Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 665278 (CVE-2018-0502, CVE-2018-13259) - <app-shells/zsh-5.6: multiple vulnerabilities (CVE-2018-{0502,13259})
Summary: <app-shells/zsh-5.6: multiple vulnerabilities (CVE-2018-{0502,13259})
Status: RESOLVED FIXED
Alias: CVE-2018-0502, CVE-2018-13259
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://sourceforge.net/p/zsh/code/ci...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-05 15:26 UTC by Dimitris Nakos (sokan)
Modified: 2019-03-10 02:23 UTC (History)
2 users (show)

See Also:
Package list:
app-shells/zsh-5.6.2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Dimitris Nakos (sokan) 2018-09-05 15:26:27 UTC
CVE-2018-13259
An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one. 

CVE-2018-0502
An issue was discovered in zsh before 5.6. The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line. 

Demetris Nakos
-Gentoo Security Padawan-
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-09-05 17:29:00 UTC
@ Maintainer(s): Can we already start stabilization of =app-shells/zsh-5.6?
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-12-02 17:01:32 UTC
@arches, please stabilize.
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-03 06:46:17 UTC
amd64 stable
Comment 4 Rolf Eike Beer archtester 2018-12-05 17:35:08 UTC
sparc stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-07 02:44:03 UTC
x86 stable
Comment 6 Mart Raudsepp gentoo-dev 2018-12-07 19:06:14 UTC
arm64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-12-08 10:03:28 UTC
ia64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2018-12-08 10:23:49 UTC
ppc stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-12-08 10:56:35 UTC
ppc64 stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-08 11:52:18 UTC
arm stable
Comment 11 Matt Turner gentoo-dev 2018-12-23 03:20:57 UTC
alpha stable
Comment 12 Matt Turner gentoo-dev 2018-12-30 20:23:23 UTC
hppa stable. all arches stable
Comment 13 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2018-12-30 22:31:03 UTC
D'uh... sorry guys. I completely forgot this being a security bug...
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2019-03-10 02:23:34 UTC
This issue was resolved and addressed in
 GLSA 201903-02 at https://security.gentoo.org/glsa/201903-02
by GLSA coordinator Aaron Bauman (b-man).