A flaw was found in zsh prior to 5.3.1. There was no check when copying to the internal xbuf2 for a preliminary test.

References:
https://sourceforge.net/p/zsh/code/ci/c7a9cf465dd620ef48d586026944d9bd7a0d5d6d
The oldest non-EOL branch of Fedora, F26, has zsh 5.3.1. However, it does not appear to have this patch, so I believe that zsh 5.3.1 is also vulnerable to this. The current F27 version (5.4.2) does have this code and should not be vulnerable.
(In reply to Laura Pardo from comment #0)
> A flaw was found in zsh prior to 5.3.1.

The commit you refer to landed (192 commits) _after_ the 5.3.1 release.
fixed in zsh-5.3.1-7.fc26
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1932 https://access.redhat.com/errata/RHSA-2018:1932
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3073 https://access.redhat.com/errata/RHSA-2018:3073