
Bug 665278 (CVE-2018-0502, CVE-2018-13259)

Summary: <app-shells/zsh-5.6: multiple vulnerabilities (CVE-2018-{0502,13259})
Product: Gentoo Security
Reporter: Dimitris Nakos (sokan) <sokan>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: polynomial-c, radhermit
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://sourceforge.net/p/zsh/code/ci/zsh-5.6/tree/NEWS
Whiteboard: B2 [glsa+ cve]
Package list:
app-shells/zsh-5.6.2
Runtime testing required: ---

Description Dimitris Nakos (sokan) 2018-09-05 15:26:27 UTC
CVE-2018-13259
An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one.

CVE-2018-0502
An issue was discovered in zsh before 5.6. The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line.

Demetris Nakos
-Gentoo Security Padawan-
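An audit of script files for the two shebang shapes described above, as an added example that is not code from this bug, from zsh or from the GLSA. It assumes the 64-byte limit of CVE-2018-13259 counts from the start of the file ("#!" included), reads CVE-2018-0502 as a shebang line that names no interpreter (the bug text does not spell out the trigger), and uses constructed sample scripts.

```python
# Added example (not zsh's code): flag shebang lines a zsh before 5.6 would
# mishandle, and show which interpreter name the truncation would produce.
from __future__ import annotations

SHEBANG_LIMIT = 64  # limit stated in CVE-2018-13259; assumed to include "#!"


def first_token(data: bytes) -> str:
    """First whitespace-delimited token of data, or '' if there is none."""
    parts = data.split()
    return parts[0].decode(errors="replace") if parts else ""


def intended_interpreter(line: bytes) -> str:
    """Interpreter named by a full '#!' line (everything after '#!')."""
    return first_token(line[2:])


def interpreter_as_seen(line: bytes, limit: int = SHEBANG_LIMIT) -> str:
    """Interpreter an affected zsh would see: first token of the line cut at `limit` bytes.
    For an over-long path this is a prefix (substring) of the intended name."""
    return first_token(line[2:limit])


def audit_script(script: bytes) -> list[str]:
    """Return findings for one script's raw content (empty list = nothing found)."""
    if not script.startswith(b"#!"):
        return []  # not a #! script; the affected execve path is not taken
    line = script.split(b"\n", 1)[0]
    intended = intended_interpreter(line)
    findings = []
    if len(line) > SHEBANG_LIMIT:
        findings.append(f"shebang is {len(line)} bytes (limit {SHEBANG_LIMIT}): "
                        f"intended {intended!r}, affected zsh would execve "
                        f"{interpreter_as_seen(line)!r} (CVE-2018-13259)")
    if not intended:
        findings.append("shebang names no interpreter; an affected zsh may run "
                        "a program named on the next line (CVE-2018-0502)")
    return findings


# Constructed sample scripts: one over the limit, one bare "#!", one fine.
SAMPLES = {
    "long.sh": b"#!/opt/vendor/toolchains/release-2018.09/x86_64-linux/bin/python3 -E\nprint(1)\n",
    "bare.sh": b"#!\necho second line\n",
    "ok.sh": b"#!/bin/zsh -f\necho ok\n",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        for finding in audit_script(content) or ["ok"]:
            print(f"{name}: {finding}")
```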
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-09-05 17:29:00 UTC
@ Maintainer(s): Can we already start stabilization of =app-shells/zsh-5.6?
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-12-02 17:01:32 UTC
@arches, please stabilize.
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-03 06:46:17 UTC
amd64 stable
Comment 4 Rolf Eike Beer archtester 2018-12-05 17:35:08 UTC
sparc stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-07 02:44:03 UTC
x86 stable
Comment 6 Mart Raudsepp gentoo-dev 2018-12-07 19:06:14 UTC
arm64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-12-08 10:03:28 UTC
ia64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2018-12-08 10:23:49 UTC
ppc stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-12-08 10:56:35 UTC
ppc64 stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-08 11:52:18 UTC
arm stable
Comment 11 Matt Turner gentoo-dev 2018-12-23 03:20:57 UTC
alpha stable
Comment 12 Matt Turner gentoo-dev 2018-12-30 20:23:23 UTC
hppa stable. All arches stable.
Comment 13 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2018-12-30 22:31:03 UTC
D'uh... sorry guys. I completely forgot this being a security bug...
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2019-03-10 02:23:34 UTC
This issue was resolved and addressed in GLSA 201903-02 at https://security.gentoo.org/glsa/201903-02 by GLSA coordinator Aaron Bauman (b-man).