From ddb6c5b4c0ab9c6a7404112d367f0c7cc400ceec Mon Sep 17 00:00:00 2001

From: Anthony Sottile <asottile@umich.edu>

Date: Mon, 3 Sep 2018 14:39:25 +0000

Subject: [PATCH] CVE-2018-0502, CVE-2018-13259: Fix two security issues in

 shebang line parsing.

See NEWS for more information.

Patch by Anthony Sottile and Buck Evan.

Upstream-commit: 1c4c7b6a4d17294df028322b70c53803a402233d

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 Etc/FAQ.yo             |  2 +-

 Src/exec.c             | 36 ++++++++++++++++++++----------------

 Test/A05execution.ztst | 22 ++++++++++++++++++++++

 3 files changed, 43 insertions(+), 17 deletions(-)

diff --git a/Etc/FAQ.yo b/Etc/FAQ.yo

index 72ff7fa..8552fe7 100644

--- a/Etc/FAQ.yo

+++ b/Etc/FAQ.yo

@@ -306,7 +306,7 @@ sect(On what machines will it run?)

 sect(What's the latest version?)

-  Zsh 5.5.1 is the latest production version.  For details of all the

+  Zsh 5.6 is the latest production version.  For details of all the

   changes, see the NEWS file in the source distribution.

   A beta of the next version is sometimes available.  Development of zsh is

diff --git a/Src/exec.c b/Src/exec.c

index 216057a..0908a1a 100644

--- a/Src/exec.c

+++ b/Src/exec.c

@@ -453,7 +453,7 @@ execcursh(Estate state, int do_exec)

 /* execve after handling $_ and #! */

-#define POUNDBANGLIMIT 64

+#define POUNDBANGLIMIT 128

 /**/

 static int

@@ -494,18 +494,20 @@ zexecve(char *pth, char **argv, char **newenvp)

 	if ((fd = open(pth, O_RDONLY|O_NOCTTY)) >= 0) {

 	    argv0 = *argv;

 	    *argv = pth;

-	    execvebuf[0] = '\0';

+	    memset(execvebuf, '\0', POUNDBANGLIMIT + 1);

 	    ct = read(fd, execvebuf, POUNDBANGLIMIT);

 	    close(fd);

 	    if (ct >= 0) {

-		if (execvebuf[0] == '#') {

-		    if (execvebuf[1] == '!') {

-			for (t0 = 0; t0 != ct; t0++)

-			    if (execvebuf[t0] == '\n')

-				break;

+		if (ct >= 2 && execvebuf[0] == '#' && execvebuf[1] == '!') {

+		    for (t0 = 0; t0 != ct; t0++)

+			if (execvebuf[t0] == '\n')

+			    break;

+		    if (t0 == ct)

+			zerr("%s: bad interpreter: %s: %e", pth,

+			     execvebuf + 2, eno);

+		    else {

 			while (inblank(execvebuf[t0]))

 			    execvebuf[t0--] = '\0';

-			execvebuf[POUNDBANGLIMIT] = '\0';

 			for (ptr = execvebuf + 2; *ptr && *ptr == ' '; ptr++);

 			for (ptr2 = ptr; *ptr && *ptr != ' '; ptr++);

 			if (eno == ENOENT) {

@@ -514,10 +516,16 @@ zexecve(char *pth, char **argv, char **newenvp)

 				*ptr = '\0';

 			    if (*ptr2 != '/' &&

 				(pprog = pathprog(ptr2, NULL))) {

-				argv[-2] = ptr2;

-				argv[-1] = ptr + 1;

-				winch_unblock();

-				execve(pprog, argv - 2, newenvp);

+				if (ptr == execvebuf + t0 + 1) {

+				    argv[-1] = ptr2;

+				    winch_unblock();

+				    execve(pprog, argv - 1, newenvp);

+				} else {

+				    argv[-2] = ptr2;

+				    argv[-1] = ptr + 1;

+				    winch_unblock();

+				    execve(pprog, argv - 2, newenvp);

+				}

 			    }

 			    zerr("%s: bad interpreter: %s: %e", pth, ptr2,

 				 eno);

@@ -532,10 +540,6 @@ zexecve(char *pth, char **argv, char **newenvp)

 			    winch_unblock();

 			    execve(ptr2, argv - 1, newenvp);

 			}

-		    } else if (eno == ENOEXEC) {

-			argv[-1] = "sh";

-			winch_unblock();

-			execve("/bin/sh", argv - 1, newenvp);

 		    }

 		} else if (eno == ENOEXEC) {

 		    for (t0 = 0; t0 != ct; t0++)

diff --git a/Test/A05execution.ztst b/Test/A05execution.ztst

index 0804691..fb39d05 100644

--- a/Test/A05execution.ztst

+++ b/Test/A05execution.ztst

@@ -12,7 +12,14 @@

   print '#!/bin/sh\necho This is dir2' >dir2/tstcmd

+  print -n '#!sh\necho This is slashless' >tstcmd-slashless

+  print -n '#!echo foo\necho This is arg' >tstcmd-arg

+  print '#!xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxnyyy' >tstcmd-interp-too-long

+  print '#!/bin/sh\necho should not execute; exit 1' >xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn

+

   chmod 755 tstcmd dir1/tstcmd dir2/tstcmd

+  chmod 755 tstcmd-slashless tstcmd-arg tstcmd-interp-too-long

+  chmod 755 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn

 %test

   ./tstcmd

@@ -33,6 +40,21 @@

 0:path (2)

 >This is top

+  PATH=/bin:${ZTST_testdir}/command.tmp/ tstcmd-slashless

+0:path (3)

+>This is slashless

+

+  PATH=/bin:${ZTST_testdir}/command.tmp tstcmd-arg

+0:path (4)

+*>foo */command.tmp/tstcmd-arg

+

+  path=(/bin ${ZTST_testdir}/command.tmp/)

+  tstcmd-interp-too-long 2>&1; echo "status $?"

+  path=($storepath)

+0:path (5)

+*>*tstcmd-interp-too-long: bad interpreter: x*xn: no such file or directory

+>status 127

+

   functst() { print $# arguments:; print -l $*; }

   functst "Eines Morgens" "als Gregor Samsa"

   functst ""

-- 

2.17.1