[Pkg-zsh-commits] [zsh] 01/02: Cherry-pick upstream patches to fix CVE-2018-1071 + CVE-2018-1083
Axel Beckert
abe at deuxchevaux.org
Wed Apr 4 23:44:17 UTC 2018
This is an automated email from the git hooks/post-receive script.
abe pushed a commit to branch debian
in repository zsh.
commit d49689fe447363cdb431d50e18cd71f557afc4d6
Author: Axel Beckert <abe at deuxchevaux.org>
Date: Thu Apr 5 01:19:04 2018 +0200
Cherry-pick upstream patches to fix CVE-2018-1071 + CVE-2018-1083
* CVE-2018-1071 (Check bounds when copying path in "hashcmd()".
Closes: #894044)
* CVE-2018-1083 (Check bounds on PATH_MAX-sized buffer used for file
completion candidates. Closes: #894043)
Gbp-Dch: Full
---
debian/patches/CVE-2018-1071.patch | 34 ++++++++++++++++++++++++++++++++++
debian/patches/CVE-2018-1083.patch | 37 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 2 ++
3 files changed, 73 insertions(+)
diff --git a/debian/patches/CVE-2018-1071.patch b/debian/patches/CVE-2018-1071.patch
new file mode 100644
index 0000000..89ca585
--- /dev/null
+++ b/debian/patches/CVE-2018-1071.patch
@@ -0,0 +1,34 @@
+Description: CVE-2018-1071
+ Check bounds when copying path in hashcmd().
+Origin: 679b71ec4d852037fe5f73d35bf557b0f406c8d4
+Author: Oliver Kiddle <okiddle at yahoo.co.uk>
+Bug-Debian: https://bugs.debian.org/894043
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1083
+
+--- a/Src/exec.c
++++ b/Src/exec.c
+@@ -920,7 +920,7 @@
+ for (; *pp; pp++)
+ if (**pp == '/') {
+ s = buf;
+- strucpy(&s, *pp);
++ struncpy(&s, *pp, PATH_MAX);
+ *s++ = '/';
+ if ((s - buf) + strlen(arg0) >= PATH_MAX)
+ continue;
+--- a/Src/utils.c
++++ b/Src/utils.c
+@@ -2283,10 +2283,10 @@
+ {
+ char *u = *s;
+
+- while (n--)
+- *u++ = *t++;
++ while (n-- && (*u++ = *t++));
+ *s = u;
+- *u = '\0';
++ if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
++ *u = '\0';
+ }
+
+ /* Return the number of elements in an array of pointers. *
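Review bot: In the Src/utils.c part, the new loop `while (n-- && (*u++ = *t++));` post-increments `u` on the iteration that copies the terminator, so whenever `t` is shorter than `n` the following `*s = u` leaves `*s` one byte past the NUL instead of on it. The caller in hashcmd() then stores `*s++ = '/'` after the terminator, and the string in `buf` ends before the slash. Advancing `u` only for non-NUL bytes (assign `*u = *t++` in the condition and increment in the loop body) would keep `*s` on the terminator. Separately, when the source fills all `n` bytes the loop exits with `n` at -1, no terminator is written, and in Src/exec.c the `*s++ = '/'` store runs before the `(s - buf) + strlen(arg0) >= PATH_MAX` check, so the slash lands at offset PATH_MAX of `buf`; the bound passed to struncpy() should leave room for it. The patch header also looks copied from the other patch: `Bug-Debian` points at 894043 and `Bug-CVE` at CVE-2018-1083, while the commit message ties CVE-2018-1071 to #894044.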
diff --git a/debian/patches/CVE-2018-1083.patch b/debian/patches/CVE-2018-1083.patch
new file mode 100644
index 0000000..3e30c3c
--- /dev/null
+++ b/debian/patches/CVE-2018-1083.patch
@@ -0,0 +1,37 @@
+Description: CVE-2018-1083
+ Check bounds on PATH_MAX-sized buffer used for file completion
+ candidates.
+Origin: 259ac472eac291c8c103c7a0d8a4eaf3c2942ed7
+Author: Oliver Kiddle <okiddle at yahoo.co.uk>
+Bug-Debian: https://bugs.debian.org/894043
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1083
+
+--- a/Src/Zle/compctl.c
++++ b/Src/Zle/compctl.c
+@@ -2176,6 +2176,8 @@ gen_matches_files(int dirs, int execs, int all)
+ if (prpre && *prpre) {
+ pathpref = dupstring(prpre);
+ unmetafy(pathpref, &pathpreflen);
++ if (pathpreflen > PATH_MAX)
++ return;
+ /* system needs NULL termination, not provided by unmetafy */
+ pathpref[pathpreflen] = '\0';
+ } else {
+@@ -2218,6 +2220,8 @@ gen_matches_files(int dirs, int execs, int all)
+ * the path buffer by appending the filename. */
+ ums = dupstring(n);
+ unmetafy(ums, ¨en);
++ if (umlen + pathpreflen + 1 > PATH_MAX)
++ continue;
+ memcpy(q, ums, umlen);
+ q[umlen] = '\0';
+ /* And do the stat. */
+@@ -2232,6 +2236,8 @@ gen_matches_files(int dirs, int execs, int all)
+ /* We have to test for a path suffix. */
+ int o = strlen(p), tt;
+
++ if (o + strlen(psuf) > PATH_MAX)
++ continue;
+ /* Append it to the path buffer. */
+ strcpy(p + o, psuf);
+
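Review bot: The third check in gen_matches_files(), `if (o + strlen(psuf) > PATH_MAX)`, lets the sum equal PATH_MAX, and the `strcpy(p + o, psuf)` that follows also writes the terminator, which in that case goes to offset PATH_MAX. If the buffer is PATH_MAX bytes, as the description says, that is one byte past the end; use `>=` or confirm the array is declared with PATH_MAX + 1 elements. Whether `umlen + pathpreflen + 1 > PATH_MAX` is tight enough for the `q[umlen] = '\0'` store depends on how `q` is offset into the buffer, which the context lines do not show, so that is worth checking too. The first check accepts `pathpreflen == PATH_MAX`, a prefix for which no candidate can pass the second check, so it could use `>=` and return early there as well.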
diff --git a/debian/patches/series b/debian/patches/series
index cb6fdac..d05bc62 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
further-mitigate-test-suite-hangs.patch
update-debian-sections.patch
+CVE-2018-1071.patch
+CVE-2018-1083.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/zsh.git