Ubuntu has issued an advisory on March 27:
Mageia 5 and Mageia 6 are also affected.
Assigning to the registered maintainer.
Already fixed in mga7 by the 5.5 version (according to the ChangeLog).
Can I upgrade the mga6 package to zsh 5.5 too?
I'm not familiar enough with it to say, but as long as there aren't any incompatible changes, it should be fine.
Updated version also submitted by Shlomi to fix this for Mageia 6.
Updated zsh packages fix security vulnerabilities:
Richard Maciel Costa discovered that Zsh incorrectly handled certain inputs. An
attacker could possibly use this to cause a denial of service (CVE-2018-1071).
It was discovered that Zsh incorrectly handled certain files. An attacker could
possibly use this to execute arbitrary code (CVE-2018-1083).
Updated packages in core/updates_testing:
Mageia 6, x86_64
Installed zsh, then updated it. Changed user shell to /bin/zsh:
$ sudo chsh lcl
then logged out and in.
$ echo $SHELL
Open terminal windows all displayed the initial configuration dialogue to create a .zshrc file. Executed the configuration in one xterm and used quit in two others.
$ cat .zshrc
# Lines configured by zsh-newuser-install
# End of lines configured by zsh-newuser-install
# The following lines were added by compinstall
zstyle :compinstall filename '/home/lcl/.zshrc'
autoload -Uz compinit
# End of lines added by compinstall
All the normal terminal commands/keys seemed to work just as in bash.
Tried history, !1, cut&paste into an editor, cd, ll ....
My keyboard command mappings for emacs worked as before. Tab worked for file completion and also for command completion.
Another login cycle to make sure everything was still running properly. None of the six xterms showed the configuration dialogue any more.
In the absence of any obvious PoC this is about all we can do for this bug.
Giving it the OK.
An update for this issue has been pushed to the Mageia Updates repository.
Fedora has issued an advisory for this on April 17:
This update also fixed CVE-2018-1100.
zsh new security issues CVE-2018-1071 and CVE-2018-1083 =>
zsh new security issues CVE-2018-1071, CVE-2018-1083, and CVE-2018-1100