[SECURITY] [DLA 1335-1] zsh security update
Package : zsh
Version : 4.3.17-1+deb7u2
CVE ID : CVE-2018-1071 CVE-2018-1083
Debian Bug : 894044 894043

Two security vulnerabilities were discovered in the Z shell.

CVE-2018-1071
    Stack-based buffer overflow in the exec.c:hashcmd() function.
    A local attacker could exploit this to cause a denial of service.

CVE-2018-1083
    Buffer overflow in the shell autocomplete functionality. A local
    unprivileged user can create a specially crafted directory path which
    leads to code execution in the context of the user who tries to use
    autocomplete to traverse the aforementioned path. If the affected
    user is privileged, this leads to privilege escalation.

For Debian 7 "Wheezy", these problems have been fixed in version
4.3.17-1+deb7u2.

We recommend that you upgrade your zsh packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS