[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Pkg-zsh-devel] Wheezy update of zsh?



Hi.

On Thursday 01 March 2018 04:20 AM, Axel Beckert wrote:

[..]

> I do not demand to test the package, but I offer to do so. I actually
> feel a little bit obliged towards the LTS team to do at least that.
> :-)
> 
> So feel free to contact me (or the pkg-zsh-devel list) once a package
> is available for testing.
> 

I prepared an update[1] for zsh. Debdiff attached along with the mail.
It would be great if you do some testing.

[..]
> 		Regards, Axel
> 

Thanks
-abhijith
wearing Debian LTS member hat.


[1]
https://mentors.debian.net/debian/pool/main/z/zsh/zsh_4.3.17-1+deb7u1.dsc
build: http://159.65.202.84/
diff -Nru zsh-4.3.17/debian/changelog zsh-4.3.17/debian/changelog
--- zsh-4.3.17/debian/changelog	2012-02-29 05:05:54.000000000 +0530
+++ zsh-4.3.17/debian/changelog	2018-03-05 21:34:11.000000000 +0530
@@ -1,3 +1,18 @@
+zsh (4.3.17-1+deb7u1) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * Fix CVE-2014-10070: privilege-elevation contexts when the
+    environment has not been properly sanitized
+  * Fix CVE-2014-10071: buffer overflow for very long fds in the
+    ">& fd" syntax in exec.c
+  * Fix CVE-2014-10072: buffer overflow when scanning very long
+    directory paths for symbolic links
+  * Fix CVE-2016-10714: off-by-one error resulted in undersized buffers
+    that were intended to support PATH_MAX
+  * Fix CVE-2017-18206: symlink expansion has buffer overflow
+
+ -- Abhijith PA <abhijith@disroot.org>  Mon, 05 Mar 2018 16:04:11 +0000
+
 zsh (4.3.17-1) unstable; urgency=low
 
   * New upstream release
diff -Nru zsh-4.3.17/debian/patches/CVE-2014-10070.patch zsh-4.3.17/debian/patches/CVE-2014-10070.patch
--- zsh-4.3.17/debian/patches/CVE-2014-10070.patch	1970-01-01 05:30:00.000000000 +0530
+++ zsh-4.3.17/debian/patches/CVE-2014-10070.patch	2018-03-05 19:40:59.000000000 +0530
@@ -0,0 +1,105 @@
+Description: Fix CVE-2014-10070
+ Zsh version before 5.0.7 allows evaluation of the initial values of integer 
+ variables imported from the environment (instead of treating them as literal 
+ numbers). That could allow local privilege escalation, under some specific and 
+ atypical conditions where zsh is being invoked in privilege-elevation contexts
+ when the environment has not been properly sanitized, such as when zsh is 
+ invoked by sudo on systems where "env_reset" has been disabled 
+ .
+ This patch tries to safely import numerical variables from environment.
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://sourceforge.net/p/zsh/code/ci/546203a770cec329e73781c3c8ab1078390aee72
+Last-Update: 2018-03-04
+
+--- zsh-4.3.17.orig/Src/params.c
++++ zsh-4.3.17/Src/params.c
+@@ -318,9 +318,12 @@ IPDEF4("ZSH_SUBSHELL", &zsh_subshell),
+ #define IPDEF5(A,B,F) {{NULL,A,PM_INTEGER|PM_SPECIAL},BR((void *)B),GSU(varinteger_gsu),10,0,NULL,NULL,NULL,0}
+ IPDEF5("COLUMNS", &zterm_columns, zlevar_gsu),
+ IPDEF5("LINES", &zterm_lines, zlevar_gsu),
+-IPDEF5("OPTIND", &zoptind, varinteger_gsu),
+ IPDEF5("SHLVL", &shlvl, varinteger_gsu),
+-IPDEF5("TRY_BLOCK_ERROR", &try_errflag, varinteger_gsu),
++
