SUSE 5153 Published by

Updated zsh packages has been released for openSUSE Leap 42.3 to fix five vulnerabilities



openSUSE Security Update: Security update for zsh
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2966-1
Rating: important
References: #1019130 #1084656 #1087026 #1089030 #1107294
#1107296 #900424 #934175 #998858
Cross-References: CVE-2018-0502 CVE-2018-1071 CVE-2018-1083
CVE-2018-1100 CVE-2018-13259
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves 5 vulnerabilities and has four fixes
is now available.

Description:

This update for zsh to version 5.6.2 fixes the following issues:

These security issues were fixed:

- CVE-2018-0502: The beginning of a #! script file was mishandled,
potentially leading to an execve call to a program named on the second
line (bsc#1107296)
- CVE-2018-13259: Shebang lines exceeding 64 characters were truncated,
potentially leading to an execve call to a program name that is a
substring of the intended one (bsc#1107294)
- CVE-2018-1100: Prevent stack-based buffer overflow in the
utils.c:checkmailpath function that allowed local attackers to execute
arbitrary code in the context of another user (bsc#1089030).
- CVE-2018-1071: Prevent stack-based buffer overflow in the
exec.c:hashcmd() function that allowed local attackers to cause a denial
of service (bsc#1084656).
- CVE-2018-1083: Prevent buffer overflow in the shell autocomplete
functionality that allowed local unprivileged users to create a
specially crafted directory path which lead to code execution in the
context of the user who tries to use autocomplete to traverse the
mentioned path (bsc#1087026).
- Disallow evaluation of the initial values of integer variables imported
from the environment

These non-security issues were fixed:

- Fixed that the signal SIGWINCH was being ignored when zsh is not in the
foreground.
- Fixed two regressions with pipelines getting backgrounded and emitting
the signal SIGTTOU
- The effect of the NO_INTERACTIVE_COMMENTS option extends into $(...) and
`...` command substitutions when used on the command line.
- The 'exec' and 'command' precommand modifiers, and options to them, are
now parsed after parameter expansion.
- Functions executed by ZLE widgets no longer have their standard input
closed, but redirected from /dev/null instead.
- There is an option WARN_NESTED_VAR, a companion to the existing
WARN_CREATE_GLOBAL that causes a warning if a function updates a
variable from an enclosing scope without using typeset -g.
- zmodload now has an option -s to be silent on a failure to find a module
but still print other errors.
- Fix typo in chflags completion
- Fixed invalid git commands completion
- VCS info system: vcs_info git: Avoid a fork.
- Fix handling of "printf -" and "printf --"
- fix broken completion for filterdiff (boo#1019130)
- Unicode9 support, this needs support from your terminal to work
correctly.
- The new word modifier ':P' computes the physical path of the argument.
- The output of "typeset -p" uses "export" commands or the "-g"
option for parameters that are not local to the current scope.
- vi-repeat-change can repeat user-defined widgets if the widget calls zle
-f vichange.
- The parameter $registers now makes the contents of vi register buffers
available to user-defined widgets.
- New vi-up-case and vi-down-case builtin widgets bound to gU/gu (or U/u
in visual mode) for doing case conversion.
- A new select-word-match function provides vim-style text objects with
configurable word boundaries using the existing match-words-by-style
mechanism.
- Support for the conditional expression [[ -v var ]] to test if a
variable is set for compatibility with other shells.
- The print and printf builtins have a new option -v to assign the
output to a variable.
- New x: syntax in completion match specifications make it possible to
disable match specifications hardcoded in completion functions.
- Re-add custom zshrc and zshenv to unbreak compatibility with old usage
(boo#998858).
- Read /etc/profile as zsh again.
- The new module zsh/param/private can be loaded to allow the shell to
define parameters that are private to a function scope (i.e. are not
propagated to nested functions called within this function).
- The GLOB_STAR_SHORT option allows the pattern **/* to be shortened to
just ** if no / follows. so **.c searches recursively for a file whose
name has the suffix ".c".
- The effect of the WARN_CREATE_GLOBAL option has been significantly
extended, so expect it to cause additional warning messages about
parameters created globally within function scope.
- The print builtin has new options -x and -X to expand tabs.
- Several new command completions and numerous updates to others.
- Options to "fc" to segregate internal and shared history.
- All emulations including "sh" use multibyte by default; several repairs
to multibyte handling.
- ZLE supports "bracketed paste" mode to avoid interpreting pasted
newlines as accept-line. Pastes can be highlighted for visibility and
to make it more obvious whether accept-line has occurred.
- Improved (though still not perfect) POSIX compatibility for getopts
builtin when POSIX_BUILTINS is set.
- New setopt APPEND_CREATE for POSIX-compatible NO_CLOBBER behavior.
- Completion of date values now displays in a calendar format when the
complist module is available. Controllable by zstyle.
- New parameter UNDO_LIMIT_NO for more control over ZLE undo repeat.
- Several repairs/improvements to the contributed narrow-to-region ZLE
function.
- Many changes to child-process and signal handling to eliminate race
conditions and avoid deadlocks on descriptor and memory management.
- New builtin sysopen in zsh/system module for detailed control of file
descriptor modes.
- Fix a printf regression boo#934175
- Global aliases can be created for syntactic tokens such as command
separators (";", "&", "|", "&&", "||"), redirection operators, etc.
- There have been various further improvements to builtin handling with
the POSIX_BUILTINS option (off by default) for compatibility with the
POSIX standard.
- 'whence -v' is now more informative, and 'whence -S' shows you how a
full chain of symbolic links resolves to a command.
- The 'p' parameter flag now allows an argument to be specified as a
reference to a variable, e.g. ${(ps.$sep.)foo} to split $foo
on a string given by $sep.
- The option FORCE_FLOAT now forces variables, not just constants, to
floating point in arithmetic expressions.
- The type of an assignment in arithmetic expressions, e.g. the type seen
by the variable res in $(( res = a = b )), is now more logical and
C-like.
- The default binding of 'u' in vi command mode has changed to undo
multiple changes when invoked repeatedly. '^R' is now bound to redo
changes. To revert to toggling of the last edit use: bindkey -a u
vi-undo-change
- Compatibility with Vim has been improved for vi editing mode. Most
notably, Vim style text objects are supported and the region can be
manipulated with vi commands in the same manner as Vim's visual mode.
- Elements of the watch variable may now be patterns.
- The logic for retrying history locking has been improved.
- Fix openSUSE versions in osc completion
- Add back rpm completion file (boo#900424)


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1094=1



Package List:

- openSUSE Leap 42.3 (x86_64):

zsh-5.6.2-9.6.1
zsh-debuginfo-5.6.2-9.6.1
zsh-debugsource-5.6.2-9.6.1
zsh-htmldoc-5.6.2-9.6.1


References:

https://www.suse.com/security/cve/CVE-2018-0502.html
https://www.suse.com/security/cve/CVE-2018-1071.html
https://www.suse.com/security/cve/CVE-2018-1083.html
https://www.suse.com/security/cve/CVE-2018-1100.html
https://www.suse.com/security/cve/CVE-2018-13259.html
https://bugzilla.suse.com/1019130
https://bugzilla.suse.com/1084656
https://bugzilla.suse.com/1087026
https://bugzilla.suse.com/1089030
https://bugzilla.suse.com/1107294
https://bugzilla.suse.com/1107296
https://bugzilla.suse.com/900424
https://bugzilla.suse.com/934175
https://bugzilla.suse.com/998858

--
  Zsh Security Update for openSUSE Leap 42.3