Stay Secure with the Latest Linux Advisories

security advisorysecurity issuefedora

Fedora 27 Security Update: zsh Shebang Parsing Critical Threat

- fix two security issues in shebang line parsing (CVE-2018-0502 CVE-2018-13259). --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2018-8b1b2373b4 2018-09-14 21:53:10.774424 --------------------------------------------------------------------------------Name : zsh Product : Fedora 27 Version : 5.4.1 Release : 4.fc27 URL : https://zsh.sourceforge.io/ Summary : Powerful interactive shell Description : The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more. --------------------------------------------------------------------------------Update Information: - fix two security issues in shebang line parsing (CVE-2018-0502 CVE-2018-13259) --------------------------------------------------------------------------------ChangeLog: * Tue Sep 4 2018 Kamil Dudka - 5.4.1-4 - fix two security issues in shebang line parsing (CVE-2018-0502 CVE-2018-13259) * Wed Apr 18 2018 Kamil Dudka - 5.4.1-3 - fix stack-based buffer overflow in utils.c:checkmailpath() (CVE-2018-1100) - fix stack-based buffer overflow in gen_matches_files() (CVE-2018-1083) - fix stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071) * Tue Mar 6 2018 Kamil Dudka - 5.4.1-2 - avoid crash when copying empty hash table (CVE-2018-7549) - avoid NULL dereference when using ${(PA)...} on an empty array (CVE-2018-7548) --------------------------------------------------------------------------------References: [ 1 ] Bug #1626185 - CVE-2018-13259 zsh: Improper handling of shebang line longer than 64 [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1626185 [ 2 ] Bug #1626190 - CVE-2018-0502 zsh:Improper parsing of the shebang line with special chars [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1626190 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2018-8b1b2373b4' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./ . Resolution for two major security vulnerabilities discovered in zsh shebang interpretation on Fedora 27. Prompt upgrade advised.. Fedora Security Update, Zsh Shell Update, Security Issue Fix. . Severity: Critical. LinuxSecurity.com Team

Sep 14, 2018 •Critical Fedora