++/* Don't import internal integer status variables. */
++#define IPDEF6(A,B,F) {{NULL,A,PM_INTEGER|PM_SPECIAL|PM_DONTIMPORT},BR((void *)B),GSU(F),10,0,NULL,NULL,NULL,0}
++IPDEF6("OPTIND", &zoptind, varinteger_gsu),
++IPDEF6("TRY_BLOCK_ERROR", &try_errflag, varinteger_gsu),
+ 
+ #define IPDEF7(A,B) {{NULL,A,PM_SCALAR|PM_SPECIAL},BR((void *)B),GSU(varscalar_gsu),0,0,NULL,NULL,NULL,0}
+ IPDEF7("OPTARG", &zoptarg),
+@@ -733,7 +736,8 @@ createparamtable(void)
+ 	    if (!idigit(*iname) && isident(iname) && !strchr(iname, '[')) {
+ 		if ((!(pm = (Param) paramtab->getnode(paramtab, iname)) ||
+ 		     !(pm->node.flags & PM_DONTIMPORT || pm->node.flags & PM_EXPORTED)) &&
+-		    (pm = setsparam(iname, metafy(ivalue, -1, META_DUP)))) {
++		    (pm = assignsparam(iname, metafy(ivalue, -1, META_DUP),
++                                       ASSPM_ENV_IMPORT))) {
+ 		    pm->node.flags |= PM_EXPORTED;
+ 		    if (pm->node.flags & PM_SPECIAL)
+ 			pm->env = mkenvstr (pm->node.nam,
+@@ -2249,6 +2253,13 @@ export_param(Param pm)
+ mod_export void
+ setstrvalue(Value v, char *val)
+ {
++    assignstrvalue(v, val, 0);
++}
++
++/**/
++mod_export void
++assignstrvalue(Value v, char *val, int flags)
++{
+     if (unset(EXECOPT))
+ 	return;
+     if (v->pm->node.flags & PM_READONLY) {
+@@ -2325,7 +2336,13 @@ setstrvalue(Value v, char *val)
+ 	break;
+     case PM_INTEGER:
+ 	if (val) {
+-	    v->pm->gsu.i->setfn(v->pm, mathevali(val));
++	    zlong ival;
++	    if (flags & ASSPM_ENV_IMPORT) {
++		char *ptr;
++		ival = zstrtol(val, &ptr, 0);
++	    } else
++		ival = mathevali(val);
++	    v->pm->gsu.i->setfn(v->pm, ival);
+ 	    if ((v->pm->node.flags & (PM_LEFT | PM_RIGHT_B | PM_RIGHT_Z)) &&
+ 		!v->pm->width)
+ 		v->pm->width = strlen(val);
+@@ -2337,7 +2354,13 @@ setstrvalue(Value v, char *val)
+     case PM_EFLOAT:
+     case PM_FFLOAT:
+ 	if (val) {
+-	    mnumber mn = matheval(val);
++	    mnumber mn;
++	    if (flags & ASSPM_ENV_IMPORT) {
++		char *ptr;
++		mn.type = MN_FLOAT;
++		mn.u.d = strtod(val, &ptr);
++	    } else
++		mn = matheval(val);
+ 	    v->pm->gsu.f->setfn(v->pm, (mn.type & MN_FLOAT) ? mn.u.d :
+ 			       (double)mn.u.l);
+ 	    if ((v->pm->node.flags & (PM_LEFT | PM_RIGHT_B | PM_RIGHT_Z)) &&
+@@ -2720,7 +2743,7 @@ assignsparam(char *s, char *val, int fla
+ 	}
+     }
+     
+-    setstrvalue(v, val);
++    assignstrvalue(v, val, flags);
+     unqueue_signals();
+     return v->pm;
+ }
+--- zsh-4.3.17.orig/Src/zsh.h
++++ zsh-4.3.17/Src/zsh.h
+@@ -1726,7 +1726,8 @@ struct paramdef {
+  */
+ enum {
+     ASSPM_AUGMENT = 1 << 0,
+-    ASSPM_WARN_CREATE = 1 << 1
++    ASSPM_WARN_CREATE = 1 << 1,
++    ASSPM_ENV_IMPORT = 1 << 2
+ };
+ 
+ /* node for named directory hash table (nameddirtab) */
diff -Nru zsh-4.3.17/debian/patches/CVE-2014-10071.patch zsh-4.3.17/debian/patches/CVE-2014-10071.patch
--- zsh-4.3.17/debian/patches/CVE-2014-10071.patch	1970-01-01 05:30:00.000000000 +0530
+++ zsh-4.3.17/debian/patches/CVE-2014-10071.patch	2018-03-05 19:40:59.000000000 +0530
@@ -0,0 +1,19 @@
+Description: Fix CVE-2014-10071
+ In exec.c in zsh before 5.0.7, there is a buffer overflow for very long fds 
+ in the ">& fd" syntax.
