CVE-2018-1083 – zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c
https://notcve.org/view.php?id=CVE-2018-1083
Zsh before version 5.4.2-test-1 is vulnerable to a buffer overflow in the shell autocomplete functionality. A local unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use autocomplete to traverse the aforementioned path. If the user affected is privileged, this leads to privilege escalation.
References:
• http://www.securityfocus.com/bid/103572
• https://access.redhat.com/errata/RHSA-2018:1932
• https://access.redhat.com/errata/RHSA-2018:3073
• https://bugzilla.redhat.com/show_bug.cgi?id=1557382
• https://lists.debian.org/debian-lts-announce/2018/03/msg00038.html
• https://lists.debian.org/debian-lts-announce/2020/12/msg00000.html
• https://security.gentoo.org/glsa/201805-10
• https://sourceforge.net/p/zsh/code/ci/259ac472eac291c8c103c7a0d8a4eaf3c2942ed7
• https://usn.ubuntu.com/3608-1
Weaknesses:
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
• CWE-121: Stack-based Buffer Overflow
CVE-2018-1071 – zsh: Stack-based buffer overflow in exec.c:hashcmd()
https://notcve.org/view.php?id=CVE-2018-1071
zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd() function. A local attacker could exploit this to cause a denial of service.
References:
• http://www.securityfocus.com/bid/103359
• https://access.redhat.com/errata/RHSA-2018:3073
• https://bugzilla.redhat.com/show_bug.cgi?id=1553531
• https://lists.debian.org/debian-lts-announce/2018/03/msg00038.html
• https://lists.debian.org/debian-lts-announce/2020/12/msg00000.html
• https://security.gentoo.org/glsa/201805-10
• https://usn.ubuntu.com/3608-1
• https://access.redhat.com/security/cve/CVE-2018-1071
Weaknesses:
• CWE-121: Stack-based Buffer Overflow
• CWE-787: Out-of-bounds Write
CVE-2017-18206 – zsh: buffer overrun in symlinks
https://notcve.org/view.php?id=CVE-2017-18206
In utils.c in zsh before 5.4, symlink expansion had a buffer overflow. A buffer overflow flaw was found in the zsh shell symbolic link resolver. A local, unprivileged user can create a specially crafted directory path which leads to a buffer overflow in the context of the user trying to do a symbolic link resolution in the aforementioned path. If the user affected is privileged, this leads to privilege escalation.
References:
• https://access.redhat.com/errata/RHSA-2018:1932
• https://access.redhat.com/errata/RHSA-2018:3073
• https://lists.debian.org/debian-lts-announce/2020/12/msg00000.html
• https://security.gentoo.org/glsa/201805-10
• https://sourceforge.net/p/zsh/code/ci/c7a9cf465dd620ef48d586026944d9bd7a0d5d6d
• https://usn.ubuntu.com/3593-1
• https://access.redhat.com/security/cve/CVE-2017-18206
• https://bugzilla.redhat.com/show_bug.cgi?id=1549861
Weaknesses:
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-121: Stack-based Buffer Overflow
CVE-2016-10714
https://notcve.org/view.php?id=CVE-2016-10714
In zsh before 5.3, an off-by-one error resulted in undersized buffers that were intended to support PATH_MAX characters.
References:
• https://sourceforge.net/p/zsh/code/ci/a62e1640bcafbb82d86ea8d8ce057a83c4683d60
• https://usn.ubuntu.com/3593-1
Weaknesses:
• CWE-189: Numeric Errors
CVE-2014-10070
https://notcve.org/view.php?id=CVE-2014-10070
zsh before 5.0.7 allows evaluation of the initial values of integer variables imported from the environment (instead of treating them as literal numbers). That could allow local privilege escalation, under some specific and atypical conditions where zsh is being invoked in privilege-elevation contexts when the environment has not been properly sanitized, such as when zsh is invoked by sudo on systems where "env_reset" has been disabled.
References:
• http://zsh.sourceforge.net/releases.html
• https://sourceforge.net/p/zsh/code/ci/546203a770cec329e73781c3c8ab1078390aee72
• https://usn.ubuntu.com/3593-1
Weaknesses:
• CWE-264: Permissions, Privileges, and Access Controls