diff options
| author | V3n3RiX <venerix@redcorelinux.org> | 2019-03-19 11:37:34 +0000 |
|---|---|---|
| committer | V3n3RiX <venerix@redcorelinux.org> | 2019-03-19 11:37:34 +0000 |
| commit | b7b97785ebbb2f11d24d14dab8b81ed274f4ce6a (patch) | |
| tree | 9fd110f9fc996e8a4213eeda994a8c112491b86d /metadata/glsa/glsa-201903-02.xml | |
| parent | 066d27181e9a797ad9f8fc43b49fc9a10ff2f707 (diff) | |
gentoo resync : 19.03.2019
Diffstat (limited to 'metadata/glsa/glsa-201903-02.xml')
| -rw-r--r-- | metadata/glsa/glsa-201903-02.xml | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-201903-02.xml b/metadata/glsa/glsa-201903-02.xml new file mode 100644 index 000000000000..11ae0246fe90 --- /dev/null +++ b/metadata/glsa/glsa-201903-02.xml @@ -0,0 +1,62 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201903-02"> + <title>Zsh: User-assisted execution of arbitrary code</title> + <synopsis>Input validation errors in Zsh could result in arbitrary code + execution. + </synopsis> + <product type="ebuild">zsh</product> + <announced>2019-03-10</announced> + <revised count="1">2019-03-10</revised> + <bug>665278</bug> + <access>local, remote</access> + <affected> + <package name="app-shells/zsh" auto="yes" arch="*"> + <unaffected range="ge">5.6</unaffected> + <vulnerable range="lt">5.6</vulnerable> + </package> + </affected> + <background> + <p>A shell designed for interactive use, although it is also a powerful + scripting language. + </p> + </background> + <description> + <p>Two input validation errors have been discovered in how Zsh parses + scripts: + </p> + + <ul> + <li>Parsing a malformed shebang line could cause Zsh to call a program + listed in the second line (CVE-2018-0502) + </li> + <li>Shebang lines longer than 64 characters are truncated + (CVE-2018-13259) + </li> + </ul> + </description> + <impact type="normal"> + <p>An attacker could entice a user to execute a specially crafted script + using Zsh, possibly resulting in execution of arbitrary code with the + privileges of the process. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Zsh users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-shells/zsh-5.6" + </code> + + </resolution> + <references> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-0502">CVE-2018-0502</uri> + <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-13259">CVE-2018-13259</uri> + </references> + <metadata tag="requester" timestamp="2018-12-31T07:32:39Z">Zlogene</metadata> + <metadata tag="submitter" timestamp="2019-03-10T02:21:31Z">ackle</metadata> +</glsa> |