+ 
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://sourceforge.net/p/zsh/code/ci/49a3086bb67575435251c70ee598e2fd406ef055
+Last-Update: 2018-03-04
+
+--- zsh-4.3.17.orig/Src/exec.c
++++ zsh-4.3.17/Src/exec.c
+@@ -3080,7 +3080,7 @@ execcmd(Estate state, int input, int out
+ 		    fil = dup(fd);
+ 		}
+ 		if (fil == -1) {
+-		    char fdstr[4];
++		    char fdstr[DIGBUFSIZE];
+ 
+ 		    closemnodes(mfds);
+ 		    fixfds(save);
diff -Nru zsh-4.3.17/debian/patches/CVE-2014-10072.patch zsh-4.3.17/debian/patches/CVE-2014-10072.patch
--- zsh-4.3.17/debian/patches/CVE-2014-10072.patch	1970-01-01 05:30:00.000000000 +0530
+++ zsh-4.3.17/debian/patches/CVE-2014-10072.patch	2018-03-05 19:41:00.000000000 +0530
@@ -0,0 +1,85 @@
+Description: Fix CVE-2014-10072
+  In utils.c in zsh before 5.0.6, there is a buffer overflow when scanning very 
+  long directory paths for symbolic links.
+ 
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://sourceforge.net/p/zsh/code/ci/3e06aeabd8a9e8384ebaa8b08996cd1f64737210
+Last-Update: 2018-03-04
+
+Index: zsh-4.3.17/Src/utils.c
+===================================================================
+--- zsh-4.3.17.orig/Src/utils.c
++++ zsh-4.3.17/Src/utils.c
+@@ -721,32 +721,37 @@ xsymlinks(char *s)
+     char **pp, **opp;
+     char xbuf2[PATH_MAX*2], xbuf3[PATH_MAX*2];
+     int t0, ret = 0;
++    zulong xbuflen = strlen(xbuf);
+ 
+     opp = pp = slashsplit(s);
+-    for (; *pp; pp++) {
+-	if (!strcmp(*pp, ".")) {
+-	    zsfree(*pp);
++    for (; xbuflen < sizeof(xbuf) && *pp; pp++) {
++        if (!strcmp(*pp, "."))
+ 	    continue;
+-	}
++
+ 	if (!strcmp(*pp, "..")) {
+ 	    char *p;
+ 
+-	    zsfree(*pp);
+ 	    if (!strcmp(xbuf, "/"))
+ 		continue;
+ 	    if (!*xbuf)
+ 		continue;
+-	    p = xbuf + strlen(xbuf);
+-	    while (*--p != '/');
++	    p = xbuf + xbuflen;
++	    while (*--p != '/')
++		xbuflen--;
+ 	    *p = '\0';
+ 	    continue;
+ 	}
+ 	sprintf(xbuf2, "%s/%s", xbuf, *pp);
+ 	t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);
+ 	if (t0 == -1) {
+-	    strcat(xbuf, "/");
+-	    strcat(xbuf, *pp);
+-	    zsfree(*pp);
++	    zulong pplen = strlen(*pp) + 1;
++	    if ((xbuflen += pplen) < sizeof(xbuf)) {
++		strcat(xbuf, "/");
++		strcat(xbuf, *pp);
++	    } else {
++		*xbuf = 0;
++		break;
++	    }
+ 	} else {
+ 	    ret = 1;
+ 	    metafy(xbuf3, t0, META_NOALLOC);
+@@ -755,10 +760,9 @@ xsymlinks(char *s)
+ 		xsymlinks(xbuf3 + 1);
+ 	    } else
+ 		xsymlinks(xbuf3);
+-	    zsfree(*pp);
+-	}
++	    }
+     }
+-    free(opp);
++    freearray(opp);
+     return ret;
+ }
+ 
+@@ -775,8 +779,10 @@ xsymlink(char *s)
+ 	return NULL;
+     *xbuf = '\0';
+     xsymlinks(s + 1);
+-    if (!*xbuf)
++    if (!*xbuf) {
++	zwarn("path expansion failed, using root directory");
+ 	return ztrdup("/");
++    }
+     return ztrdup(xbuf);
+ }
+ 
