ID CVE-2018-1100
Summary zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the utils.c:checkmailpath function. A local attacker could exploit this to execute arbitrary code in the context of another user.
References
Vulnerable Configurations
  • cpe:2.3:a:zsh:zsh:5.4.2
    cpe:2.3:a:zsh:zsh:5.4.2
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.04 LTS Edition
    cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts
  • Red Hat Enterprise Linux Desktop 6.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:6.0
  • RedHat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  • Red Hat Enterprise Linux Server 6.0
    cpe:2.3:o:redhat:enterprise_linux_server:6.0
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • Red Hat Enterprise Linux Workstation 6.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:6.0
  • RedHat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
CVSS
Base: 7.2
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
nessus via4
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0050_ZSH.NASL
    description An update of the zsh package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121951
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121951
    title Photon OS 2.0: Zsh PHSA-2018-2.0-0050
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180619_ZSH_ON_SL6_X.NASL
    description Security Fix(es) : - zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083) - zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072) - zsh: buffer overrun in symlinks (CVE-2017-18206) - zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 110893
    published 2018-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110893
    title Scientific Linux Security Update : zsh on SL6.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-1932.NASL
    description From Red Hat Security Advisory 2018:1932 : An update for zsh is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more. Security Fix(es) : * zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083) * zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072) * zsh: buffer overrun in symlinks (CVE-2017-18206) * zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2018-1083 and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-06-27
    plugin id 110707
    published 2018-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110707
    title Oracle Linux 6 : zsh (ELSA-2018-1932)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-AC1D9C2777.NASL
    description - fix stack-based buffer overflow in utils.c:checkmailpath() (CVE-2018-1100) - fix stack-based buffer overflow in gen_matches_files() (CVE-2018-1083) - fix stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 109591
    published 2018-05-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109591
    title Fedora 27 : zsh (2018-ac1d9c2777)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1396.NASL
    description According to the versions of the zsh package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - zsh: buffer overflow for very long fds in >& fd syntax (CVE-2014-10071) - zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072) - zsh: NULL dereference in cd in sh compatibility mode under given circumstances (CVE-2017-18205) - zsh: buffer overrun in symlinks (CVE-2017-18206) - zsh: Stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071) - zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100) - zsh: crash on copying empty hash table (CVE-2018-7549) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-10
    plugin id 119524
    published 2018-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119524
    title EulerOS 2.0 SP3 : zsh (EulerOS-SA-2018-1396)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20181030_ZSH_ON_SL7_X.NASL
    description Security Fix(es) : - zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083) - zsh: buffer overflow for very long fds in >& fd syntax (CVE-2014-10071) - zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072) - zsh: NULL dereference in cd in sh compatibility mode under given circumstances (CVE-2017-18205) - zsh: buffer overrun in symlinks (CVE-2017-18206) - zsh: Stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071) - zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100) - zsh: crash on copying empty hash table (CVE-2018-7549)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 119204
    published 2018-11-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119204
    title Scientific Linux Security Update : zsh on SL7.x x86_64
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-699.NASL
    description This update for zsh to version 5.5 fixes the following issues : Security issues fixed : - CVE-2018-1100: Fixes a buffer overflow in utils.c:checkmailpath() that can lead to local arbitrary code execution (bsc#1089030) - CVE-2018-1071: Fixed a stack-based buffer overflow in exec.c:hashcmd() (bsc#1084656) - CVE-2018-1083: Fixed a stack-based buffer overflow in gen_matches_files() at compctl.c (bsc#1087026) Non-security issues fixed : - The effect of the NO_INTERACTIVE_COMMENTS option extends into $(...) and `...` command substitutions when used on the command line. - The 'exec' and 'command' precommand modifiers, and options to them, are now parsed after parameter expansion. - Functions executed by ZLE widgets no longer have their standard input closed, but redirected from /dev/null instead. - There is an option WARN_NESTED_VAR, a companion to the existing WARN_CREATE_GLOBAL that causes a warning if a function updates a variable from an enclosing scope without using typeset -g. - zmodload now has an option -s to be silent on a failure to find a module but still print other errors. This update was imported from the SUSE:SLE-15:Update update project.
