Bug 1563395 (CVE-2018-1100) - CVE-2018-1100 zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution
Status: CLOSED ERRATA
Alias: CVE-2018-1100
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Duplicates: 1563394
Depends On: 1563396 1563397 1563402 1563403 1563404
Blocks: 1563387
Reported: 2018-04-03 20:27 UTC by Richard Maciel Costa
Modified: 2019-09-29 14:35 UTC
Doc Text:
A buffer overflow flaw was found in the zsh shell check path functionality. A local, unprivileged user can create a specially crafted message file, which, if used to set a custom "you have new mail" message, leads to code execution in the context of the user who receives the message. If the user affected is privileged, this leads to privilege escalation.
Last Closed: 2018-09-19 18:32:54 UTC


Links:
Red Hat Product Errata RHSA-2018:1932 (last updated 2018-06-19 04:56:35 UTC)
Red Hat Product Errata RHSA-2018:3073 (last updated 2018-10-30 07:30:35 UTC)

Description Richard Maciel Costa 2018-04-03 20:27:51 UTC
zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the utils.c:checkmailpath function. A local attacker could exploit this to execute arbitrary code in the context of another user.

Comment 1 Richard Maciel Costa 2018-04-03 20:28:04 UTC
Acknowledgments:

Name: Richard Maciel Costa (Red Hat)

Comment 2 Richard Maciel Costa 2018-04-03 20:28:36 UTC
Created zsh tracking bugs for this issue:

Affects: fedora-all [bug 1563396]

Comment 6 Richard Maciel Costa 2018-04-03 20:58:34 UTC
*** Bug 1563394 has been marked as a duplicate of this bug. ***

Comment 9 Richard Maciel Costa 2018-04-10 18:11:16 UTC
Fixed by upstream patch:
https://sourceforge.net/p/zsh/code/ci/31f72205630687c1cef89347863aab355296a27f/

Comment 10 errata-xmlrpc 2018-06-19 04:56:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1932 https://access.redhat.com/errata/RHSA-2018:1932

Comment 11 errata-xmlrpc 2018-10-30 07:30:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3073 https://access.redhat.com/errata/RHSA-2018:3073