diff -Nru zsh-4.3.17/debian/patches/CVE-2016-10714.patch zsh-4.3.17/debian/patches/CVE-2016-10714.patch
--- zsh-4.3.17/debian/patches/CVE-2016-10714.patch	1970-01-01 05:30:00.000000000 +0530
+++ zsh-4.3.17/debian/patches/CVE-2016-10714.patch	2018-03-05 21:19:34.000000000 +0530
@@ -0,0 +1,216 @@
+Description: Fix CVE-2016-10714
+ n zsh before 5.3, an off-by-one error resulted in undersized buffers that were 
+ intended to support PATH_MAX characters.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://sourceforge.net/p/zsh/code/ci/a62e1640bcafbb82d86ea8d8ce057a83c4683d60
+Last-Update: 2018-03-05
+
+Index: zsh-4.3.17/Src/Zle/compctl.c
+===================================================================
+--- zsh-4.3.17.orig/Src/Zle/compctl.c
++++ zsh-4.3.17/Src/Zle/compctl.c
+@@ -2136,7 +2136,7 @@ gen_matches_files(int dirs, int execs, i
+ {
+     DIR *d;
+     struct stat buf;
+-    char *n, p[PATH_MAX], *q = NULL, *e, *pathpref;
++    char *n, p[PATH_MAX+1], *q = NULL, *e, *pathpref;
+     LinkList l = NULL;
+     int ns = 0, ng = opts[NULLGLOB], test, aw = addwhat, pathpreflen;
+ 
+Index: zsh-4.3.17/Src/builtin.c
+===================================================================
+--- zsh-4.3.17.orig/Src/builtin.c
++++ zsh-4.3.17/Src/builtin.c
+@@ -936,7 +936,7 @@ cd_do_chdir(char *cnam, char *dest, int
+      * Normalize path under Cygwin to avoid messing with
+      * DOS style names with drives in them
+      */
+-    static char buf[PATH_MAX];
++    static char buf[PATH_MAX+1];
+ #ifndef _SYS_CYGWIN_H
+     void cygwin_conv_to_posix_path(const char *, char *);
+ #endif
+Index: zsh-4.3.17/Src/compat.c
+===================================================================
+--- zsh-4.3.17.orig/Src/compat.c
++++ zsh-4.3.17/Src/compat.c
+@@ -270,7 +270,7 @@ zgetdir(struct dirsav *d)
+     int len;
+ #endif
+ 
+-    buf = zhalloc(bufsiz = PATH_MAX);
++    buf = zhalloc(bufsiz = PATH_MAX+1);
+     pos = bufsiz - 1;
+     buf[pos] = '\0';
+     strcpy(nbuf, "../");
+@@ -439,7 +439,7 @@ zgetcwd(void)
+ 	    free(cwd);
+ 	}
+ #else
+-	char *cwdbuf = zalloc(PATH_MAX);
++	char *cwdbuf = zalloc(PATH_MAX+1);
+ 	ret = getcwd(cwdbuf, PATH_MAX);
+ 	if (ret)
+ 	    ret = dupstring(ret);
+Index: zsh-4.3.17/Src/exec.c
+===================================================================
+--- zsh-4.3.17.orig/Src/exec.c
++++ zsh-4.3.17/Src/exec.c
+@@ -424,7 +424,7 @@ static int
+ zexecve(char *pth, char **argv, char **newenvp)
+ {
+     int eno;
+-    static char buf[PATH_MAX * 2];
++    static char buf[PATH_MAX * 2+1];
+     char **eep;
+ 
+     unmetafy(pth, NULL);
+@@ -560,7 +560,7 @@ static void
+ execute(LinkList args, int flags, int defpath)
+ {
+     Cmdnam cn;
+-    char buf[MAXCMDLEN], buf2[MAXCMDLEN];
++    char buf[MAXCMDLEN+1], buf2[MAXCMDLEN+1];
+     char *s, *z, *arg0;
+     char **argv, **pp, **newenvp = NULL;
+     int eno = 0, ee;
