Security update for zsh SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:1072-1 Final 1 1 2018-04-25T12:15:43Z current 2018-04-25T12:15:43Z 2018-04-25T12:15:43Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for zsh This update for zsh fixes the following issues: - CVE-2014-10070: environment variable injection could lead to local privilege escalation (bnc#1082885) - CVE-2014-10071: buffer overflow in exec.c could lead to denial of service. (bnc#1082977) - CVE-2014-10072: buffer overflow In utils.c when scanning very long directory paths for symbolic links. (bnc#1082975) - CVE-2016-10714: In zsh before 5.3, an off-by-one error resulted in undersized buffers that were intended to support PATH_MAX characters. (bnc#1083250) - CVE-2017-18205: In builtin.c when sh compatibility mode is used, a NULL pointer dereference could lead to denial of service (bnc#1082998) - CVE-2018-1071: exec.c:hashcmd() function vulnerability could lead to denial of service. (bnc#1084656) - CVE-2018-1083: Autocomplete vulnerability could lead to privilege escalation. (bnc#1087026) - CVE-2018-7549: In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, as demonstrated by typeset -p. (bnc#1082991) - CVE-2017-18206: buffer overrun in xsymlinks could lead to denial of service (bnc#1083002) - Autocomplete and REPORTTIME broken (bsc#896914) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-SP3-2018-733,SUSE-SLE-SERVER-12-SP3-2018-733 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20181072-1/ Link for SUSE-SU-2018:1072-1 https://lists.opensuse.org/opensuse-security-announce/2018-04/msg00070.html E-Mail link for SUSE-SU-2018:1072-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1082885 SUSE Bug 1082885 https://bugzilla.suse.com/1082975 SUSE Bug 1082975 https://bugzilla.suse.com/1082977 SUSE Bug 1082977 https://bugzilla.suse.com/1082991 SUSE Bug 1082991 https://bugzilla.suse.com/1082998 SUSE Bug 1082998 https://bugzilla.suse.com/1083002 SUSE Bug 1083002 https://bugzilla.suse.com/1083250 SUSE Bug 1083250 https://bugzilla.suse.com/1084656 SUSE Bug 1084656 https://bugzilla.suse.com/1087026 SUSE Bug 1087026 https://bugzilla.suse.com/896914 SUSE Bug 896914 https://www.suse.com/security/cve/CVE-2014-10070/ SUSE CVE CVE-2014-10070 page https://www.suse.com/security/cve/CVE-2014-10071/ SUSE CVE CVE-2014-10071 page https://www.suse.com/security/cve/CVE-2014-10072/ SUSE CVE CVE-2014-10072 page https://www.suse.com/security/cve/CVE-2016-10714/ SUSE CVE CVE-2016-10714 page https://www.suse.com/security/cve/CVE-2017-18205/ SUSE CVE CVE-2017-18205 page https://www.suse.com/security/cve/CVE-2017-18206/ SUSE CVE CVE-2017-18206 page https://www.suse.com/security/cve/CVE-2018-1071/ SUSE CVE CVE-2018-1071 page https://www.suse.com/security/cve/CVE-2018-1083/ SUSE CVE CVE-2018-1083 page https://www.suse.com/security/cve/CVE-2018-7549/ SUSE CVE CVE-2018-7549 page SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP3 zsh-5.0.5-6.7.2 zsh-5.0.5-6.7.2 as a component of SUSE Linux Enterprise Desktop 12 SP3 zsh-5.0.5-6.7.2 as a component of SUSE Linux Enterprise Server 12 SP3 zsh-5.0.5-6.7.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 zsh before 5.0.7 allows evaluation of the initial values of integer variables imported from the environment (instead of treating them as literal numbers). That could allow local privilege escalation, under some specific and atypical conditions where zsh is being invoked in privilege-elevation contexts when the environment has not been properly sanitized, such as when zsh is invoked by sudo on systems where "env_reset" has been disabled. CVE-2014-10070 SUSE Linux Enterprise Desktop 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server for SAP Applications 12 SP3:zsh-5.0.5-6.7.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20181072-1/ https://www.suse.com/security/cve/CVE-2014-10070.html CVE-2014-10070 https://bugzilla.suse.com/1082885 SUSE Bug 1082885 https://bugzilla.suse.com/1200039 SUSE Bug 1200039 https://bugzilla.suse.com/1200209 SUSE Bug 1200209 In exec.c in zsh before 5.0.7, there is a buffer overflow for very long fds in the ">& fd" syntax. CVE-2014-10071 SUSE Linux Enterprise Desktop 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server for SAP Applications 12 SP3:zsh-5.0.5-6.7.