add security patches for CVE-2018-1071, CVE-2018-1083, CVE-2018-7548

and CVE-2018-7549 from the zsh repo. one pullup less, w00t. :-P

6 files changed, 114 insertions, 2 deletions

diff --git a/shells/zsh/Makefile b/shells/zsh/Makefile
index bd1742fe17a..fc9a36f1a8c 100644
--- a/shells/zsh/Makefile
+++ b/shells/zsh/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.82 2017/12/12 23:57:29 minskim Exp $
+# $NetBSD: Makefile,v 1.83 2018/03/30 20:56:42 spz Exp $
 
 DISTNAME=	zsh-5.4.2
+PKGREVISION=	1
 CATEGORIES=	shells
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=zsh/}
 EXTRACT_SUFX=	.tar.xz
diff --git a/shells/zsh/distinfo b/shells/zsh/distinfo
index 832d7ebe6c0..1a9fc7835da 100644
--- a/shells/zsh/distinfo
+++ b/shells/zsh/distinfo
@@ -1,8 +1,12 @@
-$NetBSD: distinfo,v 1.60 2017/10/13 09:35:19 jperkin Exp $
+$NetBSD: distinfo,v 1.61 2018/03/30 20:56:42 spz Exp $
 
 SHA1 (zsh-5.4.2.tar.xz) = f6f8e699b956c8881444e597b1fc5af41fef456b
 RMD160 (zsh-5.4.2.tar.xz) = 9cc8888760c06757332daa6dfbba4c5235474b5d
 SHA512 (zsh-5.4.2.tar.xz) = 7825e4101905b6bfbd14f00b2f94f512ced5b9820a4f7b24409d266ad2c3c25144edf6aa2629317394055c51312ba57bb01e20c26e2ced1aeb0be0ff1a4d3fbb
 Size (zsh-5.4.2.tar.xz) = 2983492 bytes
+SHA1 (patch-CVE-2018-1071) = 0aa14d3ee127d34ee841f6a3749f5572bfdb3114
+SHA1 (patch-CVE-2018-1083) = 09d6188d1f4e2efc72dfb2a75571a7f1c857a2a7
+SHA1 (patch-CVE-2018-7548) = 85a4aa35c30690908ecb70772cc2553a91c3545c
+SHA1 (patch-CVE-2018-7549) = f94df77c2fe5563af6b88727c04c43d74771105e
 SHA1 (patch-aczsh.m4) = 36c270d8d7cf727f48787ef889b2bd89cbf065e2
 SHA1 (patch-configure.ac) = 87ae3604e09948cd7b360f08031ef9c3f91f0aae
diff --git a/shells/zsh/patches/patch-CVE-2018-1071 b/shells/zsh/patches/patch-CVE-2018-1071
new file mode 100644
index 00000000000..867d46878da
--- /dev/null
+++ b/shells/zsh/patches/patch-CVE-2018-1071
@@ -0,0 +1,32 @@
+$NetBSD: patch-CVE-2018-1071,v 1.1 2018/03/30 20:56:42 spz Exp $
+
+patch for CVE-2018-1071 from
+https://sourceforge.net/p/zsh/code/ci/679b71ec4d852037fe5f73d35bf557b0f406c8d4/
+
+--- Src/exec.c.orig	2017-08-27 19:28:43.000000000 +0000
++++ Src/exec.c	2018-03-30 20:10:46.000000000 +0000
+@@ -920,7 +920,7 @@
+     for (; *pp; pp++)
+ 	if (**pp == '/') {
+ 	    s = buf;
+-	    strucpy(&s, *pp);
++	    struncpy(&s, *pp, PATH_MAX);
+ 	    *s++ = '/';
+ 	    if ((s - buf) + strlen(arg0) >= PATH_MAX)
+ 		continue;
+--- Src/utils.c.orig	2017-08-08 18:02:32.000000000 +0000
++++ Src/utils.c	2018-03-30 20:13:16.000000000 +0000
+@@ -2283,10 +2283,10 @@
+ {
+     char *u = *s;
+ 
+-    while (n--)
+-	*u++ = *t++;
++    while (n-- && (*u++ = *t++));
+     *s = u;
+-    *u = '\0';
++    if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
++        *u = '\0';
+ }
+ 
+ /* Return the number of elements in an array of pointers. *
diff --git a/shells/zsh/patches/patch-CVE-2018-1083 b/shells/zsh/patches/patch-CVE-2018-1083
new file mode 100644
index 00000000000..04ea16b9c71