+@@ -641,7 +641,7 @@ execute(LinkList args, int flags, int de
+ 
+     /* for command -p, search the default path */
+     if (defpath) {
+-	char *s, pbuf[PATH_MAX];
++	char *s, pbuf[PATH_MAX+1];
+ 	char *dptr, *pe, *ps = DEFAULT_PATH;
+ 
+ 	for(;ps;ps = pe ? pe+1 : NULL) {
+@@ -678,7 +678,7 @@ execute(LinkList args, int flags, int de
+     } else {
+ 
+ 	if ((cn = (Cmdnam) cmdnamtab->getnode(cmdnamtab, arg0))) {
+-	    char nn[PATH_MAX], *dptr;
++	    char nn[PATH_MAX+1], *dptr;
+ 
+ 	    if (cn->node.flags & HASHED)
+ 		strcpy(nn, cn->u.cmd);
+@@ -763,7 +763,7 @@ findcmd(char *arg0, int docopy)
+ 	    break;
+ 	}
+     if (cn) {
+-	char nn[PATH_MAX];
++	char nn[PATH_MAX+1];
+ 
+ 	if (cn->node.flags & HASHED)
+ 	    strcpy(nn, cn->u.cmd);
+@@ -844,7 +844,7 @@ mod_export Cmdnam
+ hashcmd(char *arg0, char **pp)
+ {
+     Cmdnam cn;
+-    char *s, buf[PATH_MAX];
++    char *s, buf[PATH_MAX+1];
+     char **pq;
+ 
+     for (; *pp; pp++)
+@@ -4729,7 +4729,7 @@ runshfunc(Eprog prog, FuncWrap wrap, cha
+ Eprog
+ getfpfunc(char *s, int *ksh, char **fname)
+ {
+-    char **pp, buf[PATH_MAX];
++    char **pp, buf[PATH_MAX+1];
+     off_t len;
+     off_t rlen;
+     char *d;
+@@ -4857,7 +4857,7 @@ cancd(char *s)
+     char *t;
+ 
+     if (*s != '/') {
+-	char sbuf[PATH_MAX], **cp;
++	char sbuf[PATH_MAX+1], **cp;
+ 
+ 	if (cancd2(s))
+ 	    return s;
+Index: zsh-4.3.17/Src/glob.c
+===================================================================
+--- zsh-4.3.17.orig/Src/glob.c
++++ zsh-4.3.17/Src/glob.c
+@@ -267,7 +267,7 @@ addpath(char *s, int l)
+ static int
+ statfullpath(const char *s, struct stat *st, int l)
+ {
+-    char buf[PATH_MAX];
++    char buf[PATH_MAX+1];
+ 
+     DPUTS(strlen(s) + !*s + pathpos - pathbufcwd >= PATH_MAX,
+ 	  "BUG: statfullpath(): pathname too long");
+@@ -771,7 +771,7 @@ parsepat(char *str)
+ 
+     /* Now there is no (#X) in front, we can check the path. */
+     if (!pathbuf)
+-	pathbuf = zalloc(pathbufsz = PATH_MAX);
++	pathbuf = zalloc(pathbufsz = PATH_MAX+1);
+     DPUTS(pathbufcwd, "BUG: glob changed directory");
+     if (*str == '/') {		/* pattern has absolute path */
+ 	str++;
+Index: zsh-4.3.17/Src/hist.c
+===================================================================
+--- zsh-4.3.17.orig/Src/hist.c
++++ zsh-4.3.17/Src/hist.c
+@@ -1621,7 +1621,7 @@ chrealpath(char **junkptr)
+     char *lastpos, *nonreal, *real;
+ #else
+ # ifdef HAVE_REALPATH
+-    char *lastpos, *nonreal, real[PATH_MAX];
++    char *lastpos, *nonreal, real[PATH_MAX+1];
+ # endif
+ #endif
+ 
+Index: zsh-4.3.17/Src/utils.c
+===================================================================
+--- zsh-4.3.17.orig/Src/utils.c
++++ zsh-4.3.17/Src/utils.c
+@@ -679,7 +679,7 @@ ispwd(char *s)
+     return 0;
+ }
+ 
+-static char xbuf[PATH_MAX*2];
++static char xbuf[PATH_MAX*2+1];
+ 
+ /**/
+ static char **
+@@ -719,7 +719,7 @@ static int
