.5-9.3.1 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-04/msg00073.html https://www.suse.com/security/cve/CVE-2016-10714.html CVE-2016-10714 https://bugzilla.suse.com/1083250 SUSE Bug 1083250 In builtin.c in zsh before 5.4, when sh compatibility mode is used, there is a NULL pointer dereference during processing of the cd command with no argument if HOME is not set. CVE-2017-18205 openSUSE Leap 42.3:zsh-5.0.5-9.3.1 openSUSE Leap 42.3:zsh-htmldoc-5.0.5-9.3.1 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-04/msg00073.html https://www.suse.com/security/cve/CVE-2017-18205.html CVE-2017-18205 https://bugzilla.suse.com/1082998 SUSE Bug 1082998 In utils.c in zsh before 5.4, symlink expansion had a buffer overflow. CVE-2017-18206 openSUSE Leap 42.3:zsh-5.0.5-9.3.1 openSUSE Leap 42.3:zsh-htmldoc-5.0.5-9.3.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-04/msg00073.html https://www.suse.com/security/cve/CVE-2017-18206.html CVE-2017-18206 https://bugzilla.suse.com/1083002 SUSE Bug 1083002 zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd() function. A local attacker could exploit this to cause a denial of service. CVE-2018-1071 openSUSE Leap 42.3:zsh-5.0.5-9.3.1 openSUSE Leap 42.3:zsh-htmldoc-5.0.5-9.3.1 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-04/msg00073.html https://www.suse.com/security/cve/CVE-2018-1071.html CVE-2018-1071 https://bugzilla.suse.com/1084656 SUSE Bug 1084656 Zsh before version 5.4.2-test-1 is vulnerable to a buffer overflow in the shell autocomplete functionality. A local unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use autocomplete to traverse the before mentioned path. If the user affected is privileged, this leads to privilege escalation. CVE-2018-1083 openSUSE Leap 42.3:zsh-5.0.5-9.3.1 openSUSE Leap 42.3:zsh-htmldoc-5.0.5-9.3.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-04/msg00073.html https://www.suse.com/security/cve/CVE-2018-1083.html CVE-2018-1083 https://bugzilla.suse.com/1087026 SUSE Bug 1087026 In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, as demonstrated by typeset -p. CVE-2018-7549 openSUSE Leap 42.3:zsh-5.0.5-9.3.1 openSUSE Leap 42.3:zsh-htmldoc-5.0.5-9.3.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-04/msg00073.html https://www.suse.com/security/cve/CVE-2018-7549.html CVE-2018-7549 https://bugzilla.suse.com/1082991 SUSE Bug 1082991