rpms / zsh

Clone
Source Code
GIT

Blame SOURCES/zsh-5.0.2-CVE-2018-1071.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   4958351fe94d3e3c0f074b5fa4b9aae779d42b8e
  2.   SOURCES
  3.   zsh-5.0.2-CVE-2018-1071.patch
Blob History Raw
da6346 
From c3fec0b136d938704d8b0ba82424eea8d17f86ab Mon Sep 17 00:00:00 2001
da6346 
From: Oliver Kiddle <okiddle@yahoo.co.uk>
da6346 
Date: Sat, 24 Mar 2018 15:02:41 +0100
104d6b 
Subject: [PATCH 1/2] 42518, CVE-2018-1071: check bounds when copying path in
da6346 
 hashcmd()
da6346
da6346 
Upstream-commit: 679b71ec4d852037fe5f73d35bf557b0f406c8d4
da6346 
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
da6346 
---
da6346 
 Src/exec.c  | 2 +-
da6346 
 Src/utils.c | 6 +++---
da6346 
 2 files changed, 4 insertions(+), 4 deletions(-)
da6346
da6346 
diff --git a/Src/exec.c b/Src/exec.c
da6346 
index 6d47935..b9ffb35 100644
da6346 
--- a/Src/exec.c
da6346 
+++ b/Src/exec.c
da6346 
@@ -860,7 +860,7 @@ hashcmd(char *arg0, char **pp)
da6346 
     for (; *pp; pp++)
da6346 
 	if (**pp == '/') {
da6346 
 	    s = buf;
da6346 
-	    strucpy(&s, *pp);
da6346 
+	    struncpy(&s, *pp, PATH_MAX);
da6346 
 	    *s++ = '/';
da6346 
 	    if ((s - buf) + strlen(arg0) >= PATH_MAX)
da6346 
 		continue;
da6346 
diff --git a/Src/utils.c b/Src/utils.c
da6346 
index 391d020..c6eba63 100644
da6346 
--- a/Src/utils.c
da6346 
+++ b/Src/utils.c
495835 
@@ -2010,10 +2010,10 @@ struncpy(char **s, char *t, int n)
da6346 
 {
da6346 
     char *u = *s;
da6346
da6346 
-    while (n--)
da6346 
-	*u++ = *t++;
da6346 
+    while (n-- && (*u++ = *t++));
da6346 
     *s = u;
da6346 
-    *u = '\0';
da6346 
+    if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
da6346 
+	*u = '\0';
da6346 
 }
da6346
da6346 
 /* Return the number of elements in an array of pointers. *
da6346 
--
da6346 
2.14.3
da6346
104d6b
104d6b 
From 88b8110331ac616a8450fab0b87a65df715ee3a8 Mon Sep 17 00:00:00 2001
104d6b 
From: Oliver Kiddle <okiddle@yahoo.co.uk>
104d6b 
Date: Wed, 28 Mar 2018 09:00:58 +0200
104d6b 
Subject: [PATCH 2/2] 42539: prevent overflow of PATH_MAX-sized buffer in
104d6b 
 spelling correction
104d6b
104d6b 
Upstream-commit: c053c6a0799397632df9ba88f8812a1da49c67f1
104d6b 
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
104d6b 
---
104d6b 
 Src/utils.c | 14 +++++++++-----
104d6b 
 1 file changed, 9 insertions(+), 5 deletions(-)
104d6b
104d6b 
diff --git a/Src/utils.c b/Src/utils.c
104d6b 
index 3989c8c..bac12a9 100644
104d6b 
--- a/Src/utils.c
104d6b 
+++ b/Src/utils.c
495835 
@@ -2010,7 +2010,8 @@ struncpy(char **s, char *t, int n)
104d6b 
 {
104d6b 
     char *u = *s;
104d6b
104d6b 
-    while (n-- && (*u++ = *t++));
104d6b 
+    while (n-- && (*u = *t++))
104d6