    last seen 2019-02-21
    modified 2018-09-04
    plugin id 110957
    published 2018-07-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110957
    title openSUSE Security Update : zsh (openSUSE-2018-699)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-3073.NASL
    description An update for zsh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more. Security Fix(es) : * zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083) * zsh: buffer overflow for very long fds in >& fd syntax (CVE-2014-10071) * zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072) * zsh: NULL dereference in cd in sh compatibility mode under given circumstances (CVE-2017-18205) * zsh: buffer overrun in symlinks (CVE-2017-18206) * zsh: Stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071) * zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100) * zsh: crash on copying empty hash table (CVE-2018-7549) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2018-1083, CVE-2018-1071, and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 118989
    published 2018-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118989
    title CentOS 7 : zsh (CESA-2018:3073)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3764-1.NASL
    description It was discovered that Zsh incorrectly handled certain scripts. An attacker could possibly use this issue to execute arbitrary code. (CVE-2018-0502, CVE-2018-13259) Richard Maciel Costa discovered that Zsh incorrectly handled certain scripts. An attacker could possibly use this issue to execute arbitrary code. (CVE-2018-1100). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 117456
    published 2018-09-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117456
    title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : zsh vulnerabilities (USN-3764-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-A5E9A619F6.NASL
    description update to latest upstream release, which fixes the following vulnerabilities : - CVE-2018-1100 - stack-based buffer overflow in utils.c:checkmailpath() - CVE-2018-1083 - stack-based buffer overflow in compctl.c:gen_matches_files() - CVE-2018-1071 - stack-based buffer overflow in exec.c:hashcmd() Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-03
    plugin id 120679
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120679
    title Fedora 28 : zsh (2018-a5e9a619f6)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-1874-1.NASL
    description This update for zsh to version 5.5 fixes the following issues: Security issues fixed : - CVE-2018-1100: Fixes a buffer overflow in utils.c:checkmailpath() that can lead to local arbitrary code execution (bsc#1089030) - CVE-2018-1071: Fixed a stack-based buffer overflow in exec.c:hashcmd() (bsc#1084656) - CVE-2018-1083: Fixed a stack-based buffer overflow in gen_matches_files() at compctl.c (bsc#1087026) Non-security issues fixed : - The effect of the NO_INTERACTIVE_COMMENTS option extends into $(...) and `...` command substitutions when used on the command line. - The 'exec' and 'command' precommand modifiers, and options to them, are now parsed after parameter expansion. - Functions executed by ZLE widgets no longer have their standard input closed, but redirected from /dev/null instead. - There is an option WARN_NESTED_VAR, a companion to the existing WARN_CREATE_GLOBAL that causes a warning if a function updates a variable from an enclosing scope without using typeset -g. - zmodload now has an option -s to be silent on a failure to find a module but still print other errors. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 120028
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120028
    title SUSE SLED15 / SLES15 Security Update : zsh (SUSE-SU-2018:1874-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-1107.NASL
    description A buffer overflow flaw was found in the zsh shell symbolic link resolver. A local, unprivileged user can create a specially crafted directory path which leads to a buffer overflow in the context of the user trying to do a symbolic link resolution in the aforementioned path. If the user affected is privileged, this leads to privilege escalation.(CVE-2017-18206) A buffer overflow flaw was found in the zsh shell auto-complete functionality. A local, unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use auto-complete to traverse the before mentioned path. If the user affected is privileged, this leads to privilege escalation.(CVE-2018-1083) A NULL pointer dereference flaw was found in the code responsible for saving hashtables of the zsh package. An attacker could use this flaw to cause a denial of service by crashing the user shell.(CVE-2018-7549) A NULL pointer dereference flaw was found in the code responsible for the cd builtin command of the zsh package. An attacker could use this flaw to cause a denial of service by crashing the user shell.(CVE-2017-18205) A buffer overflow flaw was found in the zsh shell symbolic link resolver. A local, unprivileged user can create a specially crafted directory path which leads to a buffer overflow in the context of the user trying to do symbolic link resolution in the aforementioned path. An attacker could exploit this vulnerability to cause a denial of service condition on the target.