Hi. On Thursday 01 March 2018 04:20 AM, Axel Beckert wrote:
[..] > I do not demand to test the package, but I offer to do so. I actually > feel a little bit obliged towards the LTS team to do at least that. > :-) > > So feel free to contact me (or the pkg-zsh-devel list) once a package > is available for testing. > I prepared an update[1] for zsh. The debdiff is attached to this mail. It would be great if you could do some testing. [..] > Regards, Axel > Thanks -abhijith wearing Debian LTS member hat. [1] https://mentors.debian.net/debian/pool/main/z/zsh/zsh_4.3.17-1+deb7u1.dsc build: http://159.65.202.84/
diff -Nru zsh-4.3.17/debian/changelog zsh-4.3.17/debian/changelog
--- zsh-4.3.17/debian/changelog 2012-02-29 05:05:54.000000000 +0530
+++ zsh-4.3.17/debian/changelog 2018-03-05 21:34:11.000000000 +0530
@@ -1,3 +1,18 @@
+zsh (4.3.17-1+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * Fix CVE-2014-10070: privilege-elevation contexts when the
+ environment has not been properly sanitized
+ * Fix CVE-2014-10071: buffer overflow for very long fds in the
+ ">& fd" syntax in exec.c
+ * Fix CVE-2014-10072: buffer overflow when scanning very long
+ directory paths for symbolic links
+ * Fix CVE-2016-10714: off-by-one error resulted in undersized buffers
+ that were intended to support PATH_MAX
+ * Fix CVE-2017-18206: symlink expansion has buffer overflow
+
+ -- Abhijith PA <abhij...@disroot.org> Mon, 05 Mar 2018 16:04:11 +0000
+
 zsh (4.3.17-1) unstable; urgency=low
 
 * New upstream release
diff -Nru zsh-4.3.17/debian/patches/CVE-2014-10070.patch zsh-4.3.17/debian/patches/CVE-2014-10070.patch
--- zsh-4.3.17/debian/patches/CVE-2014-10070.patch 1970-01-01 05:30:00.000000000 +0530
+++ zsh-4.3.17/debian/patches/CVE-2014-10070.patch 2018-03-05 19:40:59.000000000 +0530
@@ -0,0 +1,105 @@
+Description: Fix CVE-2014-10070
+ Zsh version before 5.0.7 allows evaluation of the initial values of integer
+ variables imported from the environment (instead of treating them as literal
+ numbers). That could allow local privilege escalation, under some specific and
+ atypical conditions where zsh is being invoked in privilege-elevation contexts
+ when the environment has not been properly sanitized, such as when zsh is
+ invoked by sudo on systems where "env_reset" has been disabled
+ .
+ This patch tries to safely import numerical variables from environment.
+Author: Abhijith PA <abhij...@disroot.org>
+Origin: https://sourceforge.net/p/zsh/code/ci/546203a770cec329e73781c3c8ab1078390aee72
+Last-Update: 2018-03-04
+
+--- zsh-4.3.17.orig/Src/params.c
++++ zsh-4.3.17/Src/params.c
+@@ -318,9 +318,12 @@ IPDEF4("ZSH_SUBSHELL", &zsh_subshell),
+ #define IPDEF5(A,B,F) {{NULL,A,PM_INTEGER|PM_SPECIAL},BR((void *)B),GSU(varinteger_gsu),10,0,NULL,NULL,NULL,0}
+ IPDEF5("COLUMNS", &zterm_columns, zlevar_gsu),
+ IPDEF5("LINES", &zterm_lines, zlevar_gsu),
+-IPDEF5("OPTIND", &zoptind, varinteger_gsu),
+ IPDEF5("SHLVL", &shlvl, varinteger_gsu),
+-IPDEF5("TRY_BLOCK_ERROR", &try_errflag, varinteger_gsu),
++
++/* Don't import internal integer status variables.
*/ ++#define IPDEF6(A,B,F) {{NULL,A,PM_INTEGER|PM_SPECIAL|PM_DONTIMPORT},BR((void *)B),GSU(F),10,0,NULL,NULL,NULL,0} ++IPDEF6("OPTIND", &zoptind, varinteger_gsu), ++IPDEF6("TRY_BLOCK_ERROR", &try_errflag, varinteger_gsu), + + #define IPDEF7(A,B) {{NULL,A,PM_SCALAR|PM_SPECIAL},BR((void *)B),GSU(varscalar_gsu),0,0,NULL,NULL,NULL,0} + IPDEF7("OPTARG", &zoptarg), +@@ -733,7 +736,8 @@ createparamtable(void) + if (!idigit(*iname) && isident(iname) && !strchr(iname, '[')) { + if ((!(pm = (Param) paramtab->getnode(paramtab, iname)) || + !(pm->node.flags & PM_DONTIMPORT || pm->node.flags & PM_EXPORTED)) && +- (pm = setsparam(iname, metafy(ivalue, -1, META_DUP)))) { ++ (pm = assignsparam(iname, metafy(ivalue, -1, META_DUP), ++ ASSPM_ENV_IMPORT))) { + pm->node.flags |= PM_EXPORTED; + if (pm->node.flags & PM_SPECIAL) + pm->env = mkenvstr (pm->node.nam, +@@ -2249,6 +2253,13 @@ export_param(Param pm) + mod_export void + setstrvalue(Value v, char *val) + { ++ assignstrvalue(v, val, 0); ++} ++ ++/**/ ++mod_export void ++assignstrvalue(Value v, char *val, int flags) ++{ + if (unset(EXECOPT)) + return; + if (v->pm->node.flags & PM_READONLY) { +@@ -2325,7 +2336,13 @@ setstrvalue(Value v, char *val) + break; + case PM_INTEGER: + if (val) { +- v->pm->gsu.i->setfn(v->pm, mathevali(val)); ++ zlong ival; ++ if (flags & ASSPM_ENV_IMPORT) { ++ char *ptr; ++ ival = zstrtol(val, &ptr, 0); ++ } else ++ ival = mathevali(val); ++ v->pm->gsu.i->setfn(v->pm, ival); + if ((v->pm->node.flags & (PM_LEFT | PM_RIGHT_B | PM_RIGHT_Z)) && + !v->pm->width) + v->pm->width = strlen(val); +@@ -2337,7 +2354,13 @@ setstrvalue(Value v, char *val) + case PM_EFLOAT: + case PM_FFLOAT: + if (val) { +- mnumber mn = matheval(val); ++ mnumber mn; ++ if (flags & ASSPM_ENV_IMPORT) { ++ char *ptr; ++ mn.type = MN_FLOAT; ++ mn.u.d = strtod(val, &ptr); ++ } else ++ mn = matheval(val); + v->pm->gsu.f->setfn(v->pm, (mn.type & MN_FLOAT) ? 
mn.u.d : + (double)mn.u.l); + if ((v->pm->node.flags & (PM_LEFT | PM_RIGHT_B | PM_RIGHT_Z)) && +@@ -2720,7 +2743,7 @@ assignsparam(char *s, char *val, int fla + } + } + +- setstrvalue(v, val); ++ assignstrvalue(v, val, flags); + unqueue_signals(); + return v->pm; + } +--- zsh-4.3.17.orig/Src/zsh.h ++++ zsh-4.3.17/Src/zsh.h +@@ -1726,7 +1726,8 @@ struct paramdef { + */ + enum { + ASSPM_AUGMENT = 1 << 0, +- ASSPM_WARN_CREATE = 1 << 1 ++ ASSPM_WARN_CREATE = 1 << 1, ++ ASSPM_ENV_IMPORT = 1 << 2 + }; + + /* node for named directory hash table (nameddirtab) */ diff -Nru zsh-4.3.17/debian/patches/CVE-2014-10071.patch zsh-4.3.17/debian/patches/CVE-2014-10071.patch --- zsh-4.3.17/debian/patches/CVE-2014-10071.patch 1970-01-01 05:30:00.000000000 +0530 +++ zsh-4.3.17/debian/patches/CVE-2014-10071.patch 2018-03-05 19:40:59.000000000 +0530 @@ -0,0 +1,19 @@ +Description: Fix CVE-2014-10071 + In exec.c in zsh before 5.0.7, there is a buffer overflow for very long fds + in the ">& fd" syntax. + +Author: Abhijith PA <abhij...@disroot.org> +Origin: https://sourceforge.net/p/zsh/code/ci/49a3086bb67575435251c70ee598e2fd406ef055 +Last-Update: 2018-03-04 + +--- zsh-4.3.17.orig/Src/exec.c ++++ zsh-4.3.17/Src/exec.c +@@ -3080,7 +3080,7 @@ execcmd(Estate state, int input, int out + fil = dup(fd); + } + if (fil == -1) { +- char fdstr[4]; ++ char fdstr[DIGBUFSIZE]; + + closemnodes(mfds); + fixfds(save); diff -Nru zsh-4.3.17/debian/patches/CVE-2014-10072.patch zsh-4.3.17/debian/patches/CVE-2014-10072.patch --- zsh-4.3.17/debian/patches/CVE-2014-10072.patch 1970-01-01 05:30:00.000000000 +0530 +++ zsh-4.3.17/debian/patches/CVE-2014-10072.patch 2018-03-05 19:41:00.000000000 +0530 
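Review bot: In the new PM_INTEGER and PM_EFLOAT/PM_FFLOAT arms the end pointer passed to `zstrtol(val, &ptr, 0)` and `strtod(val, &ptr)` is never examined, so an environment value with trailing text is silently cut down to its numeric prefix rather than rejected. That matches the upstream commit named in Origin, so keeping it is reasonable for a backport, but the intent deserves a comment so nobody later "fixes" it back to evaluation; I would put `/* Values from the environment are parsed, never evaluated (CVE-2014-10070); trailing text is deliberately ignored. */` above each `char *ptr;` declaration. Both arms belong to the new `assignstrvalue`, whose remaining body lies outside the hunk.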
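Review bot: `DIGBUFSIZE` is used by the new `char fdstr[DIGBUFSIZE];` declaration but nothing in this patch defines it, so the backport relies on the 4.3.17 headers already providing that macro; the build link in the mail suggests they do, but the Description should say so, e.g. ` DIGBUFSIZE is taken from the existing Src/zsh.h; no new definition is needed.` The write into `fdstr` is outside the hunk, so this review cannot confirm that the macro is sized for the widest value formatted there.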
@@ -0,0 +1,85 @@
+Description: Fix CVE-2014-10072
+ In utils.c in zsh before 5.0.6, there is a buffer overflow when scanning very
+ long directory paths for symbolic links.
+
+Author: Abhijith PA <abhij...@disroot.org>
+Origin: https://sourceforge.net/p/zsh/code/ci/3e06aeabd8a9e8384ebaa8b08996cd1f64737210
+Last-Update: 2018-03-04
+
+Index: zsh-4.3.17/Src/utils.c
+===================================================================
+--- zsh-4.3.17.orig/Src/utils.c
++++ zsh-4.3.17/Src/utils.c
+@@ -721,32 +721,37 @@ xsymlinks(char *s)
+ char **pp, **opp;
+ char xbuf2[PATH_MAX*2], xbuf3[PATH_MAX*2];
+ int t0, ret = 0;
++ zulong xbuflen = strlen(xbuf);
+
+ opp = pp = slashsplit(s);
+- for (; *pp; pp++) {
+- if (!strcmp(*pp, ".")) {
+- zsfree(*pp);
++ for (; xbuflen < sizeof(xbuf) && *pp; pp++) {
++ if (!strcmp(*pp, "."))
+ continue;
+- }
++
+ if (!strcmp(*pp, "..")) {
+ char *p;
+
+- zsfree(*pp);
+ if (!strcmp(xbuf, "/"))
+ continue;
+ if (!*xbuf)
+ continue;
+- p = xbuf + strlen(xbuf);
+- while (*--p != '/');
++ p = xbuf + xbuflen;
++ while (*--p != '/')
++ xbuflen--;
+ *p = '\0';
+ continue;
+ }
+ sprintf(xbuf2, "%s/%s", xbuf, *pp);
+ t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);
+ if (t0 == -1) {
+- strcat(xbuf, "/");
+- strcat(xbuf, *pp);
+- zsfree(*pp);
++ zulong pplen = strlen(*pp) + 1;
++ if ((xbuflen += pplen) < sizeof(xbuf)) {
++ strcat(xbuf, "/");
++ strcat(xbuf, *pp);
++ } else {
++ *xbuf = 0;
++ break;
++ }
+ } else {
+ ret = 1;
+ metafy(xbuf3, t0, META_NOALLOC);
+@@ -755,10 +760,9 @@ xsymlinks(char *s)
+ xsymlinks(xbuf3 + 1);
+ } else
+ xsymlinks(xbuf3);
+- zsfree(*pp);
+- }
++ }
+ }
+- free(opp);
++ freearray(opp);
+ return ret;
+ }
+
+@@ -775,8 +779,10 @@ xsymlink(char *s)
+ return NULL;
+ *xbuf = '\0';
+ xsymlinks(s + 1);
+- if (!*xbuf)
++ if (!*xbuf) {
++ zwarn("path expansion failed, using root directory");
+ return ztrdup("/");
++ }
+ return ztrdup(xbuf);
+ }
+
diff -Nru zsh-4.3.17/debian/patches/CVE-2016-10714.patch
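Review bot: `xbuflen` is not refreshed after the recursive `xsymlinks(xbuf3 + 1)` and `xsymlinks(xbuf3)` calls in the second utils.c hunk, although those calls rewrite the global `xbuf`; the two elided lines before the first call are not visible, but nothing shown after either call resets the length, so the following `(xbuflen += pplen) < sizeof(xbuf)` check can run against a stale value, which is exactly the bound this fix introduces. Adding `xbuflen = strlen(xbuf);` after each of the two recursive calls closes that gap. Separately, in the `..` branch `while (*--p != '/') xbuflen--;` stops on the slash without counting it, so once `*p = '\0'` runs `xbuflen` is one more than `strlen(xbuf)`; that is merely conservative here, but CVE-2017-18206.patch later in this debdiff feeds `xbuflen` into `memcpy(xbuf2, xbuf, xbuflen)` where an exact length matters, so an extra `xbuflen--;` before `*p = '\0';` is worth adding. `xsymlinks` continues outside the shown hunks.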
zsh-4.3.17/debian/patches/CVE-2016-10714.patch
--- zsh-4.3.17/debian/patches/CVE-2016-10714.patch 1970-01-01 05:30:00.000000000 +0530
+++ zsh-4.3.17/debian/patches/CVE-2016-10714.patch 2018-03-05 21:19:34.000000000 +0530
@@ -0,0 +1,216 @@ +Description: Fix CVE-2016-10714 + n zsh before 5.3, an off-by-one error resulted in undersized buffers that were + intended to support PATH_MAX characters. + +Author: Abhijith PA <abhij...@disroot.org> +Origin: https://sourceforge.net/p/zsh/code/ci/a62e1640bcafbb82d86ea8d8ce057a83c4683d60 +Last-Update: 2018-03-05 + +Index: zsh-4.3.17/Src/Zle/compctl.c +=================================================================== +--- zsh-4.3.17.orig/Src/Zle/compctl.c ++++ zsh-4.3.17/Src/Zle/compctl.c +@@ -2136,7 +2136,7 @@ gen_matches_files(int dirs, int execs, i + { + DIR *d; + struct stat buf; +- char *n, p[PATH_MAX], *q = NULL, *e, *pathpref; ++ char *n, p[PATH_MAX+1], *q = NULL, *e, *pathpref; + LinkList l = NULL; + int ns = 0, ng = opts[NULLGLOB], test, aw = addwhat, pathpreflen; + +Index: zsh-4.3.17/Src/builtin.c +=================================================================== +--- zsh-4.3.17.orig/Src/builtin.c ++++ zsh-4.3.17/Src/builtin.c +@@ -936,7 +936,7 @@ cd_do_chdir(char *cnam, char *dest, int + * Normalize path under Cygwin to avoid messing with + * DOS style names with drives in them + */ +- static char buf[PATH_MAX]; ++ static char buf[PATH_MAX+1]; + #ifndef _SYS_CYGWIN_H + void cygwin_conv_to_posix_path(const char *, char *); + #endif +Index: zsh-4.3.17/Src/compat.c +=================================================================== +--- zsh-4.3.17.orig/Src/compat.c ++++ zsh-4.3.17/Src/compat.c +@@ -270,7 +270,7 @@ zgetdir(struct dirsav *d) + int len; + #endif + +- buf = zhalloc(bufsiz = PATH_MAX); ++ buf = zhalloc(bufsiz = PATH_MAX+1); + pos = bufsiz - 1; + buf[pos] = '\0'; + strcpy(nbuf, "../"); +@@ -439,7 +439,7 @@ zgetcwd(void) + free(cwd); + } + #else +- char *cwdbuf = zalloc(PATH_MAX); ++ char *cwdbuf = zalloc(PATH_MAX+1); + ret = getcwd(cwdbuf, PATH_MAX); + if (ret) + ret = dupstring(ret); +Index: zsh-4.3.17/Src/exec.c +=================================================================== +--- zsh-4.3.17.orig/Src/exec.c ++++ 
zsh-4.3.17/Src/exec.c +@@ -424,7 +424,7 @@ static int + zexecve(char *pth, char **argv, char **newenvp) + { + int eno; +- static char buf[PATH_MAX * 2]; ++ static char buf[PATH_MAX * 2+1]; + char **eep; + + unmetafy(pth, NULL); +@@ -560,7 +560,7 @@ static void + execute(LinkList args, int flags, int defpath) + { + Cmdnam cn; +- char buf[MAXCMDLEN], buf2[MAXCMDLEN]; ++ char buf[MAXCMDLEN+1], buf2[MAXCMDLEN+1]; + char *s, *z, *arg0; + char **argv, **pp, **newenvp = NULL; + int eno = 0, ee; +@@ -641,7 +641,7 @@ execute(LinkList args, int flags, int de + + /* for command -p, search the default path */ + if (defpath) { +- char *s, pbuf[PATH_MAX]; ++ char *s, pbuf[PATH_MAX+1]; + char *dptr, *pe, *ps = DEFAULT_PATH; + + for(;ps;ps = pe ? pe+1 : NULL) { +@@ -678,7 +678,7 @@ execute(LinkList args, int flags, int de + } else { + + if ((cn = (Cmdnam) cmdnamtab->getnode(cmdnamtab, arg0))) { +- char nn[PATH_MAX], *dptr; ++ char nn[PATH_MAX+1], *dptr; + + if (cn->node.flags & HASHED) + strcpy(nn, cn->u.cmd); +@@ -763,7 +763,7 @@ findcmd(char *arg0, int docopy) + break; + } + if (cn) { +- char nn[PATH_MAX]; ++ char nn[PATH_MAX+1]; + + if (cn->node.flags & HASHED) + strcpy(nn, cn->u.cmd); +@@ -844,7 +844,7 @@ mod_export Cmdnam + hashcmd(char *arg0, char **pp) + { + Cmdnam cn; +- char *s, buf[PATH_MAX]; ++ char *s, buf[PATH_MAX+1]; + char **pq; + + for (; *pp; pp++) +@@ -4729,7 +4729,7 @@ runshfunc(Eprog prog, FuncWrap wrap, cha + Eprog + getfpfunc(char *s, int *ksh, char **fname) + { +- char **pp, buf[PATH_MAX]; ++ char **pp, buf[PATH_MAX+1]; + off_t len; + off_t rlen; + char *d; +@@ -4857,7 +4857,7 @@ cancd(char *s) + char *t; + + if (*s != '/') { +- char sbuf[PATH_MAX], **cp; ++ char sbuf[PATH_MAX+1], **cp; + + if (cancd2(s)) + return s; +Index: zsh-4.3.17/Src/glob.c +=================================================================== +--- zsh-4.3.17.orig/Src/glob.c ++++ zsh-4.3.17/Src/glob.c +@@ -267,7 +267,7 @@ addpath(char *s, int l) + static int + statfullpath(const char *s, 
struct stat *st, int l) + { +- char buf[PATH_MAX]; ++ char buf[PATH_MAX+1]; + + DPUTS(strlen(s) + !*s + pathpos - pathbufcwd >= PATH_MAX, + "BUG: statfullpath(): pathname too long"); +@@ -771,7 +771,7 @@ parsepat(char *str) + + /* Now there is no (#X) in front, we can check the path. */ + if (!pathbuf) +- pathbuf = zalloc(pathbufsz = PATH_MAX); ++ pathbuf = zalloc(pathbufsz = PATH_MAX+1); + DPUTS(pathbufcwd, "BUG: glob changed directory"); + if (*str == '/') { /* pattern has absolute path */ + str++; +Index: zsh-4.3.17/Src/hist.c +=================================================================== +--- zsh-4.3.17.orig/Src/hist.c ++++ zsh-4.3.17/Src/hist.c +@@ -1621,7 +1621,7 @@ chrealpath(char **junkptr) + char *lastpos, *nonreal, *real; + #else + # ifdef HAVE_REALPATH +- char *lastpos, *nonreal, real[PATH_MAX]; ++ char *lastpos, *nonreal, real[PATH_MAX+1]; + # endif + #endif + +Index: zsh-4.3.17/Src/utils.c +=================================================================== +--- zsh-4.3.17.orig/Src/utils.c ++++ zsh-4.3.17/Src/utils.c +@@ -679,7 +679,7 @@ ispwd(char *s) + return 0; + } + +-static char xbuf[PATH_MAX*2]; ++static char xbuf[PATH_MAX*2+1]; + + /**/ + static char ** +@@ -719,7 +719,7 @@ static int + xsymlinks(char *s) + { + char **pp, **opp; +- char xbuf2[PATH_MAX*2], xbuf3[PATH_MAX*2]; ++ char xbuf2[PATH_MAX*2+1], xbuf3[PATH_MAX*2+1]; + int t0, ret = 0; + zulong xbuflen = strlen(xbuf); + +@@ -913,7 +913,7 @@ finddir(char *s) + if(homenode.diff==1) + homenode.diff = 0; + if(!finddir_full) +- finddir_full = zalloc(ffsz = PATH_MAX); ++ finddir_full = zalloc(ffsz = PATH_MAX+1); + finddir_full[0] = 0; + return finddir_last = NULL; + } +@@ -1401,7 +1401,7 @@ checkmailpath(char **s) + } else if (S_ISDIR(st.st_mode)) { + LinkList l; + DIR *lock = opendir(unmeta(*s)); +- char buf[PATH_MAX * 2], **arr, **ap; ++ char buf[PATH_MAX * 2 + 1], **arr, **ap; + int ct = 1; + + if (lock) { +@@ -5774,7 +5774,7 @@ strsfx(char *s, char *t) + static int + upchdir(int n) + { 
+- char buf[PATH_MAX];
++ char buf[PATH_MAX+1];
+ char *s;
+ int err = -1;
+
diff -Nru zsh-4.3.17/debian/patches/CVE-2017-18206.patch zsh-4.3.17/debian/patches/CVE-2017-18206.patch
--- zsh-4.3.17/debian/patches/CVE-2017-18206.patch 1970-01-01 05:30:00.000000000 +0530
+++ zsh-4.3.17/debian/patches/CVE-2017-18206.patch 2018-03-05 21:20:03.000000000 +0530
@@ -0,0 +1,39 @@
+Description: Fix CVE-2017-18206
+ In utils.c in zsh before 5.4, symlink expansion had a buffer overflow.
+
+Author: Abhijith PA <abhij...@disroot.org>
+Origin: https://sourceforge.net/p/zsh/code/ci/c7a9cf465dd620ef48d586026944d9bd7a0d5d6d
+Last-Update: 2018-03-05
+
+--- zsh-4.3.17.orig/Src/utils.c
++++ zsh-4.3.17/Src/utils.c
+@@ -721,7 +721,7 @@ xsymlinks(char *s)
+ char **pp, **opp;
+ char xbuf2[PATH_MAX*2+1], xbuf3[PATH_MAX*2+1];
+ int t0, ret = 0;
+- zulong xbuflen = strlen(xbuf);
++ zulong xbuflen = strlen(xbuf), pplen;
+
+ opp = pp = slashsplit(s);
+ for (; xbuflen < sizeof(xbuf) && *pp; pp++) {
+@@ -741,10 +741,18 @@ xsymlinks(char *s)
+ *p = '\0';
+ continue;
+ }
+- sprintf(xbuf2, "%s/%s", xbuf, *pp);
++ /* Includes null byte. */
++ pplen = strlen(*pp) + 1;
++ if (xbuflen + pplen + 1 > sizeof(xbuf2)) {
++ *xbuf = 0;
++ ret = -1;
++ break;
++ }
++ memcpy(xbuf2, xbuf, xbuflen);
++ xbuf2[xbuflen] = '/';
++ memcpy(xbuf2 + xbuflen + 1, *pp, pplen);
+ t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);
+ if (t0 == -1) {
+- zulong pplen = strlen(*pp) + 1;
+ if ((xbuflen += pplen) < sizeof(xbuf)) {
+ strcat(xbuf, "/");
+ strcat(xbuf, *pp);
diff -Nru zsh-4.3.17/debian/patches/series zsh-4.3.17/debian/patches/series
--- zsh-4.3.17/debian/patches/series 2012-02-28 04:21:40.000000000 +0530
+++ zsh-4.3.17/debian/patches/series 2018-03-05 21:20:28.000000000 +0530
@@ -1,2 +1,7 @@
 deb_0000_at_configure.diff
 deb_0001_at_config_h_in.diff
+CVE-2014-10070.patch
+CVE-2014-10071.patch
+CVE-2014-10072.patch
+CVE-2016-10714.patch
+CVE-2017-18206.patch
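Review bot: The Description of CVE-2016-10714.patch reads `n zsh before 5.3, an off-by-one error ...` and has lost its leading letter; it should read ` In zsh before 5.3, an off-by-one error ...`. The utils.c hunks of this patch carry `zulong xbuflen = strlen(xbuf);` as context and CVE-2017-18206.patch in turn expects the `PATH_MAX*2+1` sizes introduced here, so the three patches only apply in the order given in debian/patches/series; a one-line remark in the patch header stating that dependency would save the next backporter a failed apply. In compat.c the buffer grows to `zalloc(PATH_MAX+1)` while the `getcwd(cwdbuf, PATH_MAX)` call right below still passes PATH_MAX; that is safe as shown, but if the smaller length is intentional a short comment on it would help.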
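Review bot: The new `ret = -1; break;` failure path is not observed by any caller visible in this debdiff: `xsymlink` (in CVE-2014-10072.patch) only tests `!*xbuf`, and the two recursive `xsymlinks()` calls there discard the return value, so a length failure inside a nested symlink expansion clears `xbuf` and the outer loop then keeps appending components to an empty buffer with its own unchanged `xbuflen`. The recursion sites live in CVE-2014-10072.patch rather than here; checking them, e.g. `if (xsymlinks(xbuf3) < 0) { ret = -1; break; }` for each call, would make the sentinel introduced here effective all the way up to `xsymlink`'s warning. The enclosing `xsymlinks` body continues outside both hunks.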