Ubuntu has issued an advisory on March 27: https://usn.ubuntu.com/3608-1/ Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
Assignee: bugsquad => shlomifCC: (none) => marja11
Already fixed in mga7 by the 5.5 version (according to the ChangeLog.)
Version: Cauldron => 6Status: NEW => ASSIGNED
Can I upgrade the mga6 package to zsh 5.5 too?
I'm not familiar enough with it to say, but as long as there aren't any incompatible changes, it should be fine.
Updated version also submitted by Shlomi to fix this for Mageia 6. Advisory: ======================== Updated zsh packages fix security vulnerabilities: Richard Maciel Costa discovered that Zsh incorrectly handled certain inputs. An attacker could possibly use this to cause a denial of service (CVE-2018-1071). It was discovered that Zsh incorrectly handled certain files. An attacker could possibly use this to execute arbitrary code (CVE-2018-1083). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1071 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1083 https://usn.ubuntu.com/3608-1/ ======================== Updated packages in core/updates_testing: ======================== zsh-5.5-1.1.mga6 zsh-doc-5.5-1.1.mga6 from zsh-5.5-1.1.mga6.src.rpm
Assignee: shlomif => qa-bugsWhiteboard: MGA6TOO => (none)CC: (none) => shlomif
Mageia 6, x86_64 Installed zsh then updated it. Changed user shell to /bin/zsh $ sudo chsh lcl then logged out and in. $ echo $SHELL /bin/zsh Open terminal windows all displayed the initial configuration dialogue to create a .zshrc file. Executed the configuration in one xterm and used quit in two others. $ cat .zshrc # Lines configured by zsh-newuser-install HISTFILE=~/.histfile HISTSIZE=1000 SAVEHIST=1000 setopt autocd bindkey -e # End of lines configured by zsh-newuser-install # The following lines were added by compinstall zstyle :compinstall filename '/home/lcl/.zshrc' autoload -Uz compinit compinit # End of lines added by compinstall All the normal terminal commands/keys seemed to work just as in bash. Tried history, !1, cut&paste into an editor, cd, ll .... My keyboard command mappings for emacs worked as before. Tab for file completion worked; and also for command completion. Another login cycle to make sure everything was still running properly. None of the six xterms showed the configuration dialogue any more. In the absence of any obvious PoC this is about all we can do for this bug. Giving it the OK.
CC: (none) => tarazed25Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0206.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
Fedora has issued an advisory for this on April 17: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YXTE6OF43VIKZO66REB25GZTGRUG2Z24/ This update also fixed CVE-2018-1100.
Summary: zsh new security issues CVE-2018-1071 and CVE-2018-1083 => zsh new security issues CVE-2018-1071, CVE-2018-1083, and CVE-2018-1100