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20181072-1/ https://www.suse.com/security/cve/CVE-2014-10071.html CVE-2014-10071 https://bugzilla.suse.com/1082977 SUSE Bug 1082977 https://bugzilla.suse.com/1200039 SUSE Bug 1200039 In utils.c in zsh before 5.0.6, there is a buffer overflow when scanning very long directory paths for symbolic links. CVE-2014-10072 SUSE Linux Enterprise Desktop 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server for SAP Applications 12 SP3:zsh-5.0.5-6.7.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20181072-1/ https://www.suse.com/security/cve/CVE-2014-10072.html CVE-2014-10072 https://bugzilla.suse.com/1082975 SUSE Bug 1082975 https://bugzilla.suse.com/1200039 SUSE Bug 1200039 In zsh before 5.3, an off-by-one error resulted in undersized buffers that were intended to support PATH_MAX characters. CVE-2016-10714 SUSE Linux Enterprise Desktop 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server for SAP Applications 12 SP3:zsh-5.0.5-6.7.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20181072-1/ https://www.suse.com/security/cve/CVE-2016-10714.html CVE-2016-10714 https://bugzilla.suse.com/1083250 SUSE Bug 1083250 https://bugzilla.suse.com/1200039 SUSE Bug 1200039 In builtin.c in zsh before 5.4, when sh compatibility mode is used, there is a NULL pointer dereference during processing of the cd command with no argument if HOME is not set. CVE-2017-18205 SUSE Linux Enterprise Desktop 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server for SAP Applications 12 SP3:zsh-5.0.5-6.7.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20181072-1/ https://www.suse.com/security/cve/CVE-2017-18205.html CVE-2017-18205 https://bugzilla.suse.com/1082998 SUSE Bug 1082998 https://bugzilla.suse.com/1200039 SUSE Bug 1200039 In utils.c in zsh before 5.4, symlink expansion had a buffer overflow. CVE-2017-18206 SUSE Linux Enterprise Desktop 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server for SAP Applications 12 SP3:zsh-5.0.5-6.7.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20181072-1/ https://www.suse.com/security/cve/CVE-2017-18206.html CVE-2017-18206 https://bugzilla.suse.com/1083002 SUSE Bug 1083002 https://bugzilla.suse.com/1215218 SUSE Bug 1215218 zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd() function. A local attacker could exploit this to cause a denial of service. CVE-2018-1071 SUSE Linux Enterprise Desktop 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server for SAP Applications 12 SP3:zsh-5.0.5-6.7.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20181072-1/ https://www.suse.com/security/cve/CVE-2018-1071.html CVE-2018-1071 https://bugzilla.suse.com/1084656 SUSE Bug 1084656 https://bugzilla.suse.com/1200039 SUSE Bug 1200039 Zsh before version 5.4.2-test-1 is vulnerable to a buffer overflow in the shell autocomplete functionality. A local unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use autocomplete to traverse the before mentioned path. If the user affected is privileged, this leads to privilege escalation. CVE-2018-1083 SUSE Linux Enterprise Desktop 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server for SAP Applications 12 SP3:zsh-5.0.5-6.7.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20181072-1/ https://www.suse.com/security/cve/CVE-2018-1083.html CVE-2018-1083 https://bugzilla.suse.com/1087026 SUSE Bug 1087026 https://bugzilla.suse.com/1189668 SUSE Bug 1189668 https://bugzilla.suse.com/1200209 SUSE Bug 1200209 In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, as demonstrated by typeset -p. CVE-2018-7549 SUSE Linux Enterprise Desktop 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server 12 SP3:zsh-5.0.5-6.7.2 SUSE Linux Enterprise Server for SAP Applications 12 SP3:zsh-5.0.5-6.7.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20181072-1/ https://www.suse.com/security/cve/CVE-2018-7549.html CVE-2018-7549 https://bugzilla.suse.com/1082991 SUSE Bug 1082991 https://bugzilla.suse.com/1200039 SUSE Bug 1200039