Alerts This Week
Warning Icon 1 764
Alerts This Week
Warning Icon 1 764

Fedora 27 Security Update: zsh Shebang Parsing Critical Threat

fedora
Calendar Grey September 14, 2018
Dist Fedora Esm H88
Resolution for two major security vulnerabilities discovered in zsh shebang interpretation on Fedora 27. Prompt upgrade advised.
- fix two security issues in shebang line parsing (CVE-2018-0502 CVE-2018-13259)

Summary

The zsh shell is a command interpreter usable as an interactive login

shell and as a shell script command processor. Zsh resembles the ksh

shell (the Korn shell), but includes many enhancements. Zsh supports

command line editing, built-in spelling correction, programmable

command completion, shell functions (with autoloading), a history

mechanism, and more.

- fix two security issues in shebang line parsing (CVE-2018-0502 CVE-2018-13259)

* Tue Sep 4 2018 Kamil Dudka - 5.4.1-4

- fix two security issues in shebang line parsing (CVE-2018-0502 CVE-2018-13259)

* Wed Apr 18 2018 Kamil Dudka - 5.4.1-3

- fix stack-based buffer overflow in utils.c:checkmailpath() (CVE-2018-1100)

- fix stack-based buffer overflow in gen_matches_files() (CVE-2018-1083)

- fix stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071)

* Tue Mar 6 2018 Kamil Dudka - 5.4.1-2

- avoid crash when copying empty hash table (CVE-2018-7549)

- avoid NULL dereference when using ${(PA)...} on an empty array (CVE-2018-7548)

[ 1 ] Bug #1626185 - CVE-2018-13259 zsh: Improper handling of shebang line longer than 64 [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1626185

[ 2 ] Bug #1626190 - CVE-2018-0502 zsh: Improper parsing of the shebang line with special chars [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1626190

su -c 'dnf upgrade --advisory FEDORA-2018-8b1b2373b4' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Topics%20covered

Topics Covered

security advisory security issue fedora critical zsh shebang

Change Log

References

Update Instructions

Severity
critical
Lowest
Low
Medium
High
Critical

Product: Fedora 27
Version: 5.4.1
Release: 4.fc27
URL: https://zsh.sourceforge.io/
Summary: Powerful interactive shell

Topics%20covered

Topics Covered

security advisory security issue fedora critical zsh shebang

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here