From c17b242f777aed92f3fea6ca8dc6b0fec9b21200 Mon Sep 17 00:00:00 2001 From: spz Date: Fri, 30 Mar 2018 20:56:42 +0000 Subject: add security patches for CVE-2018-1071, CVE-2018-1083, CVE-2018-7548 and CVE-2018-7549 from the zsh repo. one pullup less, w00t. :-P --- shells/zsh/Makefile | 3 ++- shells/zsh/distinfo | 6 +++++- shells/zsh/patches/patch-CVE-2018-1071 | 32 ++++++++++++++++++++++++++++++++ shells/zsh/patches/patch-CVE-2018-1083 | 34 ++++++++++++++++++++++++++++++++++ shells/zsh/patches/patch-CVE-2018-7548 | 16 ++++++++++++++++ shells/zsh/patches/patch-CVE-2018-7549 | 25 +++++++++++++++++++++++++ 6 files changed, 114 insertions(+), 2 deletions(-) create mode 100644 shells/zsh/patches/patch-CVE-2018-1071 create mode 100644 shells/zsh/patches/patch-CVE-2018-1083 create mode 100644 shells/zsh/patches/patch-CVE-2018-7548 create mode 100644 shells/zsh/patches/patch-CVE-2018-7549 (limited to 'shells') diff --git a/shells/zsh/Makefile b/shells/zsh/Makefile index bd1742fe17a..fc9a36f1a8c 100644 --- a/shells/zsh/Makefile +++ b/shells/zsh/Makefile @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.82 2017/12/12 23:57:29 minskim Exp $ +# $NetBSD: Makefile,v 1.83 2018/03/30 20:56:42 spz Exp $ DISTNAME= zsh-5.4.2 +PKGREVISION= 1 CATEGORIES= shells MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=zsh/} EXTRACT_SUFX= .tar.xz diff --git a/shells/zsh/distinfo b/shells/zsh/distinfo index 832d7ebe6c0..1a9fc7835da 100644 --- a/shells/zsh/distinfo +++ b/shells/zsh/distinfo @@ -1,8 +1,12 @@ -$NetBSD: distinfo,v 1.60 2017/10/13 09:35:19 jperkin Exp $ +$NetBSD: distinfo,v 1.61 2018/03/30 20:56:42 spz Exp $ SHA1 (zsh-5.4.2.tar.xz) = f6f8e699b956c8881444e597b1fc5af41fef456b RMD160 (zsh-5.4.2.tar.xz) = 9cc8888760c06757332daa6dfbba4c5235474b5d SHA512 (zsh-5.4.2.tar.xz) = 7825e4101905b6bfbd14f00b2f94f512ced5b9820a4f7b24409d266ad2c3c25144edf6aa2629317394055c51312ba57bb01e20c26e2ced1aeb0be0ff1a4d3fbb Size (zsh-5.4.2.tar.xz) = 2983492 bytes +SHA1 (patch-CVE-2018-1071) = 0aa14d3ee127d34ee841f6a3749f5572bfdb3114 +SHA1 (patch-CVE-2018-1083) = 09d6188d1f4e2efc72dfb2a75571a7f1c857a2a7 +SHA1 (patch-CVE-2018-7548) = 85a4aa35c30690908ecb70772cc2553a91c3545c +SHA1 (patch-CVE-2018-7549) = f94df77c2fe5563af6b88727c04c43d74771105e SHA1 (patch-aczsh.m4) = 36c270d8d7cf727f48787ef889b2bd89cbf065e2 SHA1 (patch-configure.ac) = 87ae3604e09948cd7b360f08031ef9c3f91f0aae diff --git a/shells/zsh/patches/patch-CVE-2018-1071 b/shells/zsh/patches/patch-CVE-2018-1071 new file mode 100644 index 00000000000..867d46878da --- /dev/null +++ b/shells/zsh/patches/patch-CVE-2018-1071 @@ -0,0 +1,32 @@ +$NetBSD: patch-CVE-2018-1071,v 1.1 2018/03/30 20:56:42 spz Exp $ + +patch for CVE-2018-1071 from +https://sourceforge.net/p/zsh/code/ci/679b71ec4d852037fe5f73d35bf557b0f406c8d4/ + +--- Src/exec.c.orig 2017-08-27 19:28:43.000000000 +0000 ++++ Src/exec.c 2018-03-30 20:10:46.000000000 +0000 +@@ -920,7 +920,7 @@ + for (; *pp; pp++) + if (**pp == '/') { + s = buf; +- strucpy(&s, *pp); ++ struncpy(&s, *pp, PATH_MAX); + *s++ = '/'; + if ((s - buf) + strlen(arg0) >= PATH_MAX) + continue; +--- Src/utils.c.orig 2017-08-08 18:02:32.000000000 +0000 ++++ Src/utils.c 2018-03-30 20:13:16.000000000 +0000 +@@ -2283,10 +2283,10 @@ + { + char *u = *s; + +- while (n--) +- *u++ = *t++; ++ while (n-- && (*u++ = *t++)); + *s = u; +- *u = '\0'; ++ if (n > 0) /* just one null-byte will do, unlike strncpy(3) */ ++ *u = '\0'; + } + + /* Return the number of elements in an array of pointers. * diff --git a/shells/zsh/patches/patch-CVE-2018-1083 b/shells/zsh/patches/patch-CVE-2018-1083 new file mode 100644 index 00000000000..04ea16b9c71 --- /dev/null +++ b/shells/zsh/patches/patch-CVE-2018-1083 @@ -0,0 +1,34 @@ +$NetBSD: patch-CVE-2018-1083,v 1.1 2018/03/30 20:56:42 spz Exp $ + +patch for CVE-2018-1083 from +https://sourceforge.net/p/zsh/code/ci/259ac472eac291c8c103c7a0d8a4eaf3c2942ed7 + +--- Src/Zle/compctl.c.orig 2017-06-30 20:36:55.000000000 +0000 ++++ Src/Zle/compctl.c 2018-03-30 20:07:25.000000000 +0000 +@@ -2176,6 +2176,8 @@ + if (prpre && *prpre) { + pathpref = dupstring(prpre); + unmetafy(pathpref, &pathpreflen); ++ if (pathpreflen > PATH_MAX) ++ return; + /* system needs NULL termination, not provided by unmetafy */ + pathpref[pathpreflen] = '\0'; + } else { +@@ -2218,6 +2220,8 @@ + * the path buffer by appending the filename. */ + ums = dupstring(n); + unmetafy(ums, ¨en); ++ if (umlen + pathpreflen + 1 > PATH_MAX) ++ continue; + memcpy(q, ums, umlen); + q[umlen] = '\0'; + /* And do the stat. */ +@@ -2232,6 +2236,8 @@ + /* We have to test for a path suffix. */ + int o = strlen(p), tt; + ++ if (o + strlen(psuf) > PATH_MAX) ++ continue; + /* Append it to the path buffer. */ + strcpy(p + o, psuf); + diff --git a/shells/zsh/patches/patch-CVE-2018-7548 b/shells/zsh/patches/patch-CVE-2018-7548 new file mode 100644 index 00000000000..c362bd3fce2 --- /dev/null +++ b/shells/zsh/patches/patch-CVE-2018-7548 @@ -0,0 +1,16 @@ +$NetBSD: patch-CVE-2018-7548,v 1.1 2018/03/30 20:56:42 spz Exp $ + +patch for CVE-2018-7548 from +https://sourceforge.net/p/zsh/code/ci/110b13e1090bc31ac1352b28adc2d02b6d25a102 + +--- Src/subst.c.orig 2017-04-04 17:51:28.000000000 +0000 ++++ Src/subst.c 2018-03-30 19:48:41.000000000 +0000 +@@ -2340,7 +2340,7 @@ + val = aval[0]; + isarr = 0; + } +- s = dyncat(val, s); ++ s = val ? dyncat(val, s) : dupstring(s); + /* Now behave po-faced as if it was always like that... */ + subexp = 0; + /* diff --git a/shells/zsh/patches/patch-CVE-2018-7549 b/shells/zsh/patches/patch-CVE-2018-7549 new file mode 100644 index 00000000000..9fb62c4a1d5 --- /dev/null +++ b/shells/zsh/patches/patch-CVE-2018-7549 @@ -0,0 +1,25 @@ +$NetBSD: patch-CVE-2018-7549,v 1.1 2018/03/30 20:56:42 spz Exp $ + +fix for CVE-2018-7549 from +https://sourceforge.net/p/zsh/code/ci/c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd + +--- Src/params.c.orig 2017-06-11 19:34:06.000000000 +0000 ++++ Src/params.c 2018-03-30 19:57:36.000000000 +0000 +@@ -535,10 +535,13 @@ + HashTable + copyparamtable(HashTable ht, char *name) + { +- HashTable nht = newparamtable(ht->hsize, name); +- outtable = nht; +- scanhashtable(ht, 0, 0, 0, scancopyparams, 0); +- outtable = NULL; ++ HashTable nht = 0; ++ if (ht) { ++ nht = newparamtable(ht->hsize, name); ++ outtable = nht; ++ scanhashtable(ht, 0, 0, 0, scancopyparams, 0); ++ outtable = NULL; ++ } + return nht; + } + -- cgit v1.2.3