Bug 1557382 (CVE-2018-1083)

Summary: CVE-2018-1083 zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: dmaphy, james.antill, j, kdudka, rcosta, security-response-team, svashisht
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: zsh 5.5
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow flaw was found in the zsh shell auto-complete functionality. A local, unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use auto-complete to traverse the aforementioned path. If the affected user is privileged, this leads to privilege escalation.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:17:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1560696, 1560697, 1560700, 1560701, 1560702    
Bug Blocks: 1557385    

Description Pedro Sampaio 2018-03-16 14:01:25 UTC
zsh is vulnerable to a stack-based buffer overflow in the gen_matches_files() function. A local attacker could exploit this through tab completion of directories with long names leading to arbitrary code execution.

Comment 9 Richard Maciel Costa 2018-03-26 19:10:55 UTC
Created zsh tracking bugs for this issue:

Affects: fedora-all [bug 1560696]

Comment 12 Richard Maciel Costa 2018-05-25 13:13:45 UTC
Acknowledgments:

Name: Richard Maciel Costa (Red Hat)

Comment 13 errata-xmlrpc 2018-06-19 04:56:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1932 https://access.redhat.com/errata/RHSA-2018:1932

Comment 14 errata-xmlrpc 2018-10-30 07:30:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3073 https://access.redhat.com/errata/RHSA-2018:3073