diff options
| author |   Repository mirror & CI <repomirrorci@gentoo.org> | 2019-03-10 02:26:26 +0000 |
|---|---|---|
| committer | Repository mirror & CI <repomirrorci@gentoo.org> | 2019-03-10 02:26:26 +0000 |
| commit | 2b957ed8e7f95b2059c99e3e1f0970154912e06a (patch) | |
| tree | d264ee222bda4788537d7816a6cff5ba1e2c62dc /metadata/glsa/glsa-201903-02.xml | |
| parent | Merge updates from master (diff) | |
| parent | [ GLSA 201903-02 ] Zsh: User-assisted execution of arbitrary code (diff) | |
| download | gentoo-2b957ed8e7f95b2059c99e3e1f0970154912e06a.tar.gz gentoo-2b957ed8e7f95b2059c99e3e1f0970154912e06a.tar.bz2 gentoo-2b957ed8e7f95b2059c99e3e1f0970154912e06a.zip | |
Merge commit '74994cee1b78a5fa9235ed3f30fdeb684e1527a1'
Diffstat (limited to 'metadata/glsa/glsa-201903-02.xml')
| -rw-r--r-- | metadata/glsa/glsa-201903-02.xml | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-201903-02.xml b/metadata/glsa/glsa-201903-02.xml new file mode 100644 index 000000000000..11ae0246fe90 --- /dev/null +++ b/metadata/glsa/glsa-201903-02.xml @@ -0,0 +1,62 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-02"> + <title>Zsh: User-assisted execution of arbitrary code</title> + <synopsis>Input validation errors in Zsh could result in arbitrary code + execution. + </synopsis> + <product type="ebuild">zsh</product> + <announced>2019-03-10</announced> + <revised count="1">2019-03-10</revised> + <bug>665278</bug> + <access>local, remote</access> + <affected> + <package name="app-shells/zsh" auto="yes" arch="*"> + <unaffected range="ge">5.6</unaffected> + <vulnerable range="lt">5.6</vulnerable> + </package> + </affected> + <background> + <p>A shell designed for interactive use, although it is also a powerful + scripting language. + </p> + </background> + <description> + <p>Two input validation errors have been discovered in how Zsh parses + scripts: + </p> + + <ul> + <li>Parsing a malformed shebang line could cause Zsh to call a program + listed in the second line (CVE-2018-0502) + </li> + <li>Shebang lines longer than 64 characters are truncated + (CVE-2018-13259) + </li> + </ul> + </description> + <impact type="normal"> + <p>An attacker could entice a user to execute a specially crafted script + using Zsh, possibly resulting in execution of arbitrary code with the + privileges of the process. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Zsh users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-shells/zsh-5.6" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-0502">CVE-2018-0502</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-13259">CVE-2018-13259</uri> + </references> + <metadata tag="requester" timestamp="2018-12-31T07:32:39Z">Zlogene</metadata> + <metadata tag="submitter" timestamp="2019-03-10T02:21:31Z">ackle</metadata> +</glsa> |