Bug 651860 (CVE-2018-1083) - <app-shells/zsh-5.5: buffer overflow
Summary: <app-shells/zsh-5.5: buffer overflow
Status: RESOLVED FIXED
Alias: CVE-2018-1083
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa+ cve]
Keywords:
Depends on:
Blocks: CVE-2017-18205, CVE-2017-18206, CVE-2018-1071, CVE-2018-7548, CVE-2018-7549, CVE-2018-1100
Reported: 2018-03-28 18:30 UTC by Michael Boyle
Modified: 2018-07-02 15:59 UTC

See Also:
Package list:
app-shells/zsh-5.5
Runtime testing required: Yes
stable-bot: sanity-check+


Description Michael Boyle 2018-03-28 18:30:39 UTC
CVE-2018-1083

Zsh before version 5.4.2-test-1 is vulnerable to a buffer overflow in the shell autocomplete functionality. A local unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use autocomplete to traverse the before mentioned path. If the user affected is privileged, this leads to privilege escalation.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2018-04-08 21:58:52 UTC
This is not fixed in the upstream 5.4.2 source.
Comment 2 Rolf Eike Beer archtester 2018-04-09 17:53:40 UTC
Please set "Package list" field.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-04-09 17:56:12 UTC
(In reply to Rolf Eike Beer from comment #2)
> Please set "Package list" field.

Rolf, there is no fixed version yet for this, hence no packages can be added to the package list field.
Comment 4 Tim Harder gentoo-dev 2018-04-09 20:24:03 UTC
(In reply to Aaron Bauman from comment #3)
> (In reply to Rolf Eike Beer from comment #2)
> > Please set "Package list" field.
> 
> Rolf, there is no fixed version yet for this, hence no packages can be added
> to the package list field.

I assume this is fixed in 5.5 which is in the tree now that you could start stabilization for if you wanted to.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2018-04-09 20:47:00 UTC
(In reply to Tim Harder from comment #4)
> (In reply to Aaron Bauman from comment #3)
> > (In reply to Rolf Eike Beer from comment #2)
> > > Please set "Package list" field.
> > 
> > Rolf, there is no fixed version yet for this, hence no packages can be added
> > to the package list field.
> 
> I assume this is fixed in 5.5 which is in the tree now that you could start
> stabilization for if you wanted to.

Thanks for the bump, Tim!  It does indeed contain the fix.

@arches, please stabilize.
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2018-04-10 11:33:09 UTC
Stable on alpha.
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-04-10 11:45:00 UTC
amd64 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-04-11 20:39:39 UTC
x86 stable
Comment 9 Larry the Git Cow gentoo-dev 2018-04-11 21:22:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf003d922e7fab0ed4b5a032fc02ef97cab5e9f3

commit bf003d922e7fab0ed4b5a032fc02ef97cab5e9f3
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-04-11 21:10:31 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-11 21:21:52 +0000

    app-shells/zsh: stable 5.5 for sparc
    
    Bug: https://bugs.gentoo.org/651860
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 app-shells/zsh/zsh-5.5.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 10 Mart Raudsepp gentoo-dev 2018-04-12 10:29:39 UTC
arm64 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2018-04-13 19:32:39 UTC
commit 27df19524709fde3007fdd527e1692e6a95fb158
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Thu Apr 12 13:08:58 2018 +0200

    app-shells/zsh: Stable for HPPA too.
Comment 12 Larry the Git Cow gentoo-dev 2018-04-16 21:03:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=031aadc8a6caff6a4699bdd6d56bb462df61bc22

commit 031aadc8a6caff6a4699bdd6d56bb462df61bc22
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-04-16 20:55:53 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-16 21:02:59 +0000

    app-shells/zsh: stable 5.5 for ia64, bug #651860
    
    Bug: https://bugs.gentoo.org/651860
    Package-Manager: Portage-2.3.28, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 app-shells/zsh/zsh-5.5.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-04-19 20:55:14 UTC
arm stable
Comment 14 Larry the Git Cow gentoo-dev 2018-04-20 21:27:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d82e71cf188caa351fd4d4864ef12791be71796

commit 6d82e71cf188caa351fd4d4864ef12791be71796
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-04-20 21:26:42 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-20 21:27:33 +0000

    app-shells/zsh: stable 5.5 for ppc64, bug #651860
    
    Bug: https://bugs.gentoo.org/651860
    Package-Manager: Portage-2.3.28, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 app-shells/zsh/zsh-5.5.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 15 ernsteiswuerfel archtester 2018-04-22 01:17:52 UTC
ppc

All tests with USE="-unicode" fail (see bug #653704), and rdep mercurial fails (see bug #608720).

