ID CESA-2018:1932 Type centos Reporter CentOS Project Modified 2018-06-21T11:56:17
Description
CentOS Errata and Security Advisory CESA-2018:1932
The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more.
Security Fix(es):
zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083)
zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072)
zsh: buffer overrun in symlinks (CVE-2017-18206)
zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
The CVE-2018-1083 and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat).
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.
Merged security bulletin from advisories:
http://lists.centos.org/pipermail/centos-cr-announce/2018-June/005308.html
Affected packages:
zsh
zsh-html
Upstream details at:
{"id": "CESA-2018:1932", "bulletinFamily": "unix", "title": "zsh security update", "description": "**CentOS Errata and Security Advisory** CESA-2018:1932\n\n\nThe zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more.\n\nSecurity Fix(es):\n\n* zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083)\n\n* zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072)\n\n* zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n* zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nThe CVE-2018-1083 and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2018-June/005308.html\n\n**Affected packages:**\nzsh\nzsh-html\n\n**Upstream details at:**\n", "published": "2018-06-21T11:56:17", "modified": "2018-06-21T11:56:17", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-cr-announce/2018-June/005308.html", "reporter": "CentOS Project", "references": ["https://access.redhat.com/errata/RHSA-2018:1932"], "cvelist": ["CVE-2017-18206", "CVE-2018-1083", "CVE-2018-1100", "CVE-2014-10072"], "type": "centos", "lastseen": "2018-06-21T19:14:56", "history": [], "edition": 1, "hashmap": [{"key": "affectedPackage", "hash": "ff0ac4907e04c4f49b4c18174f751382"}, {"key": "bulletinFamily", "hash": "4913a9178621eadcdf191db17915fbcb"}, {"key": "cvelist", "hash": "93d2ed53583b66fd9b608f166adc5f56"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "c251cb77337a180b2c0c5e8364af9ca2"}, {"key": "href", "hash": "d330beda7d535cd91e4dae9b61d2d895"}, {"key": "modified", "hash": "b4b7499eb71f97e99080af3bcfd629c9"}, {"key": "published", "hash": "b4b7499eb71f97e99080af3bcfd629c9"}, {"key": "references", "hash": "72e4dc8584b002852ec2dc4b0b185283"}, {"key": "reporter", "hash": "9855627921475e40e00f92d60af14cb3"}, {"key": "title", "hash": "2f237dd88d4cbb3aa53fdd340c74fc9e"}, {"key": "type", "hash": "cdc872db616ac66adb3166c75e9ad183"}], "hash": "5787aca443c11681888f2b97425e94bcb094ca436e0f33a575e19666c3252bfa", "viewCount": 18, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2018-06-21T19:14:56"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-10072", "CVE-2017-18206", "CVE-2018-1100", "CVE-2018-1083"]}, {"type": "nessus", "idList": ["CENTOS_RHSA-2018-1932.NASL", "REDHAT-RHSA-2018-1932.NASL", "SL_20180619_ZSH_ON_SL6_X.NASL", "ORACLELINUX_ELSA-2018-1932.NASL", "ORACLELINUX_ELSA-2018-3073.NASL", "ALA_ALAS-2018-1107.NASL", "REDHAT-RHSA-2018-3073.NASL", "CENTOS_RHSA-2018-3073.NASL", "SL_20181030_ZSH_ON_SL7_X.NASL", "EULEROS_SA-2018-1424.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2018-1932", "ELSA-2018-3073"]}, {"type": "redhat", "idList": ["RHSA-2018:1932", "RHSA-2018:3073"]}, {"type": "centos", "idList": ["CESA-2018:3073"]}, {"type": "amazon", "idList": ["ALAS-2018-1107"]}, {"type": "suse", "idList": ["SUSE-SU-2018:1072-1", "OPENSUSE-SU-2018:1893-1", "OPENSUSE-SU-2018:1093-1", "OPENSUSE-SU-2018:2966-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310852027", "OPENVAS:1361412562310851737", "OPENVAS:1361412562310891304", "OPENVAS:1361412562310851921", "OPENVAS:1361412562310874417", "OPENVAS:1361412562310843682", "OPENVAS:1361412562310875073", "OPENVAS:1361412562310891335", "OPENVAS:1361412562310843689", "OPENVAS:1361412562310874260"]}, {"type": "gentoo", "idList": ["GLSA-201805-10"]}, {"type": "slackware", "idList": ["SSA-2019-013-01"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1304-1:31925", "DEBIAN:DLA-1335-1:417A2"]}, {"type": "ubuntu", "idList": ["USN-3593-1", "USN-3608-1", "USN-3764-1"]}], "modified": "2018-06-21T19:14:56"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "affectedPackage": [{"OS": "CentOS", "OSVersion": "6", "arch": "i686", "operator": "lt", "packageFilename": "zsh-4.3.11-8.el6.centos.i686.rpm", "packageName": "zsh", "packageVersion": "4.3.11-8.el6.centos"}, {"OS": "CentOS", "OSVersion": "6", "arch": "x86_64", "operator": "lt", "packageFilename": "zsh-4.3.11-8.el6.centos.x86_64.rpm", "packageName": "zsh", "packageVersion": "4.3.11-8.el6.centos"}, {"OS": "CentOS", "OSVersion": "6", "arch": "any", "operator": "lt", "packageFilename": "zsh-4.3.11-8.el6.centos.src.rpm", "packageName": "zsh", "packageVersion": "4.3.11-8.el6.centos"}, {"OS": "CentOS", "OSVersion": "6", "arch": "i686", "operator": "lt", "packageFilename": "zsh-html-4.3.11-8.el6.centos.i686.rpm", "packageName": "zsh-html", "packageVersion": "4.3.11-8.el6.centos"}, {"OS": "CentOS", "OSVersion": "6", "arch": "x86_64", "operator": "lt", "packageFilename": "zsh-html-4.3.11-8.el6.centos.x86_64.rpm", "packageName": "zsh-html", "packageVersion": "4.3.11-8.el6.centos"}]}
{"cve": [{"lastseen": "2018-11-01T11:15:22", "bulletinFamily": "NVD", "description": "In utils.c in zsh before 5.0.6, there is a buffer overflow when scanning very long directory paths for symbolic links.", "modified": "2018-10-31T06:29:00", "published": "2018-02-27T17:29:00", "id": "CVE-2014-10072", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-10072", "title": "CVE-2014-10072", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-01T11:17:07", "bulletinFamily": "NVD", "description": "In utils.c in zsh before 5.4, symlink expansion had a buffer overflow.", "modified": "2018-10-31T06:29:11", "published": "2018-02-27T17:29:00", "id": "CVE-2017-18206", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18206", "title": "CVE-2017-18206", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-04-23T11:27:21", "bulletinFamily": "NVD", "description": "Zsh before version 5.4.2-test-1 is vulnerable to a buffer overflow in the shell autocomplete functionality. A local unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use autocomplete to traverse the before mentioned path. If the user affected is privileged, this leads to privilege escalation.", "modified": "2019-04-22T13:48:00", "published": "2018-03-28T09:29:00", "id": "CVE-2018-1083", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1083", "title": "CVE-2018-1083", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-09T11:53:12", "bulletinFamily": "NVD", "description": "zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the utils.c:checkmailpath function. A local attacker could exploit this to execute arbitrary code in the context of another user.", "modified": "2019-03-08T10:14:55", "published": "2018-04-11T15:29:01", "id": "CVE-2018-1100", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1100", "title": "CVE-2018-1100", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:48:27", "bulletinFamily": "unix", "description": "[4.3.11-8]\n- fix defects detected by Coverity related to CVE-2017-18206 and CVE-2018-1083\n[4.3.11-7]\n- fix stack-based buffer overflow in utils.c:checkmailpath() (CVE-2018-1100)\n- fix stack-based buffer overflow in gen_matches_files() (CVE-2018-1083)\n- fix buffer overrun in xsymlinks (CVE-2017-18206)\n- fix buffer overflow when scanning very long path for symlinks (CVE-2014-10072)\n[4.3.11-6]\n- signal-handling related fixes collected from upstream (#1311166)\n[4.3.11-5]\n- fix malloc() signal leak in lexsave() (#1267903)", "modified": "2018-06-25T00:00:00", "published": "2018-06-25T00:00:00", "id": "ELSA-2018-1932", "href": "http://linux.oracle.com/errata/ELSA-2018-1932.html", "title": "zsh security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-06T06:36:49", "bulletinFamily": "unix", "description": "[5.0.2-31]\n- fix defects detected by Coverity related to CVE-2017-18206 and CVE-2018-1083\n[5.0.2-30]\n- fix stack-based buffer overflow in utils.c:checkmailpath() (CVE-2018-1100)\n- fix stack-based buffer overflow in gen_matches_files() (CVE-2018-1083)\n- fix stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071)\n- avoid crash when copying empty hash table (CVE-2018-7549)\n- fix buffer overrun in xsymlinks (CVE-2017-18206)\n- fix NULL dereference in cd (CVE-2017-18205)\n- fix buffer overflow when scanning very long path for symlinks (CVE-2014-10072)\n- fix buffer overflow for very long fds in >& fd syntax (CVE-2014-10071)\n[5.0.2-29]\n- fix crash while inputting long multi-line strings (#1492595)", "modified": "2018-11-05T00:00:00", "published": "2018-11-05T00:00:00", "id": "ELSA-2018-3073", "href": "http://linux.oracle.com/errata/ELSA-2018-3073.html", "title": "zsh security and bug fix update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:40:36", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2018:1932 :\n\nAn update for zsh is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more.\n\nSecurity Fix(es) :\n\n* zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083)\n\n* zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072)\n\n* zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n* zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nThe CVE-2018-1083 and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.", "modified": "2018-06-27T00:00:00", "id": "ORACLELINUX_ELSA-2018-1932.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110707", "published": "2018-06-27T00:00:00", "title": "Oracle Linux 6 : zsh (ELSA-2018-1932)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2018:1932 and \n# Oracle Linux Security Advisory ELSA-2018-1932 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110707);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/06/27 11:49:54\");\n\n script_cve_id(\"CVE-2014-10072\", \"CVE-2017-18206\", \"CVE-2018-1083\", \"CVE-2018-1100\");\n script_xref(name:\"RHSA\", value:\"2018:1932\");\n\n script_name(english:\"Oracle Linux 6 : zsh (ELSA-2018-1932)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2018:1932 :\n\nAn update for zsh is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe zsh shell is a command interpreter usable as an interactive login\nshell and as a shell script command processor. Zsh resembles the ksh\nshell (the Korn shell), but includes many enhancements. Zsh supports\ncommand-line editing, built-in spelling correction, programmable\ncommand completion, shell functions (with autoloading), a history\nmechanism, and more.\n\nSecurity Fix(es) :\n\n* zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c\n(CVE-2018-1083)\n\n* zsh: buffer overflow when scanning very long directory paths for\nsymbolic links (CVE-2014-10072)\n\n* zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n* zsh: buffer overflow in utils.c:checkmailpath() can lead to local\narbitrary code execution (CVE-2018-1100)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nThe CVE-2018-1083 and CVE-2018-1100 issues were discovered by Richard\nMaciel Costa (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10\nTechnical Notes linked from the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-June/007812.