
openSUSE Leap 42.3: 2018:2966-1 Critical: zsh Exec Vulnerability

October 2, 2018
An important openSUSE patch resolves 5 security vulnerabilities in zsh, tackling issues like buffer overflows and execution weaknesses.
An update that solves 5 vulnerabilities and has four fixes is now available.

Description

This update for zsh to version 5.6.2 fixes the following issues:

These security issues were fixed:

- CVE-2018-0502: The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line (bsc#1107296)
- CVE-2018-13259: Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one (bsc#1107294)
- CVE-2018-1100: Prevent stack-based buffer overflow in the utils.c:checkmailpath function that allowed local attackers to execute arbitrary code in the context of another user (bsc#1089030).
- CVE-2018-1071: Prevent stack-based buffer overflow in the exec.c:hashcmd() function that allowed local attackers to cause a denial of service (bsc#1084656).
- CVE-2018-1083: Prevent buffer overflow in the shell autocomplete functionality that allowed local unprivileged users to create a
...


Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1094=1

Package List

- openSUSE Leap 42.3 (x86_64):

zsh-5.6.2-9.6.1

zsh-debuginfo-5.6.2-9.6.1

zsh-debugsource-5.6.2-9.6.1

zsh-htmldoc-5.6.2-9.6.1
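Two checks worth running after reading the description and package list above, written here as an added example (this is not SUSE's or the zsh project's code). The first compares an installed zsh version-release string against the fixed package 5.6.2-9.6.1 named in the package list; the second walks a directory and reports scripts whose #! line is longer than 64 characters, the boundary CVE-2018-13259 describes, since on an unpatched zsh such a line is truncated before the execve. The function names, the awk-based comparator and the two sample scripts built in demo() are constructed for this example; the version and the 64-character limit come from the advisory.

```shell
#!/bin/sh
# Added example, not part of the openSUSE advisory.
#   zsh_is_patched VERSION-RELEASE : exit 0 if at or above 5.6.2-9.6.1
#   find_long_shebangs DIR         : print "LENGTH PATH" for #! lines > 64 chars
# Fixed version from the advisory's package list (zsh-5.6.2-9.6.1).
FIXED_ZSH="5.6.2-9.6.1"

# Compare two version strings field by field, splitting on '.' and '-'.
# Prints -1, 0 or 1 (strcmp style). Uses awk so it runs in plain POSIX sh.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) { print -1; exit }
      if (xi > yi) { print 1; exit }
    }
    print 0
  }'
}

# On a real host: zsh_is_patched "$(rpm -q --qf '%{VERSION}-%{RELEASE}' zsh)"
zsh_is_patched() {
  [ "$(vercmp "$1" "$FIXED_ZSH")" -ge 0 ]
}

# Report every regular file under DIR whose first line is a #! line longer
# than 64 characters (the count includes the "#!" prefix itself).
find_long_shebangs() {
  find "$1" -type f | while IFS= read -r f; do
    line=""
    IFS= read -r line < "$f" || :
    case $line in
      '#!'*)
        if [ "${#line}" -gt 64 ]; then
          printf '%s %s\n' "${#line}" "$f"
        fi
        ;;
    esac
  done
  return 0
}

# Build a scratch directory holding two constructed scripts, one with a
# 10-character shebang and one with a 67-character shebang, scan it, and
# print how many over-long shebangs were found (1 for this sample).
demo() {
  dir=$(mktemp -d)
  long_interp="/opt/very/long/path/to/an/interpreter/installation/prefix/bin/zsh"
  printf '#!/bin/zsh\necho short\n' > "$dir/short.sh"
  printf '#!%s\necho long\n' "$long_interp" > "$dir/long.sh"
  n=$(find_long_shebangs "$dir" | wc -l | tr -d ' ')
  rm -rf "$dir"
  echo "$n"
}

demo
```

The 64-character figure is exactly what the advisory states; a script that trips the scanner is not itself vulnerable, but until the patched package is installed its interpreter path is the one zsh will truncate, so such scripts are the ones to review first.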

References

https://www.suse.com/security/cve/CVE-2018-0502.html

https://www.suse.com/security/cve/CVE-2018-1071.html

https://www.suse.com/security/cve/CVE-2018-1083.html

https://www.suse.com/security/cve/CVE-2018-1100.html

https://www.suse.com/security/cve/CVE-2018-13259.html

https://bugzilla.suse.com/1019130

https://bugzilla.suse.com/1084656

https://bugzilla.suse.com/1087026

https://bugzilla.suse.com/1089030

https://bugzilla.suse.com/1107294

https://bugzilla.suse.com/1107296

https://bugzilla.suse.com/900424

https://bugzilla.suse.com/934175

https://bugzilla.suse.com/998858


Announcement ID: openSUSE-SU-2018:2966-1
Rating: important
Affected Products: openSUSE Leap 42.3