(CVE-2014-10072) A buffer overflow flaw was found in the zsh shell check path functionality. A local, unprivileged user can create a specially crafted message file, which, if used to set a custom 'you have new mail' message, leads to code execution in the context of the user who receives the message. If the user affected is privileged, this leads to privilege escalation.(CVE-2018-1100) zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd() function. A local attacker could exploit this to cause a denial of service.(CVE-2018-1071) A buffer overflow flaw was found in the zsh shell file descriptor redirection functionality. An attacker could use this flaw to cause a denial of service by crashing the user shell.(CVE-2014-10071)
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 119466
    published 2018-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119466
    title Amazon Linux AMI : zsh (ALAS-2018-1107)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1424.NASL
    description According to the versions of the zsh package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072) - zsh: Stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071) - zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 119913
    published 2018-12-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119913
    title EulerOS 2.0 SP2 : zsh (EulerOS-SA-2018-1424)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-1037-1.NASL
    description This update for zsh fixes the following issues : - CVE-2018-1100: Fixed a buffer overflow in utils.c:checkmailpath() that could lead to local arbitrary code execution ( bsc#1089030) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 109278
    published 2018-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109278
    title SUSE SLES11 Security Update : zsh (SUSE-SU-2018:1037-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201805-10.NASL
    description The remote host is affected by the vulnerability described in GLSA-201805-10 (Zsh: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Zsh. Please review the CVE identifiers referenced below for details. Impact : A local attacker could execute arbitrary code, escalate privileges, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-06-07
    plugin id 110174
    published 2018-05-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110174
    title GLSA-201805-10 : Zsh: Multiple vulnerabilities
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2019-013-01.NASL
    description New zsh packages are available for Slackware 14.0, 14.1, and 14.2 to fix security issues.
    last seen 2019-02-21
    modified 2019-01-14
    plugin id 121145
    published 2019-01-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121145
    title Slackware 14.0 / 14.1 / 14.2 : zsh (SSA:2019-013-01)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-1932.NASL
    description An update for zsh is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more. Security Fix(es) : * zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083) * zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072) * zsh: buffer overrun in symlinks (CVE-2017-18206) * zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2018-1083 and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 110652
    published 2018-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110652
    title CentOS 6 : zsh (CESA-2018:1932)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-1932.NASL
    description An update for zsh is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more. Security Fix(es) : * zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083) * zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072) * zsh: buffer overrun in symlinks (CVE-2017-18206) * zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2018-1083 and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 110607
    published 2018-06-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110607
    title RHEL 6 : zsh (RHSA-2018:1932)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-3073.NASL
    description An update for zsh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more. Security Fix(es) : * zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083) * zsh: buffer overflow for very long fds in >& fd syntax (CVE-2014-10071) * zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072) * zsh: NULL dereference in cd in sh compatibility mode under given circumstances (CVE-2017-18205) * zsh: buffer overrun in symlinks (CVE-2017-18206) * zsh: Stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071) * zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100) * zsh: crash on copying empty hash table (CVE-2018-7549) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2018-1083, CVE-2018-1071, and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 118524
    published 2018-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118524
    title RHEL 7 : zsh (RHSA-2018:3073)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-3073.NASL
