Re: [Pkg-zsh-devel] Wheezy update of zsh?
Hi.
On Thursday 01 March 2018 04:20 AM, Axel Beckert wrote:
[..]
> I do not demand to test the package, but I offer to do so. I actually
> feel a little bit obliged towards the LTS team to do at least that.
> :-)
>
> So feel free to contact me (or the pkg-zsh-devel list) once a package
> is available for testing.
>
I prepared an update[1] for zsh; the debdiff is attached to this mail.
It would be great if you could do some testing.
[..]
> Regards, Axel
>
Thanks
-abhijith
wearing Debian LTS member hat.
[1]
https://mentors.debian.net/debian/pool/main/z/zsh/zsh_4.3.17-1+deb7u1.dsc
build: http://159.65.202.84/
diff -Nru zsh-4.3.17/debian/changelog zsh-4.3.17/debian/changelog
--- zsh-4.3.17/debian/changelog 2012-02-29 05:05:54.000000000 +0530
+++ zsh-4.3.17/debian/changelog 2018-03-05 21:34:11.000000000 +0530
@@ -1,3 +1,18 @@
+zsh (4.3.17-1+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * Fix CVE-2014-10070: privilege-elevation contexts when the
+ environment has not been properly sanitized
+ * Fix CVE-2014-10071: buffer overflow for very long fds in the
+ ">& fd" syntax in exec.c
+ * Fix CVE-2014-10072: buffer overflow when scanning very long
+ directory paths for symbolic links
+ * Fix CVE-2016-10714: off-by-one error resulted in undersized buffers
+ that were intended to support PATH_MAX
+ * Fix CVE-2017-18206: symlink expansion has buffer overflow
+
+ -- Abhijith PA <abhijith@disroot.org> Mon, 05 Mar 2018 16:04:11 +0000
+
zsh (4.3.17-1) unstable; urgency=low
* New upstream release
diff -Nru zsh-4.3.17/debian/patches/CVE-2014-10070.patch zsh-4.3.17/debian/patches/CVE-2014-10070.patch
--- zsh-4.3.17/debian/patches/CVE-2014-10070.patch 1970-01-01 05:30:00.000000000 +0530
+++ zsh-4.3.17/debian/patches/CVE-2014-10070.patch 2018-03-05 19:40:59.000000000 +0530
@@ -0,0 +1,105 @@
+Description: Fix CVE-2014-10070
+ Zsh version before 5.0.7 allows evaluation of the initial values of integer
+ variables imported from the environment (instead of treating them as literal
+ numbers). That could allow local privilege escalation, under some specific and
+ atypical conditions where zsh is being invoked in privilege-elevation contexts
+ when the environment has not been properly sanitized, such as when zsh is
+ invoked by sudo on systems where "env_reset" has been disabled
+ .
+ This patch tries to safely import numerical variables from environment.
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://sourceforge.net/p/zsh/code/ci/546203a770cec329e73781c3c8ab1078390aee72
+Last-Update: 2018-03-04
+
+--- zsh-4.3.17.orig/Src/params.c
++++ zsh-4.3.17/Src/params.c
+@@ -318,9 +318,12 @@ IPDEF4("ZSH_SUBSHELL", &zsh_subshell),
+ #define IPDEF5(A,B,F) {{NULL,A,PM_INTEGER|PM_SPECIAL},BR((void *)B),GSU(varinteger_gsu),10,0,NULL,NULL,NULL,0}
+ IPDEF5("COLUMNS", &zterm_columns, zlevar_gsu),
+ IPDEF5("LINES", &zterm_lines, zlevar_gsu),
+-IPDEF5("OPTIND", &zoptind, varinteger_gsu),
+ IPDEF5("SHLVL", &shlvl, varinteger_gsu),
+-IPDEF5("TRY_BLOCK_ERROR", &try_errflag, varinteger_gsu),
++
++/* Don't import internal integer status variables. */
++#define IPDEF6(A,B,F) {{NULL,A,PM_INTEGER|PM_SPECIAL|PM_DONTIMPORT},BR((void *)B),GSU(F),10,0,NULL,NULL,NULL,0}
++IPDEF6("OPTIND", &zoptind, varinteger_gsu),
++IPDEF6("TRY_BLOCK_ERROR", &try_errflag, varinteger_gsu),
+
+ #define IPDEF7(A,B) {{NULL,A,PM_SCALAR|PM_SPECIAL},BR((void *)B),GSU(varscalar_gsu),0,0,NULL,NULL,NULL,0}
+ IPDEF7("OPTARG", &zoptarg),
+@@ -733,7 +736,8 @@ createparamtable(void)
+ if (!idigit(*iname) && isident(iname) && !strchr(iname, '[')) {
+ if ((!(pm = (Param) paramtab->getnode(paramtab, iname)) ||
+ !(pm->node.flags & PM_DONTIMPORT || pm->node.flags & PM_EXPORTED)) &&
+- (pm = setsparam(iname, metafy(ivalue, -1, META_DUP)))) {
++ (pm = assignsparam(iname, metafy(ivalue, -1, META_DUP),
++ ASSPM_ENV_IMPORT))) {
+ pm->node.flags |= PM_EXPORTED;
+ if (pm->node.flags & PM_SPECIAL)
+ pm->env = mkenvstr (pm->node.nam,
+@@ -2249,6 +2253,13 @@ export_param(Param pm)
+ mod_export void
+ setstrvalue(Value v, char *val)
+ {
++ assignstrvalue(v, val, 0);
++}
++
++/**/
++mod_export void
++assignstrvalue(Value v, char *val, int flags)
++{
+ if (unset(EXECOPT))
+ return;
+ if (v->pm->node.flags & PM_READONLY) {
+@@ -2325,7 +2336,13 @@ setstrvalue(Value v, char *val)
+ break;
+ case PM_INTEGER:
+ if (val) {
+- v->pm->gsu.i->setfn(v->pm, mathevali(val));
++ zlong ival;
++ if (flags & ASSPM_ENV_IMPORT) {
++ char *ptr;
++ ival = zstrtol(val, &ptr, 0);
++ } else
++ ival = mathevali(val);
++ v->pm->gsu.i->setfn(v->pm, ival);
+ if ((v->pm->node.flags & (PM_LEFT | PM_RIGHT_B | PM_RIGHT_Z)) &&
+ !v->pm->width)
+ v->pm->width = strlen(val);
+@@ -2337,7 +2354,13 @@ setstrvalue(Value v, char *val)
+ case PM_EFLOAT:
+ case PM_FFLOAT:
+ if (val) {
+- mnumber mn = matheval(val);
++ mnumber mn;
++ if (flags & ASSPM_ENV_IMPORT) {
++ char *ptr;
++ mn.type = MN_FLOAT;
++ mn.u.d = strtod(val, &ptr);
++ } else
++ mn = matheval(val);
+ v->pm->gsu.f->setfn(v->pm, (mn.type & MN_FLOAT) ? mn.u.d :
+ (double)mn.u.l);
+ if ((v->pm->node.flags & (PM_LEFT | PM_RIGHT_B | PM_RIGHT_Z)) &&
+@@ -2720,7 +2743,7 @@ assignsparam(char *s, char *val, int fla
+ }
+ }
+
+- setstrvalue(v, val);
++ assignstrvalue(v, val, flags);
+ unqueue_signals();
+ return v->pm;
+ }
+--- zsh-4.3.17.orig/Src/zsh.h
++++ zsh-4.3.17/Src/zsh.h
+@@ -1726,7 +1726,8 @@ struct paramdef {
+ */
+ enum {
+ ASSPM_AUGMENT = 1 << 0,
+- ASSPM_WARN_CREATE = 1 << 1
++ ASSPM_WARN_CREATE = 1 << 1,
++ ASSPM_ENV_IMPORT = 1 << 2
+ };
+
+ /* node for named directory hash table (nameddirtab) */
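Review bot: The `ptr` out-parameter of `zstrtol` (and of `strtod` in the float case) in the new `ASSPM_ENV_IMPORT` branches of `assignstrvalue` is never examined, so an environment value such as `SHLVL=3;x` is silently imported as 3 instead of being rejected; that is harmless compared with the evaluation this patch removes, but the truncation deserves a comment, e.g. `/* env import: parse a literal number only; trailing text is ignored, never evaluated */`. With base 0, zstrtol presumably treats a leading `0`/`0x` as octal/hex, so `SHLVL=010` would import as 8 — confirm that matches upstream's intent before shipping. A cheap regression check for the changelog entry is `OPTIND='2+2' zsh -c 'echo $OPTIND'`, which should now print the shell's default, since OPTIND carries PM_DONTIMPORT and is skipped by the check in createparamtable. Both createparamtable and assignstrvalue continue outside the quoted context.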
diff -Nru zsh-4.3.17/debian/patches/CVE-2014-10071.patch zsh-4.3.17/debian/patches/CVE-2014-10071.patch
--- zsh-4.3.17/debian/patches/CVE-2014-10071.patch 1970-01-01 05:30:00.000000000 +0530
+++ zsh-4.3.17/debian/patches/CVE-2014-10071.patch 2018-03-05 19:40:59.000000000 +0530
@@ -0,0 +1,19 @@
+Description: Fix CVE-2014-10071
+ In exec.c in zsh before 5.0.7, there is a buffer overflow for very long fds
+ in the ">& fd" syntax.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://sourceforge.net/p/zsh/code/ci/49a3086bb67575435251c70ee598e2fd406ef055
+Last-Update: 2018-03-04
+
+--- zsh-4.3.17.orig/Src/exec.c
++++ zsh-4.3.17/Src/exec.c
+@@ -3080,7 +3080,7 @@ execcmd(Estate state, int input, int out
+ fil = dup(fd);
+ }
+ if (fil == -1) {
+- char fdstr[4];
++ char fdstr[DIGBUFSIZE];
+
+ closemnodes(mfds);
+ fixfds(save);
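Review bot: `DIGBUFSIZE` (defined in zsh.h, not shown here) is, as far as I recall, sized for a `zlong` in decimal, so the enlarged `fdstr` fits any `int` that the later `sprintf` into it (below the hunk, inferred from upstream) can produce, but the write itself stays unbounded; `snprintf(fdstr, sizeof fdstr, "%d", fd);` would make the fix self-evidently safe to the next reader. A one-line regression check for the LTS announcement would be `zsh -c 'echo x >& 1234567'`, which must report the bad descriptor rather than crash. `execcmd` begins and ends outside the quoted context.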
diff -Nru zsh-4.3.17/debian/patches/CVE-2014-10072.patch zsh-4.3.17/debian/patches/CVE-2014-10072.patch
--- zsh-4.3.17/debian/patches/CVE-2014-10072.patch 1970-01-01 05:30:00.000000000 +0530
+++ zsh-4.3.17/debian/patches/CVE-2014-10072.patch 2018-03-05 19:41:00.000000000 +0530
@@ -0,0 +1,85 @@
+Description: Fix CVE-2014-10072
+ In utils.c in zsh before 5.0.6, there is a buffer overflow when scanning very
+ long directory paths for symbolic links.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://sourceforge.net/p/zsh/code/ci/3e06aeabd8a9e8384ebaa8b08996cd1f64737210
+Last-Update: 2018-03-04
+
+Index: zsh-4.3.17/Src/utils.c
+===================================================================
+--- zsh-4.3.17.orig/Src/utils.c
++++ zsh-4.3.17/Src/utils.c
+@@ -721,32 +721,37 @@ xsymlinks(char *s)
+ char **pp, **opp;
+ char xbuf2[PATH_MAX*2], xbuf3[PATH_MAX*2];
+ int t0, ret = 0;
++ zulong xbuflen = strlen(xbuf);
+
+ opp = pp = slashsplit(s);
+- for (; *pp; pp++) {
+- if (!strcmp(*pp, ".")) {
+- zsfree(*pp);
++ for (; xbuflen < sizeof(xbuf) && *pp; pp++) {
++ if (!strcmp(*pp, "."))
+ continue;
+- }
++
+ if (!strcmp(*pp, "..")) {
+ char *p;
+
+- zsfree(*pp);
+ if (!strcmp(xbuf, "/"))
+ continue;
+ if (!*xbuf)
+ continue;
+- p = xbuf + strlen(xbuf);
+- while (*--p != '/');
++ p = xbuf + xbuflen;
++ while (*--p != '/')
++ xbuflen--;
+ *p = '\0';
+ continue;
+ }
+ sprintf(xbuf2, "%s/%s", xbuf, *pp);
+ t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);
+ if (t0 == -1) {
+- strcat(xbuf, "/");
+- strcat(xbuf, *pp);
+- zsfree(*pp);
++ zulong pplen = strlen(*pp) + 1;
++ if ((xbuflen += pplen) < sizeof(xbuf)) {
++ strcat(xbuf, "/");
++ strcat(xbuf, *pp);
++ } else {
++ *xbuf = 0;
++ break;
++ }
+ } else {
+ ret = 1;
+ metafy(xbuf3, t0, META_NOALLOC);
+@@ -755,10 +760,9 @@ xsymlinks(char *s)
+ xsymlinks(xbuf3 + 1);
+ } else
+ xsymlinks(xbuf3);
+- zsfree(*pp);
+- }
++ }
+ }
+- free(opp);
++ freearray(opp);
+ return ret;
+ }
+
+@@ -775,8 +779,10 @@ xsymlink(char *s)
+ return NULL;
+ *xbuf = '\0';
+ xsymlinks(s + 1);
+- if (!*xbuf)
++ if (!*xbuf) {
++ zwarn("path expansion failed, using root directory");
+ return ztrdup("/");
++ }
+ return ztrdup(xbuf);
+ }
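Review bot: The `..` branch leaves `xbuflen` one too large: `while (*--p != '/') xbuflen--;` decrements once per non-slash character but not for the slash that `*p = '\0'` then removes, so after `/a/bc` followed by `..` xbuf is `/a` while xbuflen is 3. The error is conservative (the later `(xbuflen += pplen) < sizeof(xbuf)` check fails early rather than late), so it is not an overflow, but it makes `xsymlink` fall back to `/` with the new warning for paths that would still fit; adding `xbuflen--;` after `*p = '\0';` keeps the count in sync. Note also that the recursive `xsymlinks(xbuf3 + 1)` / `xsymlinks(xbuf3)` calls at the bottom rewrite the global `xbuf` without the caller refreshing `xbuflen`, which the later CVE-2017-18206 bounds check relies on.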
+
diff -Nru zsh-4.3.17/debian/patches/CVE-2016-10714.patch zsh-4.3.17/debian/patches/CVE-2016-10714.patch
--- zsh-4.3.17/debian/patches/CVE-2016-10714.patch 1970-01-01 05:30:00.000000000 +0530
+++ zsh-4.3.17/debian/patches/CVE-2016-10714.patch 2018-03-05 21:19:34.000000000 +0530
@@ -0,0 +1,216 @@
+Description: Fix CVE-2016-10714
+ n zsh before 5.3, an off-by-one error resulted in undersized buffers that were
+ intended to support PATH_MAX characters.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://sourceforge.net/p/zsh/code/ci/a62e1640bcafbb82d86ea8d8ce057a83c4683d60
+Last-Update: 2018-03-05
+
+Index: zsh-4.3.17/Src/Zle/compctl.c
+===================================================================
+--- zsh-4.3.17.orig/Src/Zle/compctl.c
++++ zsh-4.3.17/Src/Zle/compctl.c
+@@ -2136,7 +2136,7 @@ gen_matches_files(int dirs, int execs, i
+ {
+ DIR *d;
+ struct stat buf;
+- char *n, p[PATH_MAX], *q = NULL, *e, *pathpref;
++ char *n, p[PATH_MAX+1], *q = NULL, *e, *pathpref;
+ LinkList l = NULL;
+ int ns = 0, ng = opts[NULLGLOB], test, aw = addwhat, pathpreflen;
+
+Index: zsh-4.3.17/Src/builtin.c
+===================================================================
+--- zsh-4.3.17.orig/Src/builtin.c
++++ zsh-4.3.17/Src/builtin.c
+@@ -936,7 +936,7 @@ cd_do_chdir(char *cnam, char *dest, int
+ * Normalize path under Cygwin to avoid messing with
+ * DOS style names with drives in them
+ */
+- static char buf[PATH_MAX];
++ static char buf[PATH_MAX+1];
+ #ifndef _SYS_CYGWIN_H
+ void cygwin_conv_to_posix_path(const char *, char *);
+ #endif
+Index: zsh-4.3.17/Src/compat.c
+===================================================================
+--- zsh-4.3.17.orig/Src/compat.c
++++ zsh-4.3.17/Src/compat.c
+@@ -270,7 +270,7 @@ zgetdir(struct dirsav *d)
+ int len;
+ #endif
+
+- buf = zhalloc(bufsiz = PATH_MAX);
++ buf = zhalloc(bufsiz = PATH_MAX+1);
+ pos = bufsiz - 1;
+ buf[pos] = '\0';
+ strcpy(nbuf, "../");
+@@ -439,7 +439,7 @@ zgetcwd(void)
+ free(cwd);
+ }
+ #else
+- char *cwdbuf = zalloc(PATH_MAX);
++ char *cwdbuf = zalloc(PATH_MAX+1);
+ ret = getcwd(cwdbuf, PATH_MAX);
+ if (ret)
+ ret = dupstring(ret);
+Index: zsh-4.3.17/Src/exec.c
+===================================================================
+--- zsh-4.3.17.orig/Src/exec.c
++++ zsh-4.3.17/Src/exec.c
+@@ -424,7 +424,7 @@ static int
+ zexecve(char *pth, char **argv, char **newenvp)
+ {
+ int eno;
+- static char buf[PATH_MAX * 2];
++ static char buf[PATH_MAX * 2+1];
+ char **eep;
+
+ unmetafy(pth, NULL);
+@@ -560,7 +560,7 @@ static void
+ execute(LinkList args, int flags, int defpath)
+ {
+ Cmdnam cn;
+- char buf[MAXCMDLEN], buf2[MAXCMDLEN];
++ char buf[MAXCMDLEN+1], buf2[MAXCMDLEN+1];
+ char *s, *z, *arg0;
+ char **argv, **pp, **newenvp = NULL;
+ int eno = 0, ee;
+@@ -641,7 +641,7 @@ execute(LinkList args, int flags, int de
+
+ /* for command -p, search the default path */
+ if (defpath) {
+- char *s, pbuf[PATH_MAX];
++ char *s, pbuf[PATH_MAX+1];
+ char *dptr, *pe, *ps = DEFAULT_PATH;
+
+ for(;ps;ps = pe ? pe+1 : NULL) {
+@@ -678,7 +678,7 @@ execute(LinkList args, int flags, int de
+ } else {
+
+ if ((cn = (Cmdnam) cmdnamtab->getnode(cmdnamtab, arg0))) {
+- char nn[PATH_MAX], *dptr;
++ char nn[PATH_MAX+1], *dptr;
+
+ if (cn->node.flags & HASHED)
+ strcpy(nn, cn->u.cmd);
+@@ -763,7 +763,7 @@ findcmd(char *arg0, int docopy)
+ break;
+ }
+ if (cn) {
+- char nn[PATH_MAX];
++ char nn[PATH_MAX+1];
+
+ if (cn->node.flags & HASHED)
+ strcpy(nn, cn->u.cmd);
+@@ -844,7 +844,7 @@ mod_export Cmdnam
+ hashcmd(char *arg0, char **pp)
+ {
+ Cmdnam cn;
+- char *s, buf[PATH_MAX];
++ char *s, buf[PATH_MAX+1];
+ char **pq;
+
+ for (; *pp; pp++)
+@@ -4729,7 +4729,7 @@ runshfunc(Eprog prog, FuncWrap wrap, cha
+ Eprog
+ getfpfunc(char *s, int *ksh, char **fname)
+ {
+- char **pp, buf[PATH_MAX];
++ char **pp, buf[PATH_MAX+1];
+ off_t len;
+ off_t rlen;
+ char *d;
+@@ -4857,7 +4857,7 @@ cancd(char *s)
+ char *t;
+
+ if (*s != '/') {
+- char sbuf[PATH_MAX], **cp;
++ char sbuf[PATH_MAX+1], **cp;
+
+ if (cancd2(s))
+ return s;
+Index: zsh-4.3.17/Src/glob.c
+===================================================================
+--- zsh-4.3.17.orig/Src/glob.c
++++ zsh-4.3.17/Src/glob.c
+@@ -267,7 +267,7 @@ addpath(char *s, int l)
+ static int
+ statfullpath(const char *s, struct stat *st, int l)
+ {
+- char buf[PATH_MAX];
++ char buf[PATH_MAX+1];
+
+ DPUTS(strlen(s) + !*s + pathpos - pathbufcwd >= PATH_MAX,
+ "BUG: statfullpath(): pathname too long");
+@@ -771,7 +771,7 @@ parsepat(char *str)
+
+ /* Now there is no (#X) in front, we can check the path. */
+ if (!pathbuf)
+- pathbuf = zalloc(pathbufsz = PATH_MAX);
++ pathbuf = zalloc(pathbufsz = PATH_MAX+1);
+ DPUTS(pathbufcwd, "BUG: glob changed directory");
+ if (*str == '/') { /* pattern has absolute path */
+ str++;
+Index: zsh-4.3.17/Src/hist.c
+===================================================================
+--- zsh-4.3.17.orig/Src/hist.c
++++ zsh-4.3.17/Src/hist.c
+@@ -1621,7 +1621,7 @@ chrealpath(char **junkptr)
+ char *lastpos, *nonreal, *real;
+ #else
+ # ifdef HAVE_REALPATH
+- char *lastpos, *nonreal, real[PATH_MAX];
++ char *lastpos, *nonreal, real[PATH_MAX+1];
+ # endif
+ #endif
+
+Index: zsh-4.3.17/Src/utils.c
+===================================================================
+--- zsh-4.3.17.orig/Src/utils.c
++++ zsh-4.3.17/Src/utils.c
+@@ -679,7 +679,7 @@ ispwd(char *s)
+ return 0;
+ }
+
+-static char xbuf[PATH_MAX*2];
++static char xbuf[PATH_MAX*2+1];
+
+ /**/
+ static char **
+@@ -719,7 +719,7 @@ static int
+ xsymlinks(char *s)
+ {
+ char **pp, **opp;
+- char xbuf2[PATH_MAX*2], xbuf3[PATH_MAX*2];
++ char xbuf2[PATH_MAX*2+1], xbuf3[PATH_MAX*2+1];
+ int t0, ret = 0;
+ zulong xbuflen = strlen(xbuf);
+
+@@ -913,7 +913,7 @@ finddir(char *s)
+ if(homenode.diff==1)
+ homenode.diff = 0;
+ if(!finddir_full)
+- finddir_full = zalloc(ffsz = PATH_MAX);
++ finddir_full = zalloc(ffsz = PATH_MAX+1);
+ finddir_full[0] = 0;
+ return finddir_last = NULL;
+ }
+@@ -1401,7 +1401,7 @@ checkmailpath(char **s)
+ } else if (S_ISDIR(st.st_mode)) {
+ LinkList l;
+ DIR *lock = opendir(unmeta(*s));
+- char buf[PATH_MAX * 2], **arr, **ap;
++ char buf[PATH_MAX * 2 + 1], **arr, **ap;
+ int ct = 1;
+
+ if (lock) {
+@@ -5774,7 +5774,7 @@ strsfx(char *s, char *t)
+ static int
+ upchdir(int n)
+ {
+- char buf[PATH_MAX];
++ char buf[PATH_MAX+1];
+ char *s;
+ int err = -1;
+
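Review bot: The `DPUTS` guard in `statfullpath` still fires at `>= PATH_MAX` even though `buf` now holds PATH_MAX characters plus the terminator, so if the assertion is meant to mirror the buffer it asserts one character early in debug builds and should read `... > PATH_MAX`; if it is meant as the documented limit instead, a one-line comment saying so would stop the next reader from "fixing" it. Likewise `getcwd(cwdbuf, PATH_MAX)` in `zgetcwd` does not pass the enlarged size, so the extra byte is never usable there; `getcwd(cwdbuf, PATH_MAX+1)` would match the allocation. The patch header also reads `n zsh before 5.3`; the leading `I` is missing.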
diff -Nru zsh-4.3.17/debian/patches/CVE-2017-18206.patch zsh-4.3.17/debian/patches/CVE-2017-18206.patch
--- zsh-4.3.17/debian/patches/CVE-2017-18206.patch 1970-01-01 05:30:00.000000000 +0530
+++ zsh-4.3.17/debian/patches/CVE-2017-18206.patch 2018-03-05 21:20:03.000000000 +0530
@@ -0,0 +1,39 @@
+Description: Fix CVE-2017-18206
+ In utils.c in zsh before 5.4, symlink expansion had a buffer overflow.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://sourceforge.net/p/zsh/code/ci/c7a9cf465dd620ef48d586026944d9bd7a0d5d6d
+Last-Update: 2018-03-05
+
+--- zsh-4.3.17.orig/Src/utils.c
++++ zsh-4.3.17/Src/utils.c
+@@ -721,7 +721,7 @@ xsymlinks(char *s)
+ char **pp, **opp;
+ char xbuf2[PATH_MAX*2+1], xbuf3[PATH_MAX*2+1];
+ int t0, ret = 0;
+- zulong xbuflen = strlen(xbuf);
++ zulong xbuflen = strlen(xbuf), pplen;
+
+ opp = pp = slashsplit(s);
+ for (; xbuflen < sizeof(xbuf) && *pp; pp++) {
+@@ -741,10 +741,18 @@ xsymlinks(char *s)
+ *p = '\0';
+ continue;
+ }
+- sprintf(xbuf2, "%s/%s", xbuf, *pp);
++ /* Includes null byte. */
++ pplen = strlen(*pp) + 1;
++ if (xbuflen + pplen + 1 > sizeof(xbuf2)) {
++ *xbuf = 0;
++ ret = -1;
++ break;
++ }
++ memcpy(xbuf2, xbuf, xbuflen);
++ xbuf2[xbuflen] = '/';
++ memcpy(xbuf2 + xbuflen + 1, *pp, pplen);
+ t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);
+ if (t0 == -1) {
+- zulong pplen = strlen(*pp) + 1;
+ if ((xbuflen += pplen) < sizeof(xbuf)) {
+ strcat(xbuf, "/");
+ strcat(xbuf, *pp);
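Review bot: The new bounds check `xbuflen + pplen + 1 > sizeof(xbuf2)` trusts `xbuflen`, but after the recursive `xsymlinks(xbuf3 + 1)` / `xsymlinks(xbuf3)` calls further down the function (outside this hunk, visible in the CVE-2014-10072 patch) the global `xbuf` has been rewritten and the caller's `xbuflen` is not refreshed, so on the next iteration the memcpy length and the `strcat` guard can disagree with the real string, and when the stale value is too small `strcat(xbuf, *pp)` can still run past `xbuf`. Refreshing after each recursive call, `xbuflen = strlen(xbuf);`, and propagating a `-1` return from the inner call keeps the checks honest; I believe upstream's current utils.c does both, so confirm against it before shipping. Also `ret = -1` is only observed by `xsymlink` through `*xbuf == 0`; nested callers ignore it, so the `break` in an inner call does not stop the outer loop.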
diff -Nru zsh-4.3.17/debian/patches/series zsh-4.3.17/debian/patches/series
--- zsh-4.3.17/debian/patches/series 2012-02-28 04:21:40.000000000 +0530
+++ zsh-4.3.17/debian/patches/series 2018-03-05 21:20:28.000000000 +0530
@@ -1,2 +1,7 @@
deb_0000_at_configure.diff
deb_0001_at_config_h_in.diff
+CVE-2014-10070.patch
+CVE-2014-10071.patch
+CVE-2014-10072.patch
+CVE-2016-10714.patch
+CVE-2017-18206.patch