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected zsh packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:zsh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:zsh-html\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"zsh-4.3.11-8.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"zsh-html-4.3.11-8.el6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zsh / zsh-html\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:40:48", "bulletinFamily": "scanner", "description": "Security Fix(es) :\n\n - zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083)\n\n - zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072)\n\n - zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n - zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100)", "modified": "2018-12-27T00:00:00", "id": "SL_20180619_ZSH_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110893", "published": "2018-07-03T00:00:00", "title": "Scientific Linux Security Update : zsh on SL6.x i386/x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110893);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/12/27 10:05:37\");\n\n script_cve_id(\"CVE-2014-10072\", \"CVE-2017-18206\", \"CVE-2018-1083\", \"CVE-2018-1100\");\n\n script_name(english:\"Scientific Linux Security Update : zsh on SL6.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - zsh: Stack-based buffer overflow in gen_matches_files()\n at compctl.c (CVE-2018-1083)\n\n - zsh: buffer overflow when scanning very long directory\n paths for symbolic links (CVE-2014-10072)\n\n - zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n - zsh: buffer overflow in utils.c:checkmailpath() can lead\n to local arbitrary code execution (CVE-2018-1100)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1807&L=scientific-linux-errata&F=&S=&P=714\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?12b369be\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected zsh, zsh-debuginfo and / or zsh-html packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"zsh-4.3.11-8.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"zsh-debuginfo-4.3.11-8.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"zsh-html-4.3.11-8.el6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:40:30", "bulletinFamily": "scanner", "description": "An update for zsh is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more.\n\nSecurity Fix(es) :\n\n* zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083)\n\n* zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072)\n\n* zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n* zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nThe CVE-2018-1083 and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2018-1932.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110607", "published": "2018-06-19T00:00:00", "title": "RHEL 6 : zsh (RHSA-2018:1932)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:1932. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110607);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/11/10 11:49:57\");\n\n script_cve_id(\"CVE-2014-10072\", \"CVE-2017-18206\", \"CVE-2018-1083\", \"CVE-2018-1100\");\n script_xref(name:\"RHSA\", value:\"2018:1932\");\n\n script_name(english:\"RHEL 6 : zsh (RHSA-2018:1932)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for zsh is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe zsh shell is a command interpreter usable as an interactive login\nshell and as a shell script command processor. Zsh resembles the ksh\nshell (the Korn shell), but includes many enhancements. Zsh supports\ncommand-line editing, built-in spelling correction, programmable\ncommand completion, shell functions (with autoloading), a history\nmechanism, and more.\n\nSecurity Fix(es) :\n\n* zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c\n(CVE-2018-1083)\n\n* zsh: buffer overflow when scanning very long directory paths for\nsymbolic links (CVE-2014-10072)\n\n* zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n* zsh: buffer overflow in utils.c:checkmailpath() can lead to local\narbitrary code execution (CVE-2018-1100)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nThe CVE-2018-1083 and CVE-2018-1100 issues were discovered by Richard\nMaciel Costa (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10\nTechnical Notes linked from the References section.\"\n );\n # https://access.redhat.com/documentation/en-US/red_hat_enterprise_linux/6/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3d2572ef\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:1932\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-10072\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-18206\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1083\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1100\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected zsh, zsh-debuginfo and / or zsh-html packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:zsh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:zsh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:zsh-html\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:1932\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"zsh-4.3.11-8.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"zsh-4.3.11-8.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"zsh-4.3.11-8.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"zsh-debuginfo-4.3.11-8.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"zsh-debuginfo-4.3.11-8.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"zsh-debuginfo-4.3.11-8.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"zsh-html-4.3.11-8.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"zsh-html-4.3.11-8.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"zsh-html-4.3.11-8.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zsh / zsh-debuginfo / zsh-html\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:40:33", "bulletinFamily": "scanner", "description": "An update for zsh is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more.\n\nSecurity Fix(es) :\n\n* zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083)\n\n* zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072)\n\n* zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n* zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nThe CVE-2018-1083 and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.", "modified": "2018-11-10T00:00:00", "id": "CENTOS_RHSA-2018-1932.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=110652", "published": "2018-06-22T00:00:00", "title": "CentOS 6 : zsh (CESA-2018:1932)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:1932 and \n# CentOS Errata and Security Advisory 2018:1932 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110652);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/11/10 11:49:32\");\n\n script_cve_id(\"CVE-2014-10072\", \"CVE-2017-18206\", \"CVE-2018-1083\", \"CVE-2018-1100\");\n script_xref(name:\"RHSA\", value:\"2018:1932\");\n\n script_name(english:\"CentOS 6 : zsh (CESA-2018:1932)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for zsh is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe zsh shell is a command interpreter usable as an interactive login\nshell and as a shell script command processor. Zsh resembles the ksh\nshell (the Korn shell), but includes many enhancements. Zsh supports\ncommand-line editing, built-in spelling correction, programmable\ncommand completion, shell functions (with autoloading), a history\nmechanism, and more.\n\nSecurity Fix(es) :\n\n* zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c\n(CVE-2018-1083)\n\n* zsh: buffer overflow when scanning very long directory paths for\nsymbolic links (CVE-2014-10072)\n\n* zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n* zsh: buffer overflow in utils.c:checkmailpath() can lead to local\narbitrary code execution (CVE-2018-1100)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nThe CVE-2018-1083 and CVE-2018-1100 issues were discovered by Richard\nMaciel Costa (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10\nTechnical Notes linked from the References section.\"\n );\n # https://lists.centos.org/pipermail/centos-cr-announce/2018-June/005308.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f2c935a2\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected zsh packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:zsh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:zsh-html\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"zsh-4.3.11-8.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"zsh-html-4.3.11-8.el6.centos\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:43:51", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2018:3073 :\n\nAn update for zsh is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more.\n\nSecurity Fix(es) :\n\n* zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083)\n\n* zsh: buffer overflow for very long fds in >& fd syntax (CVE-2014-10071)\n\n* zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072)\n\n* zsh: NULL dereference in cd in sh compatibility mode under given circumstances (CVE-2017-18205)\n\n* zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n* zsh: Stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071)\n\n* zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100)\n\n* zsh: crash on copying empty hash table (CVE-2018-7549)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nThe CVE-2018-1083, CVE-2018-1071, and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.", "modified": "2018-11-07T00:00:00", "id": "ORACLELINUX_ELSA-2018-3073.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=118769", "published": "2018-11-07T00:00:00", "title": "Oracle Linux 7 : zsh (ELSA-2018-3073)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2018:3073 and \n# Oracle Linux Security Advisory ELSA-2018-3073 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118769);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/11/07 11:02:18\");\n\n script_cve_id(\"CVE-2014-10071\", \"CVE-2014-10072\", \"CVE-2017-18205\", \"CVE-2017-18206\", \"CVE-2018-1071\", \"CVE-2018-1083\", \"CVE-2018-1100\", \"CVE-2018-7549\");\n script_xref(name:\"RHSA\", value:\"2018:3073\");\n\n script_name(english:\"Oracle Linux 7 : zsh (ELSA-2018-3073)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2018:3073 :\n\nAn update for zsh is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe zsh shell is a command interpreter usable as an interactive login\nshell and as a shell script command processor. Zsh resembles the ksh\nshell (the Korn shell), but includes many enhancements. Zsh supports\ncommand-line editing, built-in spelling correction, programmable\ncommand completion, shell functions (with autoloading), a history\nmechanism, and more.\n\nSecurity Fix(es) :\n\n* zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c\n(CVE-2018-1083)\n\n* zsh: buffer overflow for very long fds in >& fd syntax\n(CVE-2014-10071)\n\n* zsh: buffer overflow when scanning very long directory paths for\nsymbolic links (CVE-2014-10072)\n\n* zsh: NULL dereference in cd in sh compatibility mode under given\ncircumstances (CVE-2017-18205)\n\n* zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n* zsh: Stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071)\n\n* zsh: buffer overflow in utils.c:checkmailpath() can lead to local\narbitrary code execution (CVE-2018-1100)\n\n* zsh: crash on copying empty hash table (CVE-2018-7549)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nThe CVE-2018-1083, CVE-2018-1071, and CVE-2018-1100 issues were\ndiscovered by Richard Maciel Costa (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.6 Release Notes linked from the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-November/008190.