1563395 – (CVE-2018-1100) CVE-2018-1100 zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution

Bug 1563395 (CVE-2018-1100) - CVE-2018-1100 zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution

Summary: CVE-2018-1100 zsh: buffer overflow in utils.c:checkmailpath() can lead to loc...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-1100
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1563394 (view as bug list)
Depends On:	1563396 1563397 1563402 1563403 1563404
Blocks:	1563387
TreeView+	depends on / blocked

Reported:	2018-04-03 20:27 UTC by Richard Maciel Costa
Modified:	2021-02-17 00:33 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A buffer overflow flaw was found in the zsh shell check path functionality. A local, unprivileged user can create a specially crafted message file, which, if used to set a custom "you have new mail" message, leads to code execution in the context of the user who receives the message. If the user affected is privileged, this leads to privilege escalation.
Clone Of:
Environment:
Last Closed:	2018-09-19 18:32:54 UTC

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:1932	0	None	None	None	2018-06-19 04:56:35 UTC
Red Hat Product Errata	RHSA-2018:3073	0	None	None	None	2018-10-30 07:30:35 UTC

Description Richard Maciel Costa 2018-04-03 20:27:51 UTC

zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the utils.c:checkmailpath function. A local attacker could exploit this to execute arbitrary code in the context of another user.

Comment 1 Richard Maciel Costa 2018-04-03 20:28:04 UTC

Acknowledgments:

Name: Richard Maciel Costa (Red Hat)

Comment 2 Richard Maciel Costa 2018-04-03 20:28:36 UTC

Created zsh tracking bugs for this issue:

Affects: fedora-all [bug 1563396]

Comment 6 Richard Maciel Costa 2018-04-03 20:58:34 UTC

*** Bug 1563394 has been marked as a duplicate of this bug. ***

Comment 9 Richard Maciel Costa 2018-04-10 18:11:16 UTC

Fixed by upstream patch:
https://sourceforge.net/p/zsh/code/ci/31f72205630687c1cef89347863aab355296a27f/

Comment 10 errata-xmlrpc 2018-06-19 04:56:29 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1932 https://access.redhat.com/errata/RHSA-2018:1932

Comment 11 errata-xmlrpc 2018-10-30 07:30:29 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3073 https://access.redhat.com/errata/RHSA-2018:3073

Note You need to log in before you can comment on or make changes to this bug.