Bug 22846 - zsh new security issues CVE-2018-1071, CVE-2018-1083, and CVE-2018-1100
Summary: zsh new security issues CVE-2018-1071, CVE-2018-1083, and CVE-2018-1100
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-31 21:38 CEST by David Walser
Modified: 2018-04-22 00:01 CEST
Source RPM: zsh-5.3.1-1.2.mga6.src.rpm

Description David Walser 2018-03-31 21:38:52 CEST
Ubuntu has issued an advisory on March 27:
https://usn.ubuntu.com/3608-1/

Mageia 5 and Mageia 6 are also affected.

David Walser 2018-03-31 21:38:59 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-03-31 22:18:26 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 Shlomi Fish 2018-04-13 19:20:06 CEST
Already fixed in mga7 by the 5.5 version (according to the ChangeLog.)

Version: Cauldron => 6
Status: NEW => ASSIGNED

Comment 3 Shlomi Fish 2018-04-13 19:24:22 CEST
Can I upgrade the mga6 package to zsh 5.5 too?

Comment 4 David Walser 2018-04-14 02:05:55 CEST
I'm not familiar enough with it to say, but as long as there aren't any incompatible changes, it should be fine.

Comment 5 David Walser 2018-04-14 16:13:29 CEST
Updated version also submitted by Shlomi to fix this for Mageia 6.

Advisory:
========================

Updated zsh packages fix security vulnerabilities:

Richard Maciel Costa discovered that Zsh incorrectly handled certain inputs. An
attacker could possibly use this to cause a denial of service (CVE-2018-1071).

It was discovered that Zsh incorrectly handled certain files. An attacker could
possibly use this to execute arbitrary code (CVE-2018-1083).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1071
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1083
https://usn.ubuntu.com/3608-1/
========================

Updated packages in core/updates_testing:
========================
zsh-5.5-1.1.mga6
zsh-doc-5.5-1.1.mga6

from zsh-5.5-1.1.mga6.src.rpm

Assignee: shlomif => qa-bugs
Whiteboard: MGA6TOO => (none)
CC: (none) => shlomif

Comment 6 Len Lawrence 2018-04-15 17:16:48 CEST
Mageia 6, x86_64

Installed zsh then updated it.  Changed user shell to /bin/zsh
$ sudo chsh lcl

then logged out and in.  
$ echo $SHELL
/bin/zsh

Open terminal windows all displayed the initial configuration dialogue to create a .zshrc file.  Executed the configuration in one xterm and used quit in two others.
$ cat .zshrc
# Lines configured by zsh-newuser-install
HISTFILE=~/.histfile
HISTSIZE=1000
SAVEHIST=1000
setopt autocd
bindkey -e
# End of lines configured by zsh-newuser-install
# The following lines were added by compinstall
zstyle :compinstall filename '/home/lcl/.zshrc'

autoload -Uz compinit
compinit
# End of lines added by compinstall

All the normal terminal commands/keys seemed to work just as in bash.
Tried history, !1, cut&paste into an editor, cd, ll ....
My keyboard command mappings for emacs worked as before.  Tab for file completion worked; and also for command completion.

Another login cycle to make sure everything was still running properly.  None of the six xterms showed the configuration dialogue any more.

In the absence of any obvious PoC this is about all we can do for this bug.
Giving it the OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Len Lawrence 2018-04-17 23:57:43 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Lewis Smith 2018-04-20 08:56:34 CEST

Keywords: (none) => advisory

Comment 7 Mageia Robot 2018-04-20 19:24:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0206.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 8 David Walser 2018-04-22 00:01:11 CEST
Fedora has issued an advisory for this on April 17:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YXTE6OF43VIKZO66REB25GZTGRUG2Z24/

This update also fixed CVE-2018-1100.

Summary: zsh new security issues CVE-2018-1071 and CVE-2018-1083 => zsh new security issues CVE-2018-1071, CVE-2018-1083, and CVE-2018-1100