zsh: CVE-2018-0502 + CVE-2018-13259: Two security bugs in shebang line parsing

Related Vulnerabilities: CVE-2018-0502   CVE-2018-13259  

Debian Bug report logs - #908000

Reported by: Axel Beckert <abe@debian.org>

Date: Wed, 5 Sep 2018 00:27:02 UTC

Severity: grave

Tags: security

Found in versions zsh/5.5.1-1, zsh/5.3.1-4

Fixed in version zsh/5.6-1



Report forwarded to debian-bugs-dist@lists.debian.org, abe@debian.org, danielsh@apache.org, team@security.debian.org, Debian Zsh Maintainers <pkg-zsh-devel@lists.alioth.debian.org>:
Bug#908000; Package zsh. (Wed, 05 Sep 2018 00:27:04 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
New Bug report received and forwarded. Copy sent to abe@debian.org, danielsh@apache.org, team@security.debian.org, Debian Zsh Maintainers <pkg-zsh-devel@lists.alioth.debian.org>. (Wed, 05 Sep 2018 00:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zsh: CVE-2018-0502 + CVE-2018-13259: Two security bugs in shebang line parsing
Date: Wed, 05 Sep 2018 02:23:05 +0200
Package: zsh
Version: 5.5.1-1
Severity: grave
Tags: security
Control: found -1 5.3.1-4
Control: fixed -1 5.6-1

Hi,

these two issues have already been fixed with the 5.6-1 upload which
happened just minutes after the embargo for these issues was over.

Because of the embargo there wasn't a proper bug report yet. So this bug
report is primarily to track the fix of these issues in Debian Buster,
Stretch and maybe also in Debian (E)LTS releases.

From the upstream 5.6 release notes:
> CVE-2018-0502: Data from the second line of a #! script file might be
> passed to execve().  For example, in the following situation -
>
>     printf '#!foo\nbar' > baz
>     ./baz
>
> the shell might take "bar" rather than "foo" for the argv[0] to be
> passed to execve().  [ Reported by Anthony Sottile and Buck Evan. ]
>
> CVE-2018-13259: A shebang line longer than 64 characters would be
> truncated.  For example, in the following situation:
>
>     ( printf '#!'; repeat 64 printf 'x'; printf 'y' ) > foo
>     ./foo
>
> the shell might execute x...x (64 repetitions) rather than x...xy (64
> x's, one y).  [ Reported by Daniel Shahaf. ]

Links into the Debian Security Tracker:

https://security-tracker.debian.org/tracker/CVE-2018-0502
https://security-tracker.debian.org/tracker/CVE-2018-13259

(JFTR: The Debian Security Team doesn't consider a DSA necessary for
these issues and recommends fixing the issues in Stretch via the next
Debian Minor Stable Update.)

Upstream release announcement:

https://www.zsh.org/mla/zsh-announce/136

Upstream fix/patch:

https://sourceforge.net/p/zsh/code/ci/1c4c7b6a4d17294df028322b70c53803a402233d

(Details about affected versions will follow soon.)



Marked as found in versions zsh/5.3.1-4. Request was from Axel Beckert <abe@debian.org> to submit@bugs.debian.org. (Wed, 05 Sep 2018 00:27:04 GMT)


Marked as fixed in versions zsh/5.6-1. Request was from Axel Beckert <abe@debian.org> to submit@bugs.debian.org. (Wed, 05 Sep 2018 00:27:05 GMT)
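
An added example, not part of the bug report or of zsh's own code: a small shell audit that lists executable scripts whose #! line exceeds the 64-character limit named in the CVE-2018-13259 release note, so they can be reviewed on hosts that still run an affected zsh. The function names and the LIMIT variable are hypothetical, and because the page does not say exactly where the cut falls, the count conservatively includes the leading "#!".

```sh
#!/bin/sh
# Added example: find scripts whose #! line is longer than the limit quoted
# in the CVE-2018-13259 release note ("longer than 64 characters").
# Assumption: the length is counted over the whole first line, "#!" included,
# which flags slightly more files than a count of the interpreter part alone.

LIMIT=64

# Print the byte length of FILE's first line (newline excluded) when the file
# starts with "#!"; print nothing and return 1 for anything else.
shebang_len() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    [ "$(head -c 2 -- "$1" 2>/dev/null)" = '#!' ] || return 1
    head -n 1 -- "$1" | tr -d '\n' | wc -c | tr -d ' '
}

# Walk DIR and print "LENGTH<TAB>PATH" for every owner-executable regular
# file whose #! line is longer than LIMIT. Only executable files matter here,
# because the truncation happens when the shell is asked to run the file.
audit_shebangs() {
    find "$1" -type f -perm -u+x -print | while IFS= read -r f; do
        n=$(shebang_len "$f") || continue
        if [ "$n" -gt "$LIMIT" ]; then
            printf '%s\t%s\n' "$n" "$f"
        fi
    done
}

# Stand-alone use: sh audit.sh /usr/local/bin
if [ "$#" -gt 0 ]; then
    audit_shebangs "$1"
fi
```

Paths containing newlines are not handled by the read loop; every reported file should have its interpreter path shortened or be run only under a fixed zsh.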



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:10:16 2019; Machine Name: buxtehude