    description From Red Hat Security Advisory 2018:3073 : An update for zsh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more. Security Fix(es) : * zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083) * zsh: buffer overflow for very long fds in >& fd syntax (CVE-2014-10071) * zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072) * zsh: NULL dereference in cd in sh compatibility mode under given circumstances (CVE-2017-18205) * zsh: buffer overrun in symlinks (CVE-2017-18206) * zsh: Stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071) * zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100) * zsh: crash on copying empty hash table (CVE-2018-7549) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2018-1083, CVE-2018-1071, and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-07
    plugin id 118769
    published 2018-11-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118769
    title Oracle Linux 7 : zsh (ELSA-2018-3073)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-1094.NASL
    description This update for zsh to version 5.6.2 fixes the following issues : These security issues were fixed : - CVE-2018-0502: The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line (bsc#1107296) - CVE-2018-13259: Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one (bsc#1107294) - CVE-2018-1100: Prevent stack-based buffer overflow in the utils.c:checkmailpath function that allowed local attackers to execute arbitrary code in the context of another user (bsc#1089030). - CVE-2018-1071: Prevent stack-based buffer overflow in the exec.c:hashcmd() function that allowed local attackers to cause a denial of service (bsc#1084656). - CVE-2018-1083: Prevent buffer overflow in the shell autocomplete functionality that allowed local unprivileged users to create a specially crafted directory path which lead to code execution in the context of the user who tries to use autocomplete to traverse the mentioned path (bsc#1087026). - Disallow evaluation of the initial values of integer variables imported from the environment These non-security issues were fixed : - Fixed that the signal SIGWINCH was being ignored when zsh is not in the foreground. - Fixed two regressions with pipelines getting backgrounded and emitting the signal SIGTTOU - The effect of the NO_INTERACTIVE_COMMENTS option extends into $(...) and `...` command substitutions when used on the command line. - The 'exec' and 'command' precommand modifiers, and options to them, are now parsed after parameter expansion. - Functions executed by ZLE widgets no longer have their standard input closed, but redirected from /dev/null instead. - There is an option WARN_NESTED_VAR, a companion to the existing WARN_CREATE_GLOBAL that causes a warning if a function updates a variable from an enclosing scope without using typeset -g. - zmodload now has an option -s to be silent on a failure to find a module but still print other errors. - Fix typo in chflags completion - Fixed invalid git commands completion - VCS info system: vcs_info git: Avoid a fork. - Fix handling of 'printf -' and 'printf --' - fix broken completion for filterdiff (boo#1019130) - Unicode9 support, this needs support from your terminal to work correctly. - The new word modifier ':P' computes the physical path of the argument. - The output of 'typeset -p' uses 'export' commands or the '-g' option for parameters that are not local to the current scope. - vi-repeat-change can repeat user-defined widgets if the widget calls zle -f vichange. - The parameter $registers now makes the contents of vi register buffers available to user-defined widgets. - New vi-up-case and vi-down-case builtin widgets bound to gU/gu (or U/u in visual mode) for doing case conversion. - A new select-word-match function provides vim-style text objects with configurable word boundaries using the existing match-words-by-style mechanism. - Support for the conditional expression [[ -v var ]] to test if a variable is set for compatibility with other shells. - The print and printf builtins have a new option -v to assign the output to a variable. - New x: syntax in completion match specifications make it possible to disable match specifications hardcoded in completion functions. - Re-add custom zshrc and zshenv to unbreak compatibility with old usage (boo#998858). - Read /etc/profile as zsh again. - The new module zsh/param/private can be loaded to allow the shell to define parameters that are private to a function scope (i.e. are not propagated to nested functions called within this function). - The GLOB_STAR_SHORT option allows the pattern **/* to be shortened to just ** if no / follows. so **.c searches recursively for a file whose name has the suffix '.c'. - The effect of the WARN_CREATE_GLOBAL option has been significantly extended, so expect it to cause additional warning messages about parameters created globally within function scope. - The print builtin has new options -x and -X to expand tabs. - Several new command completions and numerous updates to others. - Options to 'fc' to segregate internal and shared history. - All emulations including 'sh' use multibyte by default; several repairs to multibyte handling. - ZLE