diff -Nru zsh-5.1.1/debian/changelog zsh-5.1.1/debian/changelog
--- zsh-5.1.1/debian/changelog 2018-03-07 13:54:39.000000000 +0000
+++ zsh-5.1.1/debian/changelog 2018-03-26 17:17:22.000000000 +0000
@@ -1,3 +1,16 @@
+zsh (5.1.1-1ubuntu2.2) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: stack-based buffer overflow
+ - debian/patches/CVE-2018-1071.patch: check bounds when
+ copying patch in hashcmd() in Src/exec.c, Src/utils.c.
+ - CVE-2018-1071
+ * SECURITY UPDATE: buffer-overflow
+ - debian/patches/CVE-2018-1083.patch: check bounds on PATH_MAX
+ buffer in Src/Zle/compctl.c.
+ - CVE-2018-1083
+
+ -- Leonidas S. Barbosa Mon, 26 Mar 2018 14:16:59 -0300
+
 zsh (5.1.1-1ubuntu2.1) xenial-security; urgency=medium

 * SECURITY UPDATE: undersized buffer
diff -Nru zsh-5.1.1/debian/patches/CVE-2018-1071.patch zsh-5.1.1/debian/patches/CVE-2018-1071.patch
--- zsh-5.1.1/debian/patches/CVE-2018-1071.patch 1970-01-01 00:00:00.000000000 +0000
+++ zsh-5.1.1/debian/patches/CVE-2018-1071.patch 2018-03-26 17:16:41.000000000 +0000
@@ -0,0 +1,38 @@
+Backported of:
+
+From 679b71ec4d852037fe5f73d35bf557b0f406c8d4 Mon Sep 17 00:00:00 2001
+From: Oliver Kiddle
+Date: Sat, 24 Mar 2018 15:02:41 +0100
+Subject: [PATCH] 42518, CVE-2018-1071: check bounds when copying path in
+ hashcmd()
+diff --git a/Src/exec.c b/Src/exec.c
+index 8ce7bc0..d512651 100644
+--- a/Src/exec.c
++++ b/Src/exec.c
+@@ -870,7 +870,7 @@ hashcmd(char *arg0, char **pp)
+ for (; *pp; pp++)
+ if (**pp == '/') {
+ s = buf;
+- strucpy(&s, *pp);
++ struncpy(&s, *pp, PATH_MAX);
+ *s++ = '/';
+ if ((s - buf) + strlen(arg0) >= PATH_MAX)
+ continue;
+diff --git a/Src/utils.c b/Src/utils.c
+index 86f0f99..81d6688 100644
+--- a/Src/utils.c
++++ b/Src/utils.c
+@@ -2096,10 +2096,10 @@ struncpy(char **s, char *t, int n)
+ {
+ char *u = *s;
+
+- while (n--)
+- *u++ = *t++;
++ while (n-- && (*u++ = *t++));
+ *s = u;
+- *u = '\0';
++ if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
++ *u = '\0';
+ }
+
+ /* Return the number of elements in an array of pointers. *
diff -Nru zsh-5.1.1/debian/patches/CVE-2018-1083.patch zsh-5.1.1/debian/patches/CVE-2018-1083.patch
--- zsh-5.1.1/debian/patches/CVE-2018-1083.patch 1970-01-01 00:00:00.000000000 +0000
+++ zsh-5.1.1/debian/patches/CVE-2018-1083.patch 2018-03-26 17:16:48.000000000 +0000
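Review bot: In the Src/utils.c hunk of CVE-2018-1071.patch, the rewritten loop `while (n-- && (*u++ = *t++));` post-increments `u` even on the iteration that copies the terminator, so `*s = u` leaves the caller's pointer one byte past the NUL, whereas the removed version left `*s` on the terminator it wrote. The Src/exec.c hunk then does `*s++ = '/'`, which would place the slash after the terminator and leave `buf` ending at the directory name, so the command path would never be assembled; other callers of struncpy() are outside this diff and should be checked for the same assumption. Advancing only after a non-NUL copy keeps the pointer on the terminator: `while (n-- && (*u = *t++)) u++;`. Separately, when the source fills all `n` bytes no terminator is written and `*s++ = '/'` runs before the length check, so that store is in bounds only if `buf` (declared outside the hunk) has at least PATH_MAX+1 bytes, which should be confirmed for this 5.1.1 tree.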
@@ -0,0 +1,38 @@
+Backported of:
+
+From 259ac472eac291c8c103c7a0d8a4eaf3c2942ed7 Mon Sep 17 00:00:00 2001
+From: Oliver Kiddle
+Date: Sat, 24 Mar 2018 15:04:39 +0100
+Subject: [PATCH] 42519, CVE-2018-1083: check bounds on PATH_MAX-sized buffer
+ used for file completion candidates
+diff --git a/Src/Zle/compctl.c b/Src/Zle/compctl.c
+index 22aa6cd..67c76b4 100644
+--- a/Src/Zle/compctl.c
++++ b/Src/Zle/compctl.c
+@@ -2156,6 +2156,8 @@ gen_matches_files(int dirs, int execs, int all)
+ if (prpre && *prpre) {
+ pathpref = dupstring(prpre);
+ unmetafy(pathpref, &pathpreflen);
++ if (pathpreflen > PATH_MAX)
++ return;
+ /* system needs NULL termination, not provided by unmetafy */
+ pathpref[pathpreflen] = '\0';
+ } else {
+@@ -2198,6 +2200,8 @@ gen_matches_files(int dirs, int execs, int all)
+ * the path buffer by appending the filename. */
+ ums = dupstring(n);
+ unmetafy(ums, ¨en);
++ if (umlen + pathpreflen + 1 > PATH_MAX)
++ continue;
+ memcpy(q, ums, umlen);
+ q[umlen] = '\0';
+ /* And do the stat. */
+@@ -2212,6 +2216,8 @@ gen_matches_files(int dirs, int execs, int all)
+ /* We have to test for a path suffix. */
+ int o = strlen(p), tt;
+
++ if (o + strlen(psuf) > PATH_MAX)
++ continue;
+ /* Append it to the path buffer. */
+ strcpy(p + o, psuf);
+
diff -Nru zsh-5.1.1/debian/patches/series zsh-5.1.1/debian/patches/series
--- zsh-5.1.1/debian/patches/series 2018-03-07 13:54:18.000000000 +0000
+++ zsh-5.1.1/debian/patches/series 2018-03-26 17:16:48.000000000 +0000
@@ -5,3 +5,5 @@
 CVE-2017-18205.patch
 CVE-2017-18206.patch
 CVE-2018-7549.patch
+CVE-2018-1071.patch
+CVE-2018-1083.patch
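Review bot: In CVE-2018-1083.patch the added checks disagree about headroom in the path buffer: the filename check `umlen + pathpreflen + 1 > PATH_MAX` keeps one byte spare, but the suffix check `o + strlen(psuf) > PATH_MAX` accepts a total of exactly PATH_MAX, after which `strcpy(p + o, psuf)` writes its terminator at `p[PATH_MAX]`. That store is in bounds only if `p` is declared with PATH_MAX+1 bytes; the declaration is outside these hunks, so it should be confirmed for the 5.1.1 tree, or the test tightened to `if (o + strlen(psuf) >= PATH_MAX)`. The same question applies to `if (pathpreflen > PATH_MAX)` in the first hunk if the prefix is later copied into `p` together with a terminator or a trailing slash. gen_matches_files() starts and ends outside all three hunks, so the copy sites that rely on these checks are not fully visible here.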