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected zsh packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:zsh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:zsh-html\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"zsh-5.0.2-31.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"zsh-html-5.0.2-31.el7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zsh / zsh-html\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:44:02", "bulletinFamily": "scanner", "description": "An update for zsh is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more.\n\nSecurity Fix(es) :\n\n* zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083)\n\n* zsh: buffer overflow for very long fds in >& fd syntax (CVE-2014-10071)\n\n* zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072)\n\n* zsh: NULL dereference in cd in sh compatibility mode under given circumstances (CVE-2017-18205)\n\n* zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n* zsh: Stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071)\n\n* zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100)\n\n* zsh: crash on copying empty hash table (CVE-2018-7549)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nThe CVE-2018-1083, CVE-2018-1071, and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.", "modified": "2018-11-16T00:00:00", "id": "CENTOS_RHSA-2018-3073.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=118989", "published": "2018-11-16T00:00:00", "title": "CentOS 7 : zsh (CESA-2018:3073)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:3073 and \n# CentOS Errata and Security Advisory 2018:3073 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118989);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/11/16 15:19:24\");\n\n script_cve_id(\"CVE-2014-10071\", \"CVE-2014-10072\", \"CVE-2017-18205\", \"CVE-2017-18206\", \"CVE-2018-1071\", \"CVE-2018-1083\", \"CVE-2018-1100\", \"CVE-2018-7549\");\n script_xref(name:\"RHSA\", value:\"2018:3073\");\n\n script_name(english:\"CentOS 7 : zsh (CESA-2018:3073)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for zsh is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe zsh shell is a command interpreter usable as an interactive login\nshell and as a shell script command processor. Zsh resembles the ksh\nshell (the Korn shell), but includes many enhancements. Zsh supports\ncommand-line editing, built-in spelling correction, programmable\ncommand completion, shell functions (with autoloading), a history\nmechanism, and more.\n\nSecurity Fix(es) :\n\n* zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c\n(CVE-2018-1083)\n\n* zsh: buffer overflow for very long fds in >& fd syntax\n(CVE-2014-10071)\n\n* zsh: buffer overflow when scanning very long directory paths for\nsymbolic links (CVE-2014-10072)\n\n* zsh: NULL dereference in cd in sh compatibility mode under given\ncircumstances (CVE-2017-18205)\n\n* zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n* zsh: Stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071)\n\n* zsh: buffer overflow in utils.c:checkmailpath() can lead to local\narbitrary code execution (CVE-2018-1100)\n\n* zsh: crash on copying empty hash table (CVE-2018-7549)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nThe CVE-2018-1083, CVE-2018-1071, and CVE-2018-1100 issues were\ndiscovered by Richard Maciel Costa (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.6 Release Notes linked from the References section.\"\n );\n # https://lists.centos.org/pipermail/centos-cr-announce/2018-November/005742.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d16546c9\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected zsh packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:zsh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:zsh-html\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"zsh-5.0.2-31.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"zsh-html-5.0.2-31.el7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:43:39", "bulletinFamily": "scanner", "description": "An update for zsh is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more.\n\nSecurity Fix(es) :\n\n* zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083)\n\n* zsh: buffer overflow for very long fds in >& fd syntax (CVE-2014-10071)\n\n* zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072)\n\n* zsh: NULL dereference in cd in sh compatibility mode under given circumstances (CVE-2017-18205)\n\n* zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n* zsh: Stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071)\n\n* zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100)\n\n* zsh: crash on copying empty hash table (CVE-2018-7549)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nThe CVE-2018-1083, CVE-2018-1071, and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2018-3073.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=118524", "published": "2018-10-31T00:00:00", "title": "RHEL 7 : zsh (RHSA-2018:3073)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:3073. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118524);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/11/10 11:49:58\");\n\n script_cve_id(\"CVE-2014-10071\", \"CVE-2014-10072\", \"CVE-2017-18205\", \"CVE-2017-18206\", \"CVE-2018-1071\", \"CVE-2018-1083\", \"CVE-2018-1100\", \"CVE-2018-7549\");\n script_xref(name:\"RHSA\", value:\"2018:3073\");\n\n script_name(english:\"RHEL 7 : zsh (RHSA-2018:3073)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for zsh is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe zsh shell is a command interpreter usable as an interactive login\nshell and as a shell script command processor. Zsh resembles the ksh\nshell (the Korn shell), but includes many enhancements. Zsh supports\ncommand-line editing, built-in spelling correction, programmable\ncommand completion, shell functions (with autoloading), a history\nmechanism, and more.\n\nSecurity Fix(es) :\n\n* zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c\n(CVE-2018-1083)\n\n* zsh: buffer overflow for very long fds in >& fd syntax\n(CVE-2014-10071)\n\n* zsh: buffer overflow when scanning very long directory paths for\nsymbolic links (CVE-2014-10072)\n\n* zsh: NULL dereference in cd in sh compatibility mode under given\ncircumstances (CVE-2017-18205)\n\n* zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n* zsh: Stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071)\n\n* zsh: buffer overflow in utils.c:checkmailpath() can lead to local\narbitrary code execution (CVE-2018-1100)\n\n* zsh: crash on copying empty hash table (CVE-2018-7549)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nThe CVE-2018-1083, CVE-2018-1071, and CVE-2018-1100 issues were\ndiscovered by Richard Maciel Costa (Red Hat).\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.6 Release Notes linked from the References section.\"\n );\n # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3395ff0b\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:3073\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-10071\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-10072\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-18205\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-18206\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1071\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1083\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1100\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-7549\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected zsh, zsh-debuginfo and / or zsh-html packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:zsh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:zsh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:zsh-html\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:3073\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"zsh-5.0.2-31.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"zsh-5.0.2-31.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"zsh-debuginfo-5.0.2-31.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"zsh-debuginfo-5.0.2-31.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"zsh-html-5.0.2-31.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"zsh-html-5.0.2-31.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zsh / zsh-debuginfo / zsh-html\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:44:15", "bulletinFamily": "scanner", "description": "Security Fix(es) :\n\n - zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083)\n\n - zsh: buffer overflow for very long fds in >& fd syntax (CVE-2014-10071)\n\n - zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072)\n\n - zsh: NULL dereference in cd in sh compatibility mode under given circumstances (CVE-2017-18205)\n\n - zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n - zsh: Stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071)\n\n - zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100)\n\n - zsh: crash on copying empty hash table (CVE-2018-7549)", "modified": "2018-12-27T00:00:00", "id": "SL_20181030_ZSH_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119204", "published": "2018-11-27T00:00:00", "title": "Scientific Linux Security Update : zsh on SL7.x x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119204);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/12/27 10:05:37\");\n\n script_cve_id(\"CVE-2014-10071\", \"CVE-2014-10072\", \"CVE-2017-18205\", \"CVE-2017-18206\", \"CVE-2018-1071\", \"CVE-2018-1083\", \"CVE-2018-1100\", \"CVE-2018-7549\");\n\n script_name(english:\"Scientific Linux Security Update : zsh on SL7.x x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - zsh: Stack-based buffer overflow in gen_matches_files()\n at compctl.c (CVE-2018-1083)\n\n - zsh: buffer overflow for very long fds in >& fd\n syntax (CVE-2014-10071)\n\n - zsh: buffer overflow when scanning very long directory\n paths for symbolic links (CVE-2014-10072)\n\n - zsh: NULL dereference in cd in sh compatibility mode\n under given circumstances (CVE-2017-18205)\n\n - zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n - zsh: Stack-based buffer overflow in exec.c:hashcmd()\n (CVE-2018-1071)\n\n - zsh: buffer overflow in utils.c:checkmailpath() can lead\n to local arbitrary code execution (CVE-2018-1100)\n\n - zsh: crash on copying empty hash table (CVE-2018-7549)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1811&L=scientific-linux-errata&F=&S=&P=7726\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a531a134\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected zsh, zsh-debuginfo and / or zsh-html packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"zsh-5.0.2-31.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"zsh-debuginfo-5.0.2-31.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"zsh-html-5.0.2-31.el7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:44:23", "bulletinFamily": "scanner", "description": "A buffer overflow flaw was found in the zsh shell symbolic link resolver. A local, unprivileged user can create a specially crafted directory path which leads to a buffer overflow in the context of the user trying to do a symbolic link resolution in the aforementioned path. If the user affected is privileged, this leads to privilege escalation.