diff options
Diffstat (limited to 'main/zsh/CVE-2018-1083.patch')
-rw-r--r-- | main/zsh/CVE-2018-1083.patch | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/main/zsh/CVE-2018-1083.patch b/main/zsh/CVE-2018-1083.patch new file mode 100644 index 00000000000..104ba1fc583 --- /dev/null +++ b/main/zsh/CVE-2018-1083.patch @@ -0,0 +1,36 @@ +From 259ac472eac291c8c103c7a0d8a4eaf3c2942ed7 Mon Sep 17 00:00:00 2001 +From: Oliver Kiddle <okiddle@yahoo.co.uk> +Date: Sat, 24 Mar 2018 15:04:39 +0100 +Subject: [PATCH] 42519, CVE-2018-1083: check bounds on PATH_MAX-sized buffer + used for file completion candidates + +diff --git a/Src/Zle/compctl.c b/Src/Zle/compctl.c +index e9d165780..87d13afc1 100644 +--- a/Src/Zle/compctl.c ++++ b/Src/Zle/compctl.c +@@ -2176,6 +2176,8 @@ gen_matches_files(int dirs, int execs, int all) + if (prpre && *prpre) { + pathpref = dupstring(prpre); + unmetafy(pathpref, &pathpreflen); ++ if (pathpreflen > PATH_MAX) ++ return; + /* system needs NULL termination, not provided by unmetafy */ + pathpref[pathpreflen] = '\0'; + } else { +@@ -2218,6 +2220,8 @@ gen_matches_files(int dirs, int execs, int all) + * the path buffer by appending the filename. */ + ums = dupstring(n); + unmetafy(ums, ¨en); ++ if (umlen + pathpreflen + 1 > PATH_MAX) ++ continue; + memcpy(q, ums, umlen); + q[umlen] = '\0'; + /* And do the stat. */ +@@ -2232,6 +2236,8 @@ gen_matches_files(int dirs, int execs, int all) + /* We have to test for a path suffix. */ + int o = strlen(p), tt; + ++ if (o + strlen(psuf) > PATH_MAX) ++ continue; + /* Append it to the path buffer. */ + strcpy(p + o, psuf); |