# cat zsh-651860.report 
USE tests started on Sa 21. Apr 13:04:07 CEST 2018

USE='caps doc examples -gdbm maildir -pcre -static -unicode' failed for =app-shells/zsh-5.5
USE='caps -doc -examples -gdbm -maildir pcre -static -unicode' failed for =app-shells/zsh-5.5
USE='-caps doc -examples -gdbm -maildir pcre -static -unicode' failed for =app-shells/zsh-5.5
USE='-caps doc examples -gdbm -maildir pcre -static -unicode' failed for =app-shells/zsh-5.5
USE='caps -doc -examples gdbm -maildir -pcre static -unicode' failed for =app-shells/zsh-5.5
USE='caps doc examples -gdbm -maildir pcre static -unicode' failed for =app-shells/zsh-5.5
USE='caps doc examples gdbm -maildir -pcre -static unicode'  succeeded for =app-shells/zsh-5.5
USE='caps doc examples -gdbm maildir -pcre -static unicode'  succeeded for =app-shells/zsh-5.5
USE='-caps doc -examples -gdbm -maildir pcre -static unicode'  succeeded for =app-shells/zsh-5.5
USE='caps -doc -examples gdbm -maildir pcre -static unicode'  succeeded for =app-shells/zsh-5.5
USE='-caps -doc examples gdbm -maildir pcre -static unicode'  succeeded for =app-shells/zsh-5.5
USE='-caps doc examples -gdbm maildir -pcre static unicode'  succeeded for =app-shells/zsh-5.5
 FEATURES= test succeeded for =app-shells/zsh-5.5

revdep tests started on Sa 21. Apr 17:24:30 CEST 2018

FEATURES= test USE='' succeeded for app-shells/gentoo-zsh-completions
FEATURES= test USE='zsh-completion' succeeded for dev-util/ninja
USE='zsh-completion' FEATURES=' test' failed for dev-vcs/mercurial
FEATURES= test USE='' succeeded for x11-misc/viewglob
Comment 16 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-05-26 12:52:32 UTC
ppc stable
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2018-05-26 14:02:11 UTC
GLSA request filed

@maintainer(s), please clean.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2018-05-26 15:42:01 UTC
This issue was resolved and addressed in
 GLSA 201805-10 at https://security.gentoo.org/glsa/201805-10
by GLSA coordinator Christopher Diaz Riveros (chrisadr).
Comment 19 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-05-26 15:43:00 UTC
Re-open for cleanup.

Thanks.
Comment 20 Aaron Bauman (RETIRED) gentoo-dev 2018-06-07 20:23:49 UTC
@maintainer(s), please clean vulnerable.
Comment 21 Michael Boyle 2018-07-02 02:49:16 UTC
@maintainer(s), please clean vulnerable.

Michael Boyle
Security Padawan
Comment 22 Larry the Git Cow gentoo-dev 2018-07-02 07:48:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e544d4c60f846622daf1fffde0fede19dee03a7e

commit e544d4c60f846622daf1fffde0fede19dee03a7e
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2018-07-02 07:47:58 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-07-02 07:48:21 +0000

    app-shells/zsh: Security cleanup.
    
    Bug: https://bugs.gentoo.org/651860
    Package-Manager: Portage-2.3.41, Repoman-2.3.9

 app-shells/zsh/Manifest            |   4 -
 app-shells/zsh/files/zprofile-1    |  42 -------
 app-shells/zsh/files/zprofile-2    |  41 -------
 app-shells/zsh/zsh-5.3.1.ebuild    | 217 -------------------------------------
 app-shells/zsh/zsh-5.4.2-r1.ebuild | 211 ------------------------------------
 5 files changed, 515 deletions(-)
Comment 23 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-07-02 15:59:18 UTC
Everything done, thank you all.