SUSE-SU-2018:1072-1
- Source
- https://www.suse.com/support/update/announcement/2018/suse-su-20181072-1/
- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2018:1072-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/SUSE-SU-2018:1072-1
- Related
- Published
- 2018-04-25T12:15:43Z
- Modified
- 2018-04-25T12:15:43Z
- Summary
- Security update for zsh
- Details
-
This update for zsh fixes the following issues:
CVE-2014-10070: environment variable injection could lead to local privilege escalation (bnc#1082885)
CVE-2014-10071: buffer overflow in exec.c could lead to denial of service. (bnc#1082977)
CVE-2014-10072: buffer overflow In utils.c when scanning very long directory paths for symbolic links. (bnc#1082975)
CVE-2016-10714: In zsh before 5.3, an off-by-one error resulted in undersized buffers that were intended to support PATH_MAX characters. (bnc#1083250)
CVE-2017-18205: In builtin.c when sh compatibility mode is used, a NULL pointer dereference could lead to denial of service (bnc#1082998)
CVE-2018-1071: exec.c:hashcmd() function vulnerability could lead to denial of service. (bnc#1084656)
CVE-2018-1083: Autocomplete vulnerability could lead to privilege escalation. (bnc#1087026)
CVE-2018-7549: In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, as demonstrated by typeset -p. (bnc#1082991)
CVE-2017-18206: buffer overrun in xsymlinks could lead to denial of service (bnc#1083002)
Autocomplete and REPORTTIME broken (bsc#896914)
- References
-
- https://www.suse.com/support/update/announcement/2018/suse-su-20181072-1/
- https://bugzilla.suse.com/1082885
- https://bugzilla.suse.com/1082975
- https://bugzilla.suse.com/1082977
- https://bugzilla.suse.com/1082991
- https://bugzilla.suse.com/1082998
- https://bugzilla.suse.com/1083002
- https://bugzilla.suse.com/1083250
- https://bugzilla.suse.com/1084656
- https://bugzilla.suse.com/1087026
- https://bugzilla.suse.com/896914
- https://www.suse.com/security/cve/CVE-2014-10070
- https://www.suse.com/security/cve/CVE-2014-10071
- https://www.suse.com/security/cve/CVE-2014-10072
- https://www.suse.com/security/cve/CVE-2016-10714
- https://www.suse.com/security/cve/CVE-2017-18205
- https://www.suse.com/security/cve/CVE-2017-18206
- https://www.suse.com/security/cve/CVE-2018-1071
- https://www.suse.com/security/cve/CVE-2018-1083
- https://www.suse.com/security/cve/CVE-2018-7549
Affected packages
SUSE:Linux Enterprise Desktop 12 SP3 / zsh
Package
- Name
- zsh
- Purl
- pkg:rpm/suse/zsh&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3
SUSE:Linux Enterprise Server 12 SP3 / zsh
Package
- Name
- zsh
- Purl
- pkg:rpm/suse/zsh&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3