supports 'bracketed paste' mode to avoid interpreting pasted newlines as accept-line. Pastes can be highlighted for visibility and to make it more obvious whether accept-line has occurred. - Improved (though still not perfect) POSIX compatibility for getopts builtin when POSIX_BUILTINS is set. - New setopt APPEND_CREATE for POSIX-compatible NO_CLOBBER behavior. - Completion of date values now displays in a calendar format when the complist module is available. Controllable by zstyle. - New parameter UNDO_LIMIT_NO for more control over ZLE undo repeat. - Several repairs/improvements to the contributed narrow-to-region ZLE function. - Many changes to child-process and signal handling to eliminate race conditions and avoid deadlocks on descriptor and memory management. - New builtin sysopen in zsh/system module for detailed control of file descriptor modes. - Fix a printf regression boo#934175 - Global aliases can be created for syntactic tokens such as command separators (';', '&', '|', '&&', '||'), redirection operators, etc. - There have been various further improvements to builtin handling with the POSIX_BUILTINS option (off by default) for compatibility with the POSIX standard. - 'whence -v' is now more informative, and 'whence -S' shows you how a full chain of symbolic links resolves to a command. - The 'p' parameter flag now allows an argument to be specified as a reference to a variable, e.g. ${(ps.$sep.)foo} to split $foo on a string given by $sep. - The option FORCE_FLOAT now forces variables, not just constants, to floating point in arithmetic expressions. - The type of an assignment in arithmetic expressions, e.g. the type seen by the variable res in $(( res = a = b )), is now more logical and C-like. - The default binding of 'u' in vi command mode has changed to undo multiple changes when invoked repeatedly. '^R' is now bound to redo changes. To revert to toggling of the last edit use: bindkey -a u vi-undo-change - Compatibility with Vim has been improved for vi editing mode. Most notably, Vim style text objects are supported and the region can be manipulated with vi commands in the same manner as Vim's visual mode. - Elements of the watch variable may now be patterns. - The logic for retrying history locking has been improved. - Fix openSUSE versions in osc completion - Add back rpm completion file (boo#900424)
    last seen 2019-02-21
    modified 2018-10-29
    plugin id 117898
    published 2018-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117898
    title openSUSE Security Update : zsh (openSUSE-2018-1094)
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-1013.NASL
    description 1553531 : Stack-based buffer overflow in exec.c:hashcmd() zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd() function. A local attacker could exploit this to cause a denial of service.(CVE-2018-1071) Stack-based buffer overflow in gen_matches_files() at compctl.c A buffer overflow flaw was found in the zsh shell auto-complete functionality. A local, unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use auto-complete to traverse the before mentioned path. If the user affected is privileged, this leads to privilege escalation.(CVE-2018-1083) Buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution A buffer overflow flaw was found in the zsh shell check path functionality. A local, unprivileged user can create a specially crafted message file, which, if used to set a custom 'you have new mail' message, leads to code execution in the context of the user who receives the message. If the user affected is privileged, this leads to privilege escalation.(CVE-2018-1100)
    last seen 2019-02-21
    modified 2018-08-31
    plugin id 109692
    published 2018-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109692
    title Amazon Linux 2 : zsh (ALAS-2018-1013)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0050.NASL
    description An update of {'perl', 'libmspack', 'zsh'} packages of Photon OS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 111305
    published 2018-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111305
    title Photon OS 2.0 : perl / libmspack / zsh (PhotonOS-PHSA-2018-2.0-0050) (deprecated)
redhat via4
advisories
  • bugzilla
    id 1563395
    title CVE-2018-1100 zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment zsh is earlier than 0:4.3.11-8.el6
          oval oval:com.redhat.rhsa:tst:20181932005
        • comment zsh is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181932006
      • AND
        • comment zsh-html is earlier than 0:4.3.11-8.el6
          oval oval:com.redhat.rhsa:tst:20181932007
        • comment zsh-html is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181932008
    rhsa
    id RHSA-2018:1932
    released 2018-06-19
    severity Moderate
    title RHSA-2018:1932: zsh security update (Moderate)
  • rhsa
    id RHSA-2018:3073
rpms
  • zsh-0:4.3.11-8.el6
  • zsh-html-0:4.3.11-8.el6
  • zsh-0:5.0.2-31.el7
  • zsh-html-0:5.0.2-31.el7
refmap via4
confirm
gentoo GLSA-201805-10
ubuntu USN-3764-1
Last major update 11-04-2018 - 15:29
Published 11-04-2018 - 15:29
Last modified 08-03-2019 - 10:14
Back to Top