Debian Long Term Support / LTS Security Information / 2018 / Security Information -- DLA-1304-1 zsh

Debian Security Advisory

DLA-1304-1 zsh -- LTS security update

Date Reported:

09 Mar 2018

Affected Packages:

zsh

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-10070, CVE-2014-10071, CVE-2014-10072, CVE-2016-10714, CVE-2017-18206.

More information:

It was discovered that there were multiple vulnerabilities in the zsh shell:

• CVE-2014-10070

  Fix a privilege-elevation issue if the environment has not been properly sanitized.

• CVE-2014-10071

  Prevent a buffer overflow for very long file descriptors in the >& fd syntax.

• CVE-2014-10072

  Correct a buffer overflow when scanning very long directory paths for symbolic links.

• CVE-2016-10714

  Fix an off-by-one error that was resulting in undersized buffers that were intended to support PATH_MAX.

• CVE-2017-18206

  Fix a buffer overflow in symlink expansion.

For Debian 7 Wheezy, this issue has been fixed in zsh version 4.3.17-1+deb7u1.

We recommend that you upgrade your zsh packages.