(CVE-2017-18206)\n\nA buffer overflow flaw was found in the zsh shell auto-complete functionality. A local, unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use auto-complete to traverse the before mentioned path. If the user affected is privileged, this leads to privilege escalation.(CVE-2018-1083)\n\nA NULL pointer dereference flaw was found in the code responsible for saving hashtables of the zsh package. An attacker could use this flaw to cause a denial of service by crashing the user shell.(CVE-2018-7549)\n\nA NULL pointer dereference flaw was found in the code responsible for the cd builtin command of the zsh package. An attacker could use this flaw to cause a denial of service by crashing the user shell.(CVE-2017-18205)\n\nA buffer overflow flaw was found in the zsh shell symbolic link resolver. A local, unprivileged user can create a specially crafted directory path which leads to a buffer overflow in the context of the user trying to do symbolic link resolution in the aforementioned path.\nAn attacker could exploit this vulnerability to cause a denial of service condition on the target.(CVE-2014-10072)\n\nA buffer overflow flaw was found in the zsh shell check path functionality. A local, unprivileged user can create a specially crafted message file, which, if used to set a custom 'you have new mail' message, leads to code execution in the context of the user who receives the message. If the user affected is privileged, this leads to privilege escalation.(CVE-2018-1100)\n\nzsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd() function. A local attacker could exploit this to cause a denial of service.(CVE-2018-1071)\n\nA buffer overflow flaw was found in the zsh shell file descriptor redirection functionality. An attacker could use this flaw to cause a denial of service by crashing the user shell.(CVE-2014-10071)", "modified": "2018-12-07T00:00:00", "id": "ALA_ALAS-2018-1107.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119466", "published": "2018-12-07T00:00:00", "title": "Amazon Linux AMI : zsh (ALAS-2018-1107)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2018-1107.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119466);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/12/07 9:46:52\");\n\n script_cve_id(\"CVE-2014-10071\", \"CVE-2014-10072\", \"CVE-2017-18205\", \"CVE-2017-18206\", \"CVE-2018-1071\", \"CVE-2018-1083\", \"CVE-2018-1100\", \"CVE-2018-7549\");\n script_xref(name:\"ALAS\", value:\"2018-1107\");\n\n script_name(english:\"Amazon Linux AMI : zsh (ALAS-2018-1107)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A buffer overflow flaw was found in the zsh shell symbolic link\nresolver. A local, unprivileged user can create a specially crafted\ndirectory path which leads to a buffer overflow in the context of the\nuser trying to do a symbolic link resolution in the aforementioned\npath. If the user affected is privileged, this leads to privilege\nescalation.(CVE-2017-18206)\n\nA buffer overflow flaw was found in the zsh shell auto-complete\nfunctionality. A local, unprivileged user can create a specially\ncrafted directory path which leads to code execution in the context of\nthe user who tries to use auto-complete to traverse the before\nmentioned path. If the user affected is privileged, this leads to\nprivilege escalation.(CVE-2018-1083)\n\nA NULL pointer dereference flaw was found in the code responsible for\nsaving hashtables of the zsh package. An attacker could use this flaw\nto cause a denial of service by crashing the user\nshell.(CVE-2018-7549)\n\nA NULL pointer dereference flaw was found in the code responsible for\nthe cd builtin command of the zsh package. An attacker could use this\nflaw to cause a denial of service by crashing the user\nshell.(CVE-2017-18205)\n\nA buffer overflow flaw was found in the zsh shell symbolic link\nresolver. A local, unprivileged user can create a specially crafted\ndirectory path which leads to a buffer overflow in the context of the\nuser trying to do symbolic link resolution in the aforementioned path.\nAn attacker could exploit this vulnerability to cause a denial of\nservice condition on the target.(CVE-2014-10072)\n\nA buffer overflow flaw was found in the zsh shell check path\nfunctionality. A local, unprivileged user can create a specially\ncrafted message file, which, if used to set a custom 'you have new\nmail' message, leads to code execution in the context of the user who\nreceives the message. If the user affected is privileged, this leads\nto privilege escalation.(CVE-2018-1100)\n\nzsh through version 5.4.2 is vulnerable to a stack-based buffer\noverflow in the exec.c:hashcmd() function. A local attacker could\nexploit this to cause a denial of service.(CVE-2018-1071)\n\nA buffer overflow flaw was found in the zsh shell file descriptor\nredirection functionality. An attacker could use this flaw to cause a\ndenial of service by crashing the user shell.(CVE-2014-10071)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2018-1107.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update zsh' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:zsh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:zsh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:zsh-html\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"zsh-5.0.2-31.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"zsh-debuginfo-5.0.2-31.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"zsh-html-5.0.2-31.17.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zsh / zsh-debuginfo / zsh-html\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:44:50", "bulletinFamily": "scanner", "description": "According to the versions of the zsh package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072)\n\n - zsh: Stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071)\n\n - zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-28T00:00:00", "id": "EULEROS_SA-2018-1424.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119913", "published": "2018-12-28T00:00:00", "title": "EulerOS 2.0 SP2 : zsh (EulerOS-SA-2018-1424)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119913);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/12/28 10:10:33\");\n\n script_cve_id(\n \"CVE-2014-10072\",\n \"CVE-2018-1071\",\n \"CVE-2018-1100\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : zsh (EulerOS-SA-2018-1424)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the zsh package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - zsh: buffer overflow when scanning very long directory\n paths for symbolic links (CVE-2014-10072)\n\n - zsh: Stack-based buffer overflow in exec.c:hashcmd()\n (CVE-2018-1071)\n\n - zsh: buffer overflow in utils.c:checkmailpath() can\n lead to local arbitrary code execution (CVE-2018-1100)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1424\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?46630d9a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected zsh packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:zsh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"zsh-5.0.2-31.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zsh\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2018-12-11T21:41:46", "bulletinFamily": "unix", "description": "The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more.\n\nSecurity Fix(es):\n\n* zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083)\n\n* zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072)\n\n* zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n* zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nThe CVE-2018-1083 and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.10 Release Notes and Red Hat Enterprise Linux 6.10 Technical Notes linked from the References section.", "modified": "2018-06-19T08:01:12", "published": "2018-06-19T06:12:48", "id": "RHSA-2018:1932", "href": "https://access.redhat.com/errata/RHSA-2018:1932", "type": "redhat", "title": "(RHSA-2018:1932) Moderate: zsh security update", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-12-11T21:41:05", "bulletinFamily": "unix", "description": "The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more.\n\nSecurity Fix(es):\n\n* zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083)\n\n* zsh: buffer overflow for very long fds in >& fd syntax (CVE-2014-10071)\n\n* zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072)\n\n* zsh: NULL dereference in cd in sh compatibility mode under given circumstances (CVE-2017-18205)\n\n* zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n* zsh: Stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071)\n\n* zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100)\n\n* zsh: crash on copying empty hash table (CVE-2018-7549)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nThe CVE-2018-1083, CVE-2018-1071, and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.", "modified": "2018-10-30T09:21:35", "published": "2018-10-30T08:16:11", "id": "RHSA-2018:3073", "href": "https://access.redhat.com/errata/RHSA-2018:3073", "type": "redhat", "title": "(RHSA-2018:3073) Moderate: zsh security and bug fix update", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "amazon": [{"lastseen": "2018-12-07T05:28:39", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nA buffer overflow flaw was found in the zsh shell symbolic link resolver. A local, unprivileged user can create a specially crafted directory path which leads to a buffer overflow in the context of the user trying to do a symbolic link resolution in the aforementioned path. If the user affected is privileged, this leads to privilege escalation.([CVE-2017-18206 __](<https://access.redhat.com/security/cve/CVE-2017-18206>))\n\nA buffer overflow flaw was found in the zsh shell auto-complete functionality. A local, unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use auto-complete to traverse the before mentioned path. If the user affected is privileged, this leads to privilege escalation.([CVE-2018-1083 __](<https://access.redhat.com/security/cve/CVE-2018-1083>))\n\nA NULL pointer dereference flaw was found in the code responsible for saving hashtables of the zsh package. An attacker could use this flaw to cause a denial of service by crashing the user shell.([CVE-2018-7549 __](<https://access.redhat.com/security/cve/CVE-2018-7549>))\n\nA NULL pointer dereference flaw was found in the code responsible for the cd builtin command of the zsh package. An attacker could use this flaw to cause a denial of service by crashing the user shell.([CVE-2017-18205 __](<https://access.redhat.com/security/cve/CVE-2017-18205>))\n\nA buffer overflow flaw was found in the zsh shell symbolic link resolver. A local, unprivileged user can create a specially crafted directory path which leads to a buffer overflow in the context of the user trying to do symbolic link resolution in the aforementioned path. An attacker could exploit this vulnerability to cause a denial of service condition on the target.([CVE-2014-10072 __](<https://access.redhat.com/security/cve/CVE-2014-10072>))\n\nA buffer overflow flaw was found in the zsh shell check path functionality. A local, unprivileged user can create a specially crafted message file, which, if used to set a custom \"you have new mail\" message, leads to code execution in the context of the user who receives the message. If the user affected is privileged, this leads to privilege escalation.([CVE-2018-1100 __](<https://access.redhat.com/security/cve/CVE-2018-1100>))\n\nzsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd() function. A local attacker could exploit this to cause a denial of service.([CVE-2018-1071 __](<https://access.redhat.com/security/cve/CVE-2018-1071>))\n\nA buffer overflow flaw was found in the zsh shell file descriptor redirection functionality. An attacker could use this flaw to cause a denial of service by crashing the user shell.([CVE-2014-10071 __](<https://access.redhat.com/security/cve/CVE-2014-10071>))\n\n \n**Affected Packages:** \n\n\nzsh\n\n \n**Issue Correction:** \nRun _yum update zsh_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n zsh-5.0.2-31.17.amzn1.i686 \n zsh-html-5.0.2-31.17.amzn1.i686 \n zsh-debuginfo-5.0.2-31.17.amzn1.i686 \n \n src: \n zsh-5.0.2-31.17.amzn1.src \n \n x86_64: \n zsh-5.0.2-31.17.amzn1.x86_64 \n zsh-debuginfo-5.0.2-31.17.amzn1.x86_64 \n zsh-html-5.0.2-31.17.amzn1.x86_64 \n \n \n", "modified": "2018-12-07T00:44:00", "published": "2018-12-07T00:44:00", "id": "ALAS-2018-1107", "href": "https://alas.aws.amazon.com/ALAS-2018-1107.html", "title": "Medium: zsh", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "centos": [{"lastseen": "2019-04-03T05:18:39", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2018:3073\n\n\nThe zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more.\n\nSecurity Fix(es):\n\n* zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c (CVE-2018-1083)\n\n* zsh: buffer overflow for very long fds in >& fd syntax (CVE-2014-10071)\n\n* zsh: buffer overflow when scanning very long directory paths for symbolic links (CVE-2014-10072)\n\n* zsh: NULL dereference in cd in sh compatibility mode under given circumstances (CVE-2017-18205)\n\n* zsh: buffer overrun in symlinks (CVE-2017-18206)\n\n* zsh: Stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071)\n\n* zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution (CVE-2018-1100)\n\n* zsh: crash on copying empty hash table (CVE-2018-7549)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nThe CVE-2018-1083, CVE-2018-1071, and CVE-2018-1100 issues were discovered by Richard Maciel Costa (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2018-November/005742.html\n\n**Affected packages:**\nzsh\nzsh-html\n\n**Upstream details at:**\n", "modified": "2018-11-15T18:54:22", "published": "2018-11-15T18:54:22", "id": "CESA-2018:3073", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2018-November/005742.html", "title": "zsh security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2018-10-18T13:49:48", "bulletinFamily": "unix", "description": "Package : zsh\nVersion : 4.3.17-1+deb7u1\nCVE IDs : CVE-2014-10070 CVE-2014-10071 CVE-2014-10072\n CVE-2016-10714 CVE-2017-18206\n\nIt was discovered that there were multiple vulnerabilities in the\n"zsh" shell:\n\n * CVE-2014-10070: Fix a privilege-elevation issue if the\n environment has not been properly sanitized.\n\n * CVE-2014-10071: Prevent a buffer overflow for very long file\n * descriptors in the ">& fd" syntax.\n\n * CVE-2014-10072: Correct a buffer overflow when scanning very long\n directory paths for symbolic links.\n\n * CVE-2016-10714: Fix an off-by-one error that was resulting in\n undersized buffers that were intended to support PATH_MAX.\n\n * CVE-2017-18206: Fix a buffer overflow in symlink expansion.\n\n\nFor Debian 7 "Wheezy", this issue has been fixed in zsh version\n4.3.17-1+deb7u1.\n\nWe recommend that you upgrade your zsh packages.\n\n\nRegards,\n\n- -- \n ,''`.\n : :' : Chris Lamb\n `. `'` lamby@debian.org / chris-lamb.co.uk\n `-\n\n", "modified": "2018-03-09T17:01:59", "published": "2018-03-09T17:01:59", "id": "DEBIAN:DLA-1304-1:31925", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201803/msg00007.html", "title": "[SECURITY] [DLA 1304-1] zsh security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-18T13:50:22", "bulletinFamily": "unix", "description": "Package : zsh\nVersion : 4.3.17-1+deb7u2\nCVE ID : CVE-2018-1071 CVE-2018-1083\nDebian Bug : 894044 894043\n\nTwo security vulnerabilities were discovered in the Z shell.\n\nCVE-2018-1071\n Stack-based buffer overflow in the exec.c:hashcmd() function.\n A local attacker could exploit this to cause a denial of service.\n\nCVE-2018-1083\n Buffer overflow in the shell autocomplete functionality. A local\n unprivileged user can create a specially crafted directory path which\n leads to code execution in the context of the user who tries to use\n autocomplete to traverse the before mentioned path. If the user\n affected is privileged, this leads to privilege escalation.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n4.3.17-1+deb7u2.\n\nWe recommend that you upgrade your zsh packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "modified": "2018-03-31T22:19:41", "published": "2018-03-31T22:19:41", "id": "DEBIAN:DLA-1335-1:417A2", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201803/msg00038.html", "title": "[SECURITY] [DLA 1335-1] zsh security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-03-19T12:27:52", "bulletinFamily": "scanner", "description": "It was discovered that there were multiple vulnerabilities in the\n", "modified": "2019-03-18T00:00:00", "published": "2018-03-27T00:00:00", "id": "OPENVAS:1361412562310891304", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891304", "title": "Debian LTS Advisory ([SECURITY] [DLA 1304-1] zsh security update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_1304.nasl 14281 2019-03-18 14:53:48Z cfischer $\n#\n# Auto-generated from advisory DLA 1304-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891304\");\n script_version(\"$Revision: 14281 $\");\n script_cve_id(\"CVE-2014-10070\", \"CVE-2014-10071\", \"CVE-2014-10072\", \"CVE-2016-10714\", \"CVE-2017-18206\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1304-1] zsh security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:53:48 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-03-27 00:00:00 +0200 (Tue, 27 Mar 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/03/msg00007.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"zsh on Debian Linux\");\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', this issue has been fixed in zsh version\n4.3.17-1+deb7u1.\n\nWe recommend that you upgrade your zsh packages.\");\n script_tag(name:\"summary\", value:\"It was discovered that there were multiple vulnerabilities in the\n'zsh' shell:\n\n * CVE-2014-10070: Fix a privilege-elevation issue if the\nenvironment has not been properly sanitized.\n\n * CVE-2014-10071: Prevent a buffer overflow for very long file\n\n * descriptors in the '>& fd' syntax.\n\n * CVE-2014-10072: Correct a buffer overflow when scanning very long\ndirectory paths for symbolic links.\n\n * CVE-2016-10714: Fix an off-by-one error that was resulting in\nundersized buffers that were intended to support PATH_MAX.\n\n * CVE-2017-18206: Fix a buffer overflow in symlink expansion.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"zsh\", ver:\"4.3.17-1+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zsh-dbg\", ver:\"4.3.17-1+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zsh-dev\", ver:\"4.3.17-1+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zsh-doc\", ver:\"4.3.17-1+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zsh-static\", ver:\"4.3.17-1+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-23T15:03:36", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2018-04-27T00:00:00", "id": "OPENVAS:1361412562310851737", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851737", "title": "SuSE Update for zsh openSUSE-SU-2018:1093-1 (zsh)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2018_1093_1.nasl 12497 2018-11-23 08:28:21Z cfischer $\n#\n# SuSE Update for zsh openSUSE-SU-2018:1093-1 (zsh)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851737\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-27 05:24:59 +0200 (Fri, 27 Apr 2018)\");\n script_cve_id(\"CVE-2014-10070\", \"CVE-2014-10071\", \"CVE-2014-10072\", \"CVE-2016-10714\",\n \"CVE-2017-18205\", \"CVE-2017-18206\", \"CVE-2018-1071\", \"CVE-2018-1083\",\n \"CVE-2018-7549\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for zsh openSUSE-SU-2018:1093-1 (zsh)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'zsh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"This update for zsh fixes the following issues:\n\n - CVE-2014-10070: environment variable injection could lead to local\n privilege escalation (bnc#1082885)\n\n - CVE-2014-10071: buffer overflow in exec.c could lead to denial of\n service. (bnc#1082977)\n\n - CVE-2014-10072: buffer overflow In utils.c when scanning very long\n directory paths for symbolic links. (bnc#1082975)\n\n - CVE-2016-10714: In zsh before 5.3, an off-by-one error resulted in\n undersized buffers that were intended to support PATH_MAX characters.\n (bnc#1083250)\n\n - CVE-2017-18205: In builtin.c when sh compatibility mode is used, a NULL\n pointer dereference could lead to denial of service (bnc#1082998)\n\n - CVE-2018-1071: exec.c:hashcmd() function vulnerability could lead to\n denial of service. (bnc#1084656)\n\n - CVE-2018-1083: Autocomplete vulnerability could lead to privilege\n escalation. (bnc#1087026)\n\n - CVE-2018-7549: In params.c in zsh through 5.4.2, there is a crash during\n a copy of an empty hash table, as demonstrated by typeset -p.\n (bnc#1082991)\n\n - CVE-2017-18206: buffer overrun in xsymlinks could lead to denial of\n service (bnc#1083002)\n\n - Autocomplete and REPORTTIME broken (bsc#896914)\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2018-399=1\");\n script_tag(name:\"affected\", value:\"zsh on openSUSE Leap 42.3\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:1093_1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2018-04/msg00073.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSELeap42.3\")\n{\n\n if ((res = isrpmvuln(pkg:\"zsh\", rpm:\"zsh~5.0.5~9.3.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"zsh-debuginfo\", rpm:\"zsh-debuginfo~5.0.5~9.3.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"zsh-debugsource\", rpm:\"zsh-debugsource~5.0.5~9.3.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"zsh-htmldoc\", rpm:\"zsh-htmldoc~5.0.5~9.3.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-23T15:03:32", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310852027", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852027", "title": "SuSE Update for zsh openSUSE-SU-2018:1893-1 (zsh)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2018_1893_1.nasl 12497 2018-11-23 08:28:21Z cfischer $\n#\n# SuSE Update for zsh openSUSE-SU-2018:1893-1 (zsh)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852027\");\n script_version(\"$Revision: 12497 $\");\n script_cve_id(\"CVE-2018-1071\", \"CVE-2018-1083\", \"CVE-2018-1100\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-26 06:35:28 +0200 (Fri, 26 Oct 2018)\");\n script_name(\"SuSE Update for zsh openSUSE-SU-2018:1893-1 (zsh)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:1893_1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2018-07/msg00000.