+ xsymlinks(char *s)
+ {
+     char **pp, **opp;
+-    char xbuf2[PATH_MAX*2], xbuf3[PATH_MAX*2];
++    char xbuf2[PATH_MAX*2+1], xbuf3[PATH_MAX*2+1];
+     int t0, ret = 0;
+     zulong xbuflen = strlen(xbuf);
+ 
+@@ -913,7 +913,7 @@ finddir(char *s)
+ 	if(homenode.diff==1)
+ 	    homenode.diff = 0;
+ 	if(!finddir_full)
+-	    finddir_full = zalloc(ffsz = PATH_MAX);
++	    finddir_full = zalloc(ffsz = PATH_MAX+1);
+ 	finddir_full[0] = 0;
+ 	return finddir_last = NULL;
+     }
+@@ -1401,7 +1401,7 @@ checkmailpath(char **s)
+ 	} else if (S_ISDIR(st.st_mode)) {
+ 	    LinkList l;
+ 	    DIR *lock = opendir(unmeta(*s));
+-	    char buf[PATH_MAX * 2], **arr, **ap;
++	    char buf[PATH_MAX * 2 + 1], **arr, **ap;
+ 	    int ct = 1;
+ 
+ 	    if (lock) {
+@@ -5774,7 +5774,7 @@ strsfx(char *s, char *t)
+ static int
+ upchdir(int n)
+ {
+-    char buf[PATH_MAX];
++    char buf[PATH_MAX+1];
+     char *s;
+     int err = -1;
+ 
diff -Nru zsh-4.3.17/debian/patches/CVE-2017-18206.patch zsh-4.3.17/debian/patches/CVE-2017-18206.patch
--- zsh-4.3.17/debian/patches/CVE-2017-18206.patch	1970-01-01 05:30:00.000000000 +0530
+++ zsh-4.3.17/debian/patches/CVE-2017-18206.patch	2018-03-05 21:20:03.000000000 +0530
@@ -0,0 +1,39 @@
+Description: Fix CVE-2017-18206
+ In utils.c in zsh before 5.4, symlink expansion had a buffer overflow.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://sourceforge.net/p/zsh/code/ci/c7a9cf465dd620ef48d586026944d9bd7a0d5d6d
+Last-Update: 2018-03-05
+
+--- zsh-4.3.17.orig/Src/utils.c
++++ zsh-4.3.17/Src/utils.c
+@@ -721,7 +721,7 @@ xsymlinks(char *s)
+     char **pp, **opp;
+     char xbuf2[PATH_MAX*2+1], xbuf3[PATH_MAX*2+1];
+     int t0, ret = 0;
+-    zulong xbuflen = strlen(xbuf);
++    zulong xbuflen = strlen(xbuf), pplen;
+ 
+     opp = pp = slashsplit(s);
+     for (; xbuflen < sizeof(xbuf) && *pp; pp++) {
+@@ -741,10 +741,18 @@ xsymlinks(char *s)
+ 	    *p = '\0';
+ 	    continue;
+ 	}
+-	sprintf(xbuf2, "%s/%s", xbuf, *pp);
++	/* Includes null byte. */
++	pplen = strlen(*pp) + 1;
++	if (xbuflen + pplen + 1 > sizeof(xbuf2)) {
++	    *xbuf = 0;
++	    ret = -1;
++	    break;
++	}
++	memcpy(xbuf2, xbuf, xbuflen);
++	xbuf2[xbuflen] = '/';
++	memcpy(xbuf2 + xbuflen + 1, *pp, pplen);
+ 	t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);
+ 	if (t0 == -1) {
+-	    zulong pplen = strlen(*pp) + 1;
+ 	    if ((xbuflen += pplen) < sizeof(xbuf)) {
+ 		strcat(xbuf, "/");
+ 		strcat(xbuf, *pp);
diff -Nru zsh-4.3.17/debian/patches/series zsh-4.3.17/debian/patches/series
--- zsh-4.3.17/debian/patches/series	2012-02-28 04:21:40.000000000 +0530
+++ zsh-4.3.17/debian/patches/series	2018-03-05 21:20:28.000000000 +0530
@@ -1,2 +1,7 @@
 deb_0000_at_configure.diff
 deb_0001_at_config_h_in.diff
+CVE-2014-10070.patch
+CVE-2014-10071.patch
+CVE-2014-10072.patch
+CVE-2016-10714.patch
+CVE-2017-18206.patch

Reply to: