Change-Id: Iac43cb03bcb23d9180d52ea05a6190b2dbb6329f
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5080
Tested-by: Xiaolin Li <xiaolinl@vmware.com>
Reviewed-by: Sharath George
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,32 @@ |
| 0 |
+https://sourceforge.net/p/zsh/code/ci/259ac472eac291c8c103c7a0d8a4eaf3c2942ed7 |
|
| 1 |
+Commit [259ac4] Maximize History |
|
| 2 |
+42519, CVE-2018-1083: check bounds on PATH_MAX-sized buffer used for file completion candidates |
|
| 3 |
+--- a/Src/Zle/compctl.c |
|
| 4 |
+@@ -2176,6 +2176,8 @@ |
|
| 5 |
+ if (prpre && *prpre) {
|
|
| 6 |
+ pathpref = dupstring(prpre); |
|
| 7 |
+ unmetafy(pathpref, &pathpreflen); |
|
| 8 |
++ if (pathpreflen > PATH_MAX) |
|
| 9 |
++ return; |
|
| 10 |
+ /* system needs NULL termination, not provided by unmetafy */ |
|
| 11 |
+ pathpref[pathpreflen] = '\0'; |
|
| 12 |
+ } else {
|
|
| 13 |
+@@ -2218,6 +2220,8 @@ |
|
| 14 |
+ * the path buffer by appending the filename. */ |
|
| 15 |
+ ums = dupstring(n); |
|
| 16 |
+ unmetafy(ums, ¨en); |
|
| 17 |
++ if (umlen + pathpreflen + 1 > PATH_MAX) |
|
| 18 |
++ continue; |
|
| 19 |
+ memcpy(q, ums, umlen); |
|
| 20 |
+ q[umlen] = '\0'; |
|
| 21 |
+ /* And do the stat. */ |
|
| 22 |
+@@ -2232,6 +2236,8 @@ |
|
| 23 |
+ /* We have to test for a path suffix. */ |
|
| 24 |
+ int o = strlen(p), tt; |
|
| 25 |
+ |
|
| 26 |
++ if (o + strlen(psuf) > PATH_MAX) |
|
| 27 |
++ continue; |
|
| 28 |
+ /* Append it to the path buffer. */ |
|
| 29 |
+ strcpy(p + o, psuf); |
|
| 30 |
+ |
|
| 0 | 31 |
\ No newline at end of file |
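Review bot: The header of the new patch file (its first four lines, before `--- a/Src/Zle/compctl.c`) is copied web-page text — `Commit [259ac4] Maximize History` is SourceForge UI wording rather than the upstream subject — and there is no `+++ b/Src/Zle/compctl.c` line, so `%patch2 -p1` depends on GNU patch inferring the target file from the `---` line alone. Replacing that second line with the upstream summary already present on the file's third line and adding `+++ b/Src/Zle/compctl.c` directly after the `---` line would make this a well-formed unified diff whose provenance (upstream commit 259ac472eac291c8c103c7a0d8a4eaf3c2942ed7, as given in the URL) is recorded in the file itself. The three added checks all use `> PATH_MAX`, which is only correct if the destination buffer is PATH_MAX+1 bytes; its declaration lies outside these hunks, so the bound should be confirmed against the buffer's size in the 5.3.1 source being patched. As rendered here the context lines have lost their indentation and `&umlen` appears as `¨en`; that is presumably page encoding rather than the committed bytes, since the hunks would be unlikely to apply otherwise, but the committed file is worth diffing against the upstream commit to be sure.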
| ... | ... |
@@ -3,7 +3,7 @@ |
| 3 | 3 |
Summary: Z shell |
| 4 | 4 |
Name: zsh |
| 5 | 5 |
Version: 5.3.1 |
| 6 |
-Release: 6%{?dist}
|
|
| 6 |
+Release: 7%{?dist}
|
|
| 7 | 7 |
License: MIT |
| 8 | 8 |
URL: http://zsh.sourceforge.net/ |
| 9 | 9 |
Group: System Environment/Shells |
| ... | ... |
@@ -15,6 +15,7 @@ Source1: zprofile.rhs |
| 15 | 15 |
Source2: zshrc |
| 16 | 16 |
Patch0: zsh-CVE-2018-7548.patch |
| 17 | 17 |
Patch1: zsh-CVE-2018-7549.patch |
| 18 |
+Patch2: zsh-CVE-2018-1083.patch |
|
| 18 | 19 |
|
| 19 | 20 |
BuildRequires: coreutils |
| 20 | 21 |
BuildRequires: tar |
| ... | ... |
@@ -62,6 +63,7 @@ This package contains the Zsh manual in html format. |
| 62 | 62 |
%setup -q |
| 63 | 63 |
%patch0 -p1 |
| 64 | 64 |
%patch1 -p1 |
| 65 |
+%patch2 -p1 |
|
| 65 | 66 |
|
| 66 | 67 |
%build |
| 67 | 68 |
# make loading of module's dependencies work again (#1277996) |
| ... | ... |
@@ -148,6 +150,8 @@ fi |
| 148 | 148 |
%doc Doc/*.html |
| 149 | 149 |
|
| 150 | 150 |
%changelog |
| 151 |
+* Tue Apr 24 2018 Xiaolin Li <xiaolinl@vmware.com> 5.3.1-7 |
|
| 152 |
+- Fix CVE-2018-1083 |
|
| 151 | 153 |
* Tue Apr 17 2018 Xiaolin Li <xiaolinl@vmware.com> 5.3.1-6 |
| 152 | 154 |
- Fix CVE-2018-7549 |
| 153 | 155 |
* Mon Mar 19 2018 Xiaolin Li <xiaolinl@vmware.com> 5.3.1-5 |