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'zsh'\n package(s) announced via the openSUSE-SU-2018:1893_1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for zsh to version 5.5 fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2018-1100: Fixes a buffer overflow in utils.c:checkmailpath() that\n can lead to local arbitrary code execution (bsc#1089030)\n\n - CVE-2018-1071: Fixed a stack-based buffer overflow in exec.c:hashcmd()\n (bsc#1084656)\n\n - CVE-2018-1083: Fixed a stack-based buffer overflow in\n gen_matches_files() at compctl.c (bsc#1087026)\n\n Non-security issues fixed:\n\n - The effect of the NO_INTERACTIVE_COMMENTS option extends into $(...) and\n `...` command substitutions when used on the command line.\n\n - The 'exec' and 'command' precommand modifiers, and options to them, are\n now parsed after parameter expansion.\n\n - Functions executed by ZLE widgets no longer have their standard input\n closed, but redirected from /dev/null instead.\n\n - There is an option WARN_NESTED_VAR, a companion to the existing\n WARN_CREATE_GLOBAL that causes a warning if a function updates a\n variable from an enclosing scope without using typeset -g.\n\n - zmodload now has an option -s to be silent on a failure to find a module\n but still print other errors.\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2018-699=1\");\n\n script_tag(name:\"affected\", value:\"zsh on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"openSUSELeap15.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"zsh\", rpm:\"zsh~5.5~lp150.2.3.1\", rls:\"openSUSELeap15.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"zsh-debuginfo\", rpm:\"zsh-debuginfo~5.5~lp150.2.3.1\", rls:\"openSUSELeap15.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"zsh-debugsource\", rpm:\"zsh-debugsource~5.5~lp150.2.3.1\", rls:\"openSUSELeap15.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"zsh-htmldoc\", rpm:\"zsh-htmldoc~5.5~lp150.2.3.1\", rls:\"openSUSELeap15.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-18T14:23:18", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-05-06T00:00:00", "id": "OPENVAS:1361412562310874417", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874417", "title": "Fedora Update for zsh FEDORA-2018-ac1d9c2777", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_ac1d9c2777_zsh_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for zsh FEDORA-2018-ac1d9c2777\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874417\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-06 05:45:03 +0200 (Sun, 06 May 2018)\");\n script_cve_id(\"CVE-2018-1100\", \"CVE-2018-1083\", \"CVE-2018-1071\", \"CVE-2018-7549\",\n \"CVE-2018-7548\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for zsh FEDORA-2018-ac1d9c2777\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'zsh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"zsh on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-ac1d9c2777\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FG2P7HVEUA4US3FX5XFHINOCK5AKLJL4\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"zsh\", rpm:\"zsh~5.4.1~3.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-23T15:03:23", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2018-10-03T00:00:00", "id": "OPENVAS:1361412562310851921", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851921", "title": "SuSE Update for zsh openSUSE-SU-2018:2966-1 (zsh)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2018_2966_1.nasl 12497 2018-11-23 08:28:21Z cfischer $\n#\n# SuSE Update for zsh openSUSE-SU-2018:2966-1 (zsh)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851921\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-03 08:06:44 +0200 (Wed, 03 Oct 2018)\");\n script_cve_id(\"CVE-2018-0502\", \"CVE-2018-1071\", \"CVE-2018-1083\", \"CVE-2018-1100\", \"CVE-2018-13259\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for zsh openSUSE-SU-2018:2966-1 (zsh)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'zsh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"This update for zsh to version 5.6.2 fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2018-0502: The beginning of a #! script file was mishandled,\n potentially leading to an execve call to a program named on the second\n line (bsc#1107296)\n\n - CVE-2018-13259: Shebang lines exceeding 64 characters were truncated,\n potentially leading to an execve call to a program name that is a\n substring of the intended one (bsc#1107294)\n\n - CVE-2018-1100: Prevent stack-based buffer overflow in the\n utils.c:checkmailpath function that allowed local attackers to execute\n arbitrary code in the context of another user (bsc#1089030).\n\n - CVE-2018-1071: Prevent stack-based buffer overflow in the\n exec.c:hashcmd() function that allowed local attackers to cause a denial\n of service (bsc#1084656).\n\n - CVE-2018-1083: Prevent buffer overflow in the shell autocomplete\n functionality that allowed local unprivileged users to create a\n specially crafted directory path which lead to code execution in the\n context of the user who tries to use autocomplete to traverse the\n mentioned path (bsc#1087026).\n\n - Disallow evaluation of the initial values of integer variables imported\n from the environment\n\n These non-security issues were fixed:\n\n - Fixed that the signal SIGWINCH was being ignored when zsh is not in the\n foreground.\n\n - Fixed two regressions with pipelines getting backgrounded and emitting\n the signal SIGTTOU\n\n - The effect of the NO_INTERACTIVE_COMMENTS option extends into $(...) and\n `...` command substitutions when used on the command line.\n\n - The 'exec' and 'command' precommand modifiers, and options to them, are\n now parsed after parameter expansion.\n\n - Functions executed by ZLE widgets no longer have their standard input\n closed, but redirected from /dev/null instead.\n\n - There is an option WARN_NESTED_VAR, a companion to the existing\n WARN_CREATE_GLOBAL that causes a warning if a function updates a\n variable from an enclosing scope without using typeset -g.\n\n - zmodload now has an option -s to be silent on a failure to find a module\n but still print other errors.\n\n - Fix typo in chflags completion\n\n - Fixed invalid git commands completion\n\n - VCS info system: vcs_info git: Avoid a fork.\n\n - Fix handling of 'printf -' and 'printf --'\n\n - fix broken completion for filterdiff (boo#1019130)\n\n - Unicode9 support, this needs support from your terminal to work\n correctly.\n\n - The new word modifier ':P' computes the physical path of the argument.\n\n - The output of 'typeset -p' uses 'export' commands or the '-g'\n option for parameters that are not local to the cu ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"zsh on openSUSE Leap 42.3\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:2966_1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00001.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSELeap42.3\")\n{\n\n if ((res = isrpmvuln(pkg:\"zsh\", rpm:\"zsh~5.6.2~9.6.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"zsh-debuginfo\", rpm:\"zsh-debuginfo~5.6.2~9.6.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"zsh-debugsource\", rpm:\"zsh-debugsource~5.6.2~9.6.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"zsh-htmldoc\", rpm:\"zsh-htmldoc~5.6.2~9.6.1\", rls:\"openSUSELeap42.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-03-19T12:26:21", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310843682", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843682", "title": "Ubuntu Update for zsh USN-3593-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3593_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for zsh USN-3593-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843682\");\n script_version(\"$Revision: 14288 $\");\n script_cve_id(\"CVE-2014-10070\", \"CVE-2014-10071\", \"CVE-2014-10072\", \"CVE-2016-10714\", \"CVE-2017-18205\", \"CVE-2017-18206\", \"CVE-2018-7548\", \"CVE-2018-7549\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-26 06:06:19 +0200 (Fri, 26 Oct 2018)\");\n script_name(\"Ubuntu Update for zsh USN-3593-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.10|16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"3593-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3593-1/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'zsh'\n package(s) announced via the USN-3593-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that Zsh incorrectly handled certain environment\nvariables. An attacker could possibly use this issue to gain privileged\naccess to the system. This issue only affected Ubuntu 14.04 LTS.\n(CVE-2014-10070)\n\nIt was discovered that Zsh incorrectly handled certain inputs.\nAn attacker could possibly use this to execute arbitrary code. This\nissue only affected Ubuntu 14.04 LTS. (CVE-2014-10071)\n\nIt was discovered that Zsh incorrectly handled some symbolic links.\nAn attacker could possibly use this to execute arbitrary code. This\nissue only affected Ubuntu 14.04 LTS. (CVE-2014-10072)\n\nIt was discovered that Zsh incorrectly handled certain errors. An\nattacker could possibly use this issue to cause a denial of service.\n(CVE-2016-10714)\n\nIt was discovered that Zsh incorrectly handled certain commands. An\nattacker could possibly use this to execute arbitrary code.\n(CVE-2017-18205)\n\nIt was discovered that Zsh incorrectly handled certain symlinks. An\nattacker could possibly use this to execute arbitrary code. This issue\nonly affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-18206)\n\nIt was discovered that Zsh incorrectly handled certain inputs. An\nattacker could possible use to execute arbitrary code. This issue only\naffected Ubuntu 17.10. (CVE-2018-7548)\n\nIt was discovered that Zsh incorrectly handled certain inputs. An\nattacker could possibly use this to cause a denial of service.\n(CVE-2018-7549)\");\n\n script_tag(name:\"affected\", value:\"zsh on Ubuntu 17.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"zsh\", ver:\"5.0.2-3ubuntu6.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"zsh\", ver:\"5.2-5ubuntu1.1\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"zsh\", ver:\"5.1.1-1ubuntu2.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-03-18T14:23:13", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-09-15T00:00:00", "id": "OPENVAS:1361412562310875073", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875073", "title": "Fedora Update for zsh FEDORA-2018-8b1b2373b4", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_8b1b2373b4_zsh_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for zsh FEDORA-2018-8b1b2373b4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875073\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-09-15 07:42:47 +0200 (Sat, 15 Sep 2018)\");\n script_cve_id(\"CVE-2018-0502\", \"CVE-2018-13259\", \"CVE-2018-1100\", \"CVE-2018-1083\",\n \"CVE-2018-1071\", \"CVE-2018-7549\", \"CVE-2018-7548\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for zsh FEDORA-2018-8b1b2373b4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'zsh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n script_tag(name:\"affected\", value:\"zsh on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-8b1b2373b4\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/64LPWLVV3QWLOO2TDCVFNWSCDKA323PW\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"zsh\", rpm:\"zsh~5.4.1~4.