Bug 1563395 (CVE-2018-1100)

Summary: CVE-2018-1100 zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution
Product: [Other] Security Response
Reporter: Richard Maciel Costa <rcosta>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: dmaphy, james.antill, kdudka, psampaio, rcosta, security-response-team, svashisht, tibbs
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A buffer overflow flaw was found in the zsh shell check path functionality. A local, unprivileged user can create a specially crafted message file, which, if used to set a custom "you have new mail" message, leads to code execution in the context of the user who receives the message. If the user affected is privileged, this leads to privilege escalation.
Last Closed: 2018-09-19 18:32:54 UTC
Bug Depends On: 1563396, 1563397, 1563402, 1563403, 1563404    
Bug Blocks: 1563387    

Description Richard Maciel Costa 2018-04-03 20:27:51 UTC
zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the utils.c:checkmailpath function. A local attacker could exploit this to execute arbitrary code in the context of another user.

Comment 1 Richard Maciel Costa 2018-04-03 20:28:04 UTC
Acknowledgments:

Name: Richard Maciel Costa (Red Hat)

Comment 2 Richard Maciel Costa 2018-04-03 20:28:36 UTC
Created zsh tracking bugs for this issue:

Affects: fedora-all [bug 1563396]

Comment 6 Richard Maciel Costa 2018-04-03 20:58:34 UTC
*** Bug 1563394 has been marked as a duplicate of this bug. ***

Comment 9 Richard Maciel Costa 2018-04-10 18:11:16 UTC
Fixed by upstream patch:
https://sourceforge.net/p/zsh/code/ci/31f72205630687c1cef89347863aab355296a27f/

Comment 10 errata-xmlrpc 2018-06-19 04:56:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1932 https://access.redhat.com/errata/RHSA-2018:1932

Comment 11 errata-xmlrpc 2018-10-30 07:30:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3073 https://access.redhat.com/errata/RHSA-2018:3073