From 6c6b294b3615b7956885de09d3d094dad970b4a4 Mon Sep 17 00:00:00 2001
From: Jakub Jirutka
Date: Sat, 31 Mar 2018 15:50:29 +0000
Subject: main/zsh: fix CVE-2018-1071, CVE-2018-1083
---
 main/zsh/APKBUILD | 26 ++++++++++++++++++++------
 main/zsh/CVE-2018-1071.patch | 37 +++++++++++++++++++++++++++++++++++++
 main/zsh/CVE-2018-1083.patch | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 93 insertions(+), 6 deletions(-)
 create mode 100644 main/zsh/CVE-2018-1071.patch
 create mode 100644 main/zsh/CVE-2018-1083.patch
diff --git a/main/zsh/APKBUILD b/main/zsh/APKBUILD
index 760c1263c02..fded886cde2 100644
--- a/main/zsh/APKBUILD
+++ b/main/zsh/APKBUILD
@@ -1,8 +1,14 @@
 # Contributor:
 # Maintainer: Natanael Copa
+#
+# secfixes:
+# 5.2-r2:
+# - CVE-2018-1083
+# - CVE-2018-1071
+#
 pkgname=zsh
 pkgver=5.2
-pkgrel=1
+pkgrel=2
 pkgdesc="A very advanced and programmable command interpreter (shell)"
 url="http://www.zsh.org/"
 arch="all"
@@ -10,9 +16,11 @@ license="BSD"
 depends=
 makedepends=ncurses-dev
 install="zsh.post-install zsh.post-upgrade zsh.pre-deinstall"
-source="http://www.zsh.org/pub/$pkgname-$pkgver.tar.xz
+source="http://www.zsh.org/pub/old/$pkgname-$pkgver.tar.xz
 zprofile
- fix-zle-segfault.patch"
+ fix-zle-segfault.patch
+ CVE-2018-1071.patch
+ CVE-2018-1083.patch"
 subpackages="$pkgname-doc"
 _builddir="$srcdir"/$pkgname-$pkgver
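Review bot: The rewritten `source=` entry still fetches the tarball over plain `http://`, so the download is protected only by the pinned sums further down in this file. If the host serves the same path over TLS, `source="https://www.zsh.org/pub/old/$pkgname-$pkgver.tar.xz` would be the safer form. The two new patch names are added to `source`, but `prepare()` lies outside the hunk, so it is worth confirming that it applies every `*.patch` entry rather than naming `fix-zle-segfault.patch` explicitly. Otherwise the CVE fixes would be listed and checksummed but never applied to the build.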
@@ -53,10 +61,16 @@ package() {
 }
 md5sums="afe96fde08b70e23c1cab1ca7a68fb34 zsh-5.2.tar.xz
 a5e93cd6880da04a63fc4fcaaa03987f zprofile
-1413688affa980b053dd2cdc784f8626 fix-zle-segfault.patch"
+1413688affa980b053dd2cdc784f8626 fix-zle-segfault.patch
+bd6114acb5c860221caa33474f39ca8b CVE-2018-1071.patch
+d19a32cdbbd7552df2b25c41dc1c0f4c CVE-2018-1083.patch"
 sha256sums="f17916320ffaa844bbd7ce48ceeb5945fc5f3eff64b149b4229bbfbdf3795a9d zsh-5.2.tar.xz
 e3c3625d966c8277274798f26241857df5fc520e18674deba6cc356f6b022d63 zprofile
-7b8bfec6f7c0df6954eb27a000ff1d077e37a1ec9fd9f37c247a53922cf0c9be fix-zle-segfault.patch"
+7b8bfec6f7c0df6954eb27a000ff1d077e37a1ec9fd9f37c247a53922cf0c9be fix-zle-segfault.patch
+06ef561b4d1f174625971643ea54cbf75335fe456110f8a26b764b78b37285e9 CVE-2018-1071.patch
+d53d8db4abf80e262ae48da56cd103881521e94fa25bac5573617cbbed06e76c CVE-2018-1083.patch"
 sha512sums="9938af95e09203a0a313f441e0c23279136806f6f087475ca9a66c678c57ecffc87f73ece8133a36700af8de7cb5d1bec8559eabdec2b66102062e64026c2e72 zsh-5.2.tar.xz
 59182b99447872ded8adf0d890e9359ee47fce0b7acb2808f4308f945885fbf6d977a0917bbb5c0f21454caf3ba06ab092127732da4f84292d6ab0989a0110fe zprofile
-f17016b4cb95932caabdfca273696f4a444f1e45c8e7d458db54ae12542fce87bdd6fc6c4cd070948041f50760389179c69c12296665b7b9651007faafbdbee7 fix-zle-segfault.patch"
+f17016b4cb95932caabdfca273696f4a444f1e45c8e7d458db54ae12542fce87bdd6fc6c4cd070948041f50760389179c69c12296665b7b9651007faafbdbee7 fix-zle-segfault.patch
+9e645c31ace8e255a3859fe732572be7e4f7bde025c17f0cc4cdfedfc5ffb30b42e5051162efcb2f58bb89e92701dab0528fa3157faf2445aca3cec3d85e1da8 CVE-2018-1071.patch
+4e4c3c67c4ce73607d735e99884ca2ef833f4f8859f30882b69bf6e785f99a4637c0650f6a8d474e0f3d86f7400499557a04c327990ef999c1aedca598e13848 CVE-2018-1083.patch"
diff --git a/main/zsh/CVE-2018-1071.patch b/main/zsh/CVE-2018-1071.patch
new file mode 100644
index 00000000000..8cb7fb2a54d
--- /dev/null
+++ b/main/zsh/CVE-2018-1071.patch
@@ -0,0 +1,37 @@
+From 679b71ec4d852037fe5f73d35bf557b0f406c8d4 Mon Sep 17 00:00:00 2001
+From: Oliver Kiddle
+Date: Sat, 24 Mar 2018 15:02:41 +0100
+Subject: [PATCH] 42518, CVE-2018-1071: check bounds when copying path in
+ hashcmd()
+
+diff --git a/Src/exec.c b/Src/exec.c
+index 35b0bb191..e154d1249 100644
+--- a/Src/exec.c
++++ b/Src/exec.c
+@@ -920,7 +920,7 @@ hashcmd(char *arg0, char **pp)
+ for (; *pp; pp++)
+ if (**pp == '/') {
+ s = buf;
+- strucpy(&s, *pp);
++ struncpy(&s, *pp, PATH_MAX);
+ *s++ = '/';
+ if ((s - buf) + strlen(arg0) >= PATH_MAX)
+ continue;
+diff --git a/Src/utils.c b/Src/utils.c
+index 3b589aa35..998b16220 100644
+--- a/Src/utils.c
++++ b/Src/utils.c
+@@ -2283,10 +2283,10 @@ struncpy(char **s, char *t, int n)
+ {
+ char *u = *s;
+
+- while (n--)
+- *u++ = *t++;
++ while (n-- && (*u++ = *t++));
+ *s = u;
+- *u = '\0';
++ if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
++ *u = '\0';
+ }
+
+ /* Return the number of elements in an array of pointers. *
diff --git a/main/zsh/CVE-2018-1083.patch b/main/zsh/CVE-2018-1083.patch
new file mode 100644
index 00000000000..104ba1fc583
--- /dev/null
+++ b/main/zsh/CVE-2018-1083.patch
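Review bot: In the `struncpy()` hunk of the embedded patch, `while (n-- && (*u++ = *t++));` post-increments `u` even on the iteration that copies the terminating NUL, so `*s = u` hands the caller a pointer one past the terminator instead of at it. In the `hashcmd()` hunk the next statement is `*s++ = '/';`, which would then land after the NUL and leave the string in `buf` ending at the directory name. Advancing only after a non-NUL byte avoids this: `while (n-- && (*u = *t++))` with `u++;` as the loop body. When the loop stops on the count instead, nothing terminates the copy, so a comment on `struncpy()` should say that callers must check the length afterwards, as `hashcmd()` does with `(s - buf) + strlen(arg0) >= PATH_MAX`. The declaration of `buf` is outside the hunk, so its size should be confirmed against the `PATH_MAX` limit passed here.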
@@ -0,0 +1,36 @@
+From 259ac472eac291c8c103c7a0d8a4eaf3c2942ed7 Mon Sep 17 00:00:00 2001
+From: Oliver Kiddle
+Date: Sat, 24 Mar 2018 15:04:39 +0100
+Subject: [PATCH] 42519, CVE-2018-1083: check bounds on PATH_MAX-sized buffer
+ used for file completion candidates
+
+diff --git a/Src/Zle/compctl.c b/Src/Zle/compctl.c
+index e9d165780..87d13afc1 100644
+--- a/Src/Zle/compctl.c
++++ b/Src/Zle/compctl.c
+@@ -2176,6 +2176,8 @@ gen_matches_files(int dirs, int execs, int all)
+ if (prpre && *prpre) {
+ pathpref = dupstring(prpre);
+ unmetafy(pathpref, &pathpreflen);
++ if (pathpreflen > PATH_MAX)
++ return;
+ /* system needs NULL termination, not provided by unmetafy */
+ pathpref[pathpreflen] = '\0';
+ } else {
+@@ -2218,6 +2220,8 @@ gen_matches_files(int dirs, int execs, int all)
+ * the path buffer by appending the filename. */
+ ums = dupstring(n);
+ unmetafy(ums, ¨en);
++ if (umlen + pathpreflen + 1 > PATH_MAX)
++ continue;
+ memcpy(q, ums, umlen);
+ q[umlen] = '\0';
+ /* And do the stat. */
+@@ -2232,6 +2236,8 @@ gen_matches_files(int dirs, int execs, int all)
+ /* We have to test for a path suffix. */
+ int o = strlen(p), tt;
+
++ if (o + strlen(psuf) > PATH_MAX)
++ continue;
+ /* Append it to the path buffer. */
+ strcpy(p + o, psuf);
-- cgit v1.2.3
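Review bot: The added checks in `gen_matches_files()` do not treat the terminating NUL the same way: the filename check leaves a byte of slack with `umlen + pathpreflen + 1 > PATH_MAX`, while the suffix check `o + strlen(psuf) > PATH_MAX` still lets `strcpy(p + o, psuf)` write `PATH_MAX + 1` bytes including the terminator. That is only in bounds if the buffer behind `p` holds at least `PATH_MAX + 1` bytes. Its declaration is outside the hunks, so either confirm that or tighten the test to `if (o + strlen(psuf) >= PATH_MAX)`. A short comment at each check naming the buffer and its size would make the invariant reviewable, and could note that over-long candidates are dropped silently by the `return` and `continue`.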