Bug 1563395 – CVE-2018-1100 zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1563395 - (CVE-2018-1100) CVE-2018-1100 zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution

Summary:	CVE-2018-1100 zsh: buffer overflow in utils.c:checkmailpath() can lead to loc...

Status:	CLOSED ERRATA

Aliases:	CVE-2018-1100

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20180407,reported=2...
Keywords:	Security

Duplicates:	1563394 (view as bug list)
Depends On:	1563396 1563397 1563402 1563403 1563404
Blocks:	1563387
	Show dependency tree / graph

Reported:	2018-04-03 16:27 EDT by Richard Maciel Costa
Modified:	2018-10-30 03:30 EDT (History)
CC List:	8 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A buffer overflow flaw was found in the zsh shell check path functionality. A local, unprivileged user can create a specially crafted message file, which, if used to set a custom "you have new mail" message, leads to code execution in the context of the user who receives the message. If the user affected is privileged, this leads to privilege escalation.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2018-09-19 14:32:54 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:1932	None	None	None	2018-06-19 00:56 EDT
Red Hat Product Errata	RHSA-2018:3073	None	None	None	2018-10-30 03:30 EDT

Groups: None (edit)

Description Richard Maciel Costa 2018-04-03 16:27:51 EDT

zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the utils.c:checkmailpath function. A local attacker could exploit this to execute arbitrary code in the context of another user.

Comment 1 Richard Maciel Costa 2018-04-03 16:28:04 EDT

Acknowledgments:

Name: Richard Maciel Costa (Red Hat)

Comment 2 Richard Maciel Costa 2018-04-03 16:28:36 EDT

Created zsh tracking bugs for this issue:

Affects: fedora-all [bug 1563396]

Comment 6 Richard Maciel Costa 2018-04-03 16:58:34 EDT

*** Bug 1563394 has been marked as a duplicate of this bug. ***

Comment 9 Richard Maciel Costa 2018-04-10 14:11:16 EDT

Fixed by upstream patch:
https://sourceforge.net/p/zsh/code/ci/31f72205630687c1cef89347863aab355296a27f/

Comment 10 errata-xmlrpc 2018-06-19 00:56:29 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1932 https://access.redhat.com/errata/RHSA-2018:1932

Comment 11 errata-xmlrpc 2018-10-30 03:30:29 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3073 https://access.redhat.com/errata/RHSA-2018:3073

Note You need to log in before you can comment on or make changes to this bug.