--- /dev/null
+++ b/shells/zsh/patches/patch-CVE-2018-1083
@@ -0,0 +1,34 @@
+$NetBSD: patch-CVE-2018-1083,v 1.1 2018/03/30 20:56:42 spz Exp $
+
+patch for CVE-2018-1083 from
+https://sourceforge.net/p/zsh/code/ci/259ac472eac291c8c103c7a0d8a4eaf3c2942ed7
+
+--- Src/Zle/compctl.c.orig	2017-06-30 20:36:55.000000000 +0000
++++ Src/Zle/compctl.c	2018-03-30 20:07:25.000000000 +0000
+@@ -2176,6 +2176,8 @@
+     if (prpre && *prpre) {
+ 	pathpref = dupstring(prpre);
+ 	unmetafy(pathpref, &pathpreflen);
++	if (pathpreflen > PATH_MAX)
++	    return;
+ 	/* system needs NULL termination, not provided by unmetafy */
+ 	pathpref[pathpreflen] = '\0';
+     } else {
+@@ -2218,6 +2220,8 @@
+ 		     * the path buffer by appending the filename.       */
+ 		    ums = dupstring(n);
+ 		    unmetafy(ums, &umlen);
++		    if (umlen + pathpreflen + 1 > PATH_MAX)
++			continue;
+ 		    memcpy(q, ums, umlen);
+ 		    q[umlen] = '\0';
+ 		    /* And do the stat. */
+@@ -2232,6 +2236,8 @@
+ 			/* We have to test for a path suffix. */
+ 			int o = strlen(p), tt;
+ 
++			if (o + strlen(psuf) > PATH_MAX)
++			    continue;
+ 			/* Append it to the path buffer. */
+ 			strcpy(p + o, psuf);
+ 
diff --git a/shells/zsh/patches/patch-CVE-2018-7548 b/shells/zsh/patches/patch-CVE-2018-7548
new file mode 100644
index 00000000000..c362bd3fce2
--- /dev/null
+++ b/shells/zsh/patches/patch-CVE-2018-7548
@@ -0,0 +1,16 @@
+$NetBSD: patch-CVE-2018-7548,v 1.1 2018/03/30 20:56:42 spz Exp $
+
+patch for CVE-2018-7548 from
+https://sourceforge.net/p/zsh/code/ci/110b13e1090bc31ac1352b28adc2d02b6d25a102
+
+--- Src/subst.c.orig	2017-04-04 17:51:28.000000000 +0000
++++ Src/subst.c	2018-03-30 19:48:41.000000000 +0000
+@@ -2340,7 +2340,7 @@
+ 		val = aval[0];
+ 		isarr = 0;
+ 	    }
+-	    s = dyncat(val, s);
++	    s = val ? dyncat(val, s) : dupstring(s);
+ 	    /* Now behave po-faced as if it was always like that... */
+ 	    subexp = 0;
+ 	    /*
diff --git a/shells/zsh/patches/patch-CVE-2018-7549 b/shells/zsh/patches/patch-CVE-2018-7549
new file mode 100644
index 00000000000..9fb62c4a1d5
--- /dev/null
+++ b/shells/zsh/patches/patch-CVE-2018-7549
@@ -0,0 +1,25 @@
+$NetBSD: patch-CVE-2018-7549,v 1.1 2018/03/30 20:56:42 spz Exp $
+
+fix for CVE-2018-7549 from
+https://sourceforge.net/p/zsh/code/ci/c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd
+
+--- Src/params.c.orig	2017-06-11 19:34:06.000000000 +0000
++++ Src/params.c	2018-03-30 19:57:36.000000000 +0000
+@@ -535,10 +535,13 @@
+ HashTable
+ copyparamtable(HashTable ht, char *name)
+ {
+-    HashTable nht = newparamtable(ht->hsize, name);
+-    outtable = nht;
+-    scanhashtable(ht, 0, 0, 0, scancopyparams, 0);
+-    outtable = NULL;
++    HashTable nht = 0;
++    if (ht) {
++        nht = newparamtable(ht->hsize, name);
++        outtable = nht;
++        scanhashtable(ht, 0, 0, 0, scancopyparams, 0);
++        outtable = NULL;
++    }
+     return nht;
+ }
+