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-03-19T12:27:19", "bulletinFamily": "scanner", "description": "Two security vulnerabilities were discovered in the Z shell.\n\nCVE-2018-1071\nStack-based buffer overflow in the exec.c:hashcmd() function.\nA local attacker could exploit this to cause a denial of service.\n\nCVE-2018-1083\nBuffer overflow in the shell autocomplete functionality. A local\nunprivileged user can create a specially crafted directory path which\nleads to code execution in the context of the user who tries to use\nautocomplete to traverse the before mentioned path. If the user\naffected is privileged, this leads to privilege escalation.", "modified": "2019-03-18T00:00:00", "published": "2018-04-02T00:00:00", "id": "OPENVAS:1361412562310891335", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891335", "title": "Debian LTS Advisory ([SECURITY] [DLA 1335-1] zsh security update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_1335.nasl 14281 2019-03-18 14:53:48Z cfischer $\n#\n# Auto-generated from advisory DLA 1335-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891335\");\n script_version(\"$Revision: 14281 $\");\n script_cve_id(\"CVE-2018-1071\", \"CVE-2018-1083\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1335-1] zsh security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:53:48 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-02 00:00:00 +0200 (Mon, 02 Apr 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/03/msg00038.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"zsh on Debian Linux\");\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n4.3.17-1+deb7u2.\n\nWe recommend that you upgrade your zsh packages.\");\n script_tag(name:\"summary\", value:\"Two security vulnerabilities were discovered in the Z shell.\n\nCVE-2018-1071\nStack-based buffer overflow in the exec.c:hashcmd() function.\nA local attacker could exploit this to cause a denial of service.\n\nCVE-2018-1083\nBuffer overflow in the shell autocomplete functionality. A local\nunprivileged user can create a specially crafted directory path which\nleads to code execution in the context of the user who tries to use\nautocomplete to traverse the before mentioned path. If the user\naffected is privileged, this leads to privilege escalation.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"zsh\", ver:\"4.3.17-1+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zsh-dbg\", ver:\"4.3.17-1+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zsh-dev\", ver:\"4.3.17-1+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zsh-doc\", ver:\"4.3.17-1+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"zsh-static\", ver:\"4.3.17-1+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-19T12:26:10", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310843689", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843689", "title": "Ubuntu Update for zsh USN-3608-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3608_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for zsh USN-3608-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843689\");\n script_version(\"$Revision: 14288 $\");\n script_cve_id(\"CVE-2018-1071\", \"CVE-2018-1083\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-26 06:07:09 +0200 (Fri, 26 Oct 2018)\");\n script_name(\"Ubuntu Update for zsh USN-3608-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.10|16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"3608-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3608-1/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'zsh'\n package(s) announced via the USN-3608-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Richard Maciel Costa discovered that Zsh incorrectly handled certain\ninputs. An attacker could possibly use this to cause a denial of\nservice. (CVE-2018-1071)\n\nIt was discovered that Zsh incorrectly handled certain files. An\nattacker could possibly use this to execute arbitrary code.\n(CVE-2018-1083)\");\n\n script_tag(name:\"affected\", value:\"zsh on Ubuntu 17.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"zsh\", ver:\"5.0.2-3ubuntu6.2\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"zsh\", ver:\"5.2-5ubuntu1.2\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"zsh\", ver:\"5.1.1-1ubuntu2.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-18T14:23:39", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-03-21T00:00:00", "id": "OPENVAS:1361412562310874260", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874260", "title": "Fedora Update for zsh FEDORA-2018-9cdf18a850", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_9cdf18a850_zsh_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for zsh FEDORA-2018-9cdf18a850\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874260\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-03-21 15:11:41 +0100 (Wed, 21 Mar 2018)\");\n script_cve_id(\"CVE-2018-7549\", \"CVE-2018-7548\", \"CVE-2017-18206\", \"CVE-2017-18205\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for zsh FEDORA-2018-9cdf18a850\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'zsh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"zsh on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-9cdf18a850\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUNBDW6WRGRSRQMK3KEMPX2RHYIILNRV\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"zsh\", rpm:\"zsh~5.3.1~7.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2018-04-27T01:37:58", "bulletinFamily": "unix", "description": "This update for zsh fixes the following issues:\n\n - CVE-2014-10070: environment variable injection could lead to local\n privilege escalation (bnc#1082885)\n - CVE-2014-10071: buffer overflow in exec.c could lead to denial of\n service. (bnc#1082977)\n - CVE-2014-10072: buffer overflow In utils.c when scanning very long\n directory paths for symbolic links. (bnc#1082975)\n - CVE-2016-10714: In zsh before 5.3, an off-by-one error resulted in\n undersized buffers that were intended to support PATH_MAX characters.\n (bnc#1083250)\n - CVE-2017-18205: In builtin.c when sh compatibility mode is used, a NULL\n pointer dereference could lead to denial of service (bnc#1082998)\n - CVE-2018-1071: exec.c:hashcmd() function vulnerability could lead to\n denial of service. (bnc#1084656)\n - CVE-2018-1083: Autocomplete vulnerability could lead to privilege\n escalation. (bnc#1087026)\n - CVE-2018-7549: In params.c in zsh through 5.4.2, there is a crash during\n a copy of an empty hash table, as demonstrated by typeset -p.\n (bnc#1082991)\n - CVE-2017-18206: buffer overrun in xsymlinks could lead to denial of\n service (bnc#1083002)\n - Autocomplete and REPORTTIME broken (bsc#896914)\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n", "modified": "2018-04-27T00:07:15", "published": "2018-04-27T00:07:15", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-04/msg00073.html", "id": "OPENSUSE-SU-2018:1093-1", "title": "Security update for zsh (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-25T19:36:39", "bulletinFamily": "unix", "description": "This update for zsh fixes the following issues:\n\n - CVE-2014-10070: environment variable injection could lead to local\n privilege escalation (bnc#1082885)\n\n - CVE-2014-10071: buffer overflow in exec.c could lead to denial of\n service. (bnc#1082977)\n\n - CVE-2014-10072: buffer overflow In utils.c when scanning very long\n directory paths for symbolic links. (bnc#1082975)\n\n - CVE-2016-10714: In zsh before 5.3, an off-by-one error resulted in\n undersized buffers that were intended to support PATH_MAX characters.\n (bnc#1083250)\n\n - CVE-2017-18205: In builtin.c when sh compatibility mode is used, a\n NULL pointer dereference could lead to denial of service (bnc#1082998)\n\n - CVE-2018-1071: exec.c:hashcmd() function vulnerability could lead to\n denial of service. (bnc#1084656)\n\n - CVE-2018-1083: Autocomplete vulnerability could lead to privilege\n escalation. (bnc#1087026)\n\n - CVE-2018-7549: In params.c in zsh through 5.4.2, there is a crash\n during a copy of an empty hash table, as demonstrated by typeset -p.\n (bnc#1082991)\n\n - CVE-2017-18206: buffer overrun in xsymlinks could lead to denial of\n service (bnc#1083002)\n\n - Autocomplete and REPORTTIME broken (bsc#896914)\n\n", "modified": "2018-04-25T18:07:15", "published": "2018-04-25T18:07:15", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-04/msg00070.html", "id": "SUSE-SU-2018:1072-1", "title": "Security update for zsh (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-07-06T01:46:30", "bulletinFamily": "unix", "description": "This update for zsh to version 5.5 fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2018-1100: Fixes a buffer overflow in utils.c:checkmailpath() that\n can lead to local arbitrary code execution (bsc#1089030)\n - CVE-2018-1071: Fixed a stack-based buffer overflow in exec.c:hashcmd()\n (bsc#1084656)\n - CVE-2018-1083: Fixed a stack-based buffer overflow in\n gen_matches_files() at compctl.c (bsc#1087026)\n\n Non-security issues fixed:\n\n - The effect of the NO_INTERACTIVE_COMMENTS option extends into $(...) and\n `...` command substitutions when used on the command line.\n - The 'exec' and 'command' precommand modifiers, and options to them, are\n now parsed after parameter expansion.\n - Functions executed by ZLE widgets no longer have their standard input\n closed, but redirected from /dev/null instead.\n - There is an option WARN_NESTED_VAR, a companion to the existing\n WARN_CREATE_GLOBAL that causes a warning if a function updates a\n variable from an enclosing scope without using typeset -g.\n - zmodload now has an option -s to be silent on a failure to find a module\n but still print other errors.\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "modified": "2018-07-06T00:07:46", "published": "2018-07-06T00:07:46", "id": "OPENSUSE-SU-2018:1893-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-07/msg00000.html", "title": "Security update for zsh (moderate)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-02T14:23:14", "bulletinFamily": "unix", "description": "This update for zsh to version 5.6.2 fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2018-0502: The beginning of a #! script file was mishandled,\n potentially leading to an execve call to a program named on the second\n line (bsc#1107296)\n - CVE-2018-13259: Shebang lines exceeding 64 characters were truncated,\n potentially leading to an execve call to a program name that is a\n substring of the intended one (bsc#1107294)\n - CVE-2018-1100: Prevent stack-based buffer overflow in the\n utils.c:checkmailpath function that allowed local attackers to execute\n arbitrary code in the context of another user (bsc#1089030).\n - CVE-2018-1071: Prevent stack-based buffer overflow in the\n exec.c:hashcmd() function that allowed local attackers to cause a denial\n of service (bsc#1084656).\n - CVE-2018-1083: Prevent buffer overflow in the shell autocomplete\n functionality that allowed local unprivileged users to create a\n specially crafted directory path which lead to code execution in the\n context of the user who tries to use autocomplete to traverse the\n mentioned path (bsc#1087026).\n - Disallow evaluation of the initial values of integer variables imported\n from the environment\n\n These non-security issues were fixed:\n\n - Fixed that the signal SIGWINCH was being ignored when zsh is not in the\n foreground.