[ GLSA 201903-02 ] Zsh: User-assisted execution of arbitrary code


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201903-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Zsh: User-assisted execution of arbitrary code
Date: March 10, 2019
Bugs: #665278
ID: 201903-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis

Input validation errors in Zsh could result in arbitrary code
execution.

Background

Zsh is a shell designed for interactive use, although it is also a
powerful scripting language.

Affected packages

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-shells/zsh < 5.6 >= 5.6

Description

Two input validation errors have been discovered in how Zsh parses the
shebang ("#!") line of scripts:

* Parsing a malformed shebang line could cause Zsh to execute a program
named on the second line of the script (CVE-2018-0502)
* Shebang lines longer than 64 characters are truncated, so Zsh could
execute a program whose name is a prefix of the intended interpreter
path (CVE-2018-13259)
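The truncation issue (CVE-2018-13259) can be audited for in a script corpus while the upgrade is pending: any script whose first line exceeds the 64-byte window would be handed a different interpreter path by a pre-5.6 Zsh. The following is an added example, not Gentoo's or the zsh project's code. It models shebang handling in a simplified way (first line only, tokens split on whitespace; this is an assumption, not Zsh's actual parser), uses the 64-byte window stated in the advisory, and adds a check of `zsh --version` output against the fixed release. The sample scripts and version strings are constructed. It does not model CVE-2018-0502, whose exact trigger the advisory does not describe.

```python
import re
from typing import List, Optional

# Size of the buffer a pre-5.6 Zsh reads the script header into before
# looking for the "#!" interpreter line (figure taken from the advisory).
ZSH_PRE_5_6_SHEBANG_WINDOW = 64

# Release in which the advisory says both issues are fixed.
FIXED_IN = (5, 6)


def shebang_argv(header: bytes) -> Optional[List[str]]:
    """Simplified model of shebang handling (an assumption, not Zsh's real
    parser): return the argv built from the first line of `header`, or None
    if there is no usable "#!" line.  Only the first line is consulted and
    tokens are split on whitespace."""
    if not header.startswith(b"#!"):
        return None
    first_line = header.split(b"\n", 1)[0]
    tokens = first_line[2:].split()
    if not tokens:
        return None
    return [t.decode("utf-8", "replace") for t in tokens]


def zsh_truncation_report(script: bytes,
                          window: int = ZSH_PRE_5_6_SHEBANG_WINDOW) -> dict:
    """Compare the interpreter argv taken from the full script with the argv
    a Zsh that only sees the first `window` bytes would build.  If they
    differ, a vulnerable Zsh would execve() a prefix of the intended path;
    whether that prefix exists on disk, and who controls it, decides
    exploitability."""
    intended = shebang_argv(script)
    truncated = shebang_argv(script[:window])
    return {
        "intended": intended,
        "seen_by_zsh_pre_5_6": truncated,
        "affected": intended is not None and truncated != intended,
    }


def zsh_is_fixed(version_output: str) -> bool:
    """Parse `zsh --version` output such as "zsh 5.5.1 (x86_64-pc-linux-gnu)"
    and report whether the release is at or above FIXED_IN."""
    match = re.search(r"\bzsh (\d+(?:\.\d+)*)", version_output)
    if match is None:
        raise ValueError("unrecognised zsh --version output: %r" % version_output)
    version = tuple(int(part) for part in match.group(1).split("."))
    return version >= FIXED_IN


# Constructed sample scripts (not files from the advisory).  The first has a
# 70-byte shebang line, so only 62 bytes of the interpreter path fit inside
# the 64-byte window once "#!" is accounted for.
LONG_SHEBANG_SCRIPT = (
    b"#!/opt/vendor/toolchains/python-3.7.2/bin/python3.7-with-site-packages\n"
    b"print('hello')\n"
)
SHORT_SHEBANG_SCRIPT = b"#!/bin/sh\necho hello\n"


if __name__ == "__main__":
    for name, sample in (("long", LONG_SHEBANG_SCRIPT),
                         ("short", SHORT_SHEBANG_SCRIPT)):
        print(name, zsh_truncation_report(sample))
    print("zsh 5.5.1 fixed:", zsh_is_fixed("zsh 5.5.1 (x86_64-pc-linux-gnu)"))
```

To run it over real scripts, feed `open(path, "rb").read()` to `zsh_truncation_report` and look for `"affected": True`; the reported prefix is the path an attacker would need to be able to create or replace for the truncation to matter.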

Impact

An attacker could entice a user to execute a specially crafted script
using Zsh, possibly resulting in execution of arbitrary code with the
privileges of the process running Zsh.

Workaround

There is no known workaround at this time.

Resolution

All Zsh users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/zsh-5.6"

References

[ 1 ] CVE-2018-0502
https://nvd.nist.gov/vuln/detail/CVE-2018-0502
[ 2 ] CVE-2018-13259
https://nvd.nist.gov/vuln/detail/CVE-2018-13259

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201903-02

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