\n - Fixed two regressions with pipelines getting backgrounded and emitting\n the signal SIGTTOU\n - The effect of the NO_INTERACTIVE_COMMENTS option extends into $(...) and\n `...` command substitutions when used on the command line.\n - The 'exec' and 'command' precommand modifiers, and options to them, are\n now parsed after parameter expansion.\n - Functions executed by ZLE widgets no longer have their standard input\n closed, but redirected from /dev/null instead.\n - There is an option WARN_NESTED_VAR, a companion to the existing\n WARN_CREATE_GLOBAL that causes a warning if a function updates a\n variable from an enclosing scope without using typeset -g.\n - zmodload now has an option -s to be silent on a failure to find a module\n but still print other errors.\n - Fix typo in chflags completion\n - Fixed invalid git commands completion\n - VCS info system: vcs_info git: Avoid a fork.\n - Fix handling of "printf -" and "printf --"\n - fix broken completion for filterdiff (boo#1019130)\n - Unicode9 support, this needs support from your terminal to work\n correctly.\n - The new word modifier ':P' computes the physical path of the argument.\n - The output of "typeset -p" uses "export" commands or the "-g"\n option for parameters that are not local to the current scope.\n - vi-repeat-change can repeat user-defined widgets if the widget calls zle\n -f vichange.\n - The parameter $registers now makes the contents of vi register buffers\n available to user-defined widgets.\n - New vi-up-case and vi-down-case builtin widgets bound to gU/gu (or U/u\n in visual mode) for doing case conversion.\n - A new select-word-match function provides vim-style text objects with\n configurable word boundaries using the existing match-words-by-style\n mechanism.\n - Support for the conditional expression [[ -v var ]] to test if a\n variable is set for compatibility with other shells.\n - The print and printf builtins have a new option -v to assign the\n output to a variable.\n - New x: syntax in completion match specifications make it possible to\n disable match specifications hardcoded in completion functions.\n - Re-add custom zshrc and zshenv to unbreak compatibility with old usage\n (boo#998858).\n - Read /etc/profile as zsh again.\n - The new module zsh/param/private can be loaded to allow the shell to\n define parameters that are private to a function scope (i.e. are not\n propagated to nested functions called within this function).\n - The GLOB_STAR_SHORT option allows the pattern **/* to be shortened to\n just ** if no / follows. so **.c searches recursively for a file whose\n name has the suffix ".c".\n - The effect of the WARN_CREATE_GLOBAL option has been significantly\n extended, so expect it to cause additional warning messages about\n parameters created globally within function scope.\n - The print builtin has new options -x and -X to expand tabs.\n - Several new command completions and numerous updates to others.\n - Options to "fc" to segregate internal and shared history.\n - All emulations including "sh" use multibyte by default; several repairs\n to multibyte handling.\n - ZLE supports "bracketed paste" mode to avoid interpreting pasted\n newlines as accept-line. Pastes can be highlighted for visibility and\n to make it more obvious whether accept-line has occurred.\n - Improved (though still not perfect) POSIX compatibility for getopts\n builtin when POSIX_BUILTINS is set.\n - New setopt APPEND_CREATE for POSIX-compatible NO_CLOBBER behavior.\n - Completion of date values now displays in a calendar format when the\n complist module is available. Controllable by zstyle.\n - New parameter UNDO_LIMIT_NO for more control over ZLE undo repeat.\n - Several repairs/improvements to the contributed narrow-to-region ZLE\n function.\n - Many changes to child-process and signal handling to eliminate race\n conditions and avoid deadlocks on descriptor and memory management.\n - New builtin sysopen in zsh/system module for detailed control of file\n descriptor modes.\n - Fix a printf regression boo#934175\n - Global aliases can be created for syntactic tokens such as command\n separators (";", "&", "|", "&&", "||"), redirection operators, etc.\n - There have been various further improvements to builtin handling with\n the POSIX_BUILTINS option (off by default) for compatibility with the\n POSIX standard.\n - 'whence -v' is now more informative, and 'whence -S' shows you how a\n full chain of symbolic links resolves to a command.\n - The 'p' parameter flag now allows an argument to be specified as a\n reference to a variable, e.g. ${(ps.$sep.)foo} to split $foo\n on a string given by $sep.\n - The option FORCE_FLOAT now forces variables, not just constants, to\n floating point in arithmetic expressions.\n - The type of an assignment in arithmetic expressions, e.g. the type seen\n by the variable res in $(( res = a = b )), is now more logical and\n C-like.\n - The default binding of 'u' in vi command mode has changed to undo\n multiple changes when invoked repeatedly. '^R' is now bound to redo\n changes. To revert to toggling of the last edit use: bindkey -a u\n vi-undo-change\n - Compatibility with Vim has been improved for vi editing mode. Most\n notably, Vim style text objects are supported and the region can be\n manipulated with vi commands in the same manner as Vim's visual mode.\n - Elements of the watch variable may now be patterns.\n - The logic for retrying history locking has been improved.\n - Fix openSUSE versions in osc completion\n - Add back rpm completion file (boo#900424)\n\n", "modified": "2018-10-02T12:07:57", "published": "2018-10-02T12:07:57", "id": "OPENSUSE-SU-2018:2966-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00001.html", "title": "Security update for zsh (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2018-05-28T01:37:21", "bulletinFamily": "unix", "description": "### Background\n\nA shell designed for interactive use, although it is also a powerful scripting language. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Zsh. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA local attacker could execute arbitrary code, escalate privileges, or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Zsh users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-shells/zsh-5.5\"", "modified": "2018-05-26T00:00:00", "published": "2018-05-26T00:00:00", "id": "GLSA-201805-10", "href": "https://security.gentoo.org/glsa/201805-10", "title": "Zsh: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "slackware": [{"lastseen": "2019-01-14T09:41:41", "bulletinFamily": "unix", "description": "New zsh packages are available for Slackware 14.0, 14.1, and 14.2 to\nfix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/zsh-5.6.2-i586-1_slack14.2.txz: Upgraded.\n This release fixes security issues, including ones that could allow a local\n attacker to execute arbitrary code.\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18205\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18206\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1071\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1083\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1100\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7548\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7549\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/zsh-5.6.2-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/zsh-5.6.2-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/zsh-5.6.2-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/zsh-5.6.2-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/zsh-5.6.2-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/zsh-5.6.2-x86_64-1_slack14.2.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 package:\neee31011db16ee065279399d58de4c2b zsh-5.6.2-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n766df0eb186d95362a78ae523b83f7d2 zsh-5.6.2-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n7c376a74372346613fa58296b5a43158 zsh-5.6.2-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n80cee93fdaa1d7d526c2056b0c374ba5 zsh-5.6.2-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\n01e67f2f735ffb022890a1adb8318b6b zsh-5.6.2-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n5e5676c283d4267057eeef2a573dae00 zsh-5.6.2-x86_64-1_slack14.2.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg zsh-5.6.2-i586-1_slack14.2.txz", "modified": "2019-01-13T20:33:07", "published": "2019-01-13T20:33:07", "id": "SSA-2019-013-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.407621", "title": "zsh", "type": "slackware", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:09:41", "bulletinFamily": "unix", "description": "It was discovered that Zsh incorrectly handled certain enviroment variables. An attacker could possibly use this issue to gain privileged access to the system. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-10070)\n\nIt was discovered that Zsh incorrectly handled certain inputs. An attacker could possibly use this to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-10071)\n\nIt was discovered that Zsh incorrectly handled some symbolic links. An attacker could possibly use this to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-10072)\n\nIt was discovered that Zsh incorrectly handled certain errors. An attacker could possibly use this issue to cause a denial of service. (CVE-2016-10714)\n\nIt was discovered that Zsh incorrectly handled certain commands. An attacker could possibly use this to execute arbitrary code. (CVE-2017-18205)\n\nIt was discovered that Zsh incorrectly handled certain symlinks. An attacker could possibly use this to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-18206)\n\nIt was discovered that Zsh incorrectly handled certain inputs. An attacker could possible use to execute arbitrary code. This issue only affected Ubuntu 17.10. (CVE-2018-7548)\n\nIt was discovered that Zsh incorrectly handled certain inputs. An attacker could possibly use this to cause a denial of service. (CVE-2018-7549)", "modified": "2018-03-08T00:00:00", "published": "2018-03-08T00:00:00", "id": "USN-3593-1", "href": "https://usn.ubuntu.com/3593-1/", "title": "Zsh vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:09:43", "bulletinFamily": "unix", "description": "Richard Maciel Costa discovered that Zsh incorrectly handled certain inputs. An attacker could possibly use this to cause a denial of service. (CVE-2018-1071)\n\nIt was discovered that Zsh incorrectly handled certain files. An attacker could possibly use this to execute arbitrary code. (CVE-2018-1083)", "modified": "2018-03-27T00:00:00", "published": "2018-03-27T00:00:00", "id": "USN-3608-1", "href": "https://usn.ubuntu.com/3608-1/", "title": "Zsh vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-30T12:06:29", "bulletinFamily": "unix", "description": "It was discovered that Zsh incorrectly handled certain scripts. An attacker could possibly use this issue to execute arbitrary code. (CVE-2018-0502, CVE-2018-13259)\n\nRichard Maciel Costa discovered that Zsh incorrectly handled certain scripts. An attacker could possibly use this issue to execute arbitrary code. (CVE-2018-1100)", "modified": "2018-09-11T00:00:00", "published": "2018-09-11T00:00:00", "id": "USN-3764-1", "href": "https://usn.ubuntu.com/3764-1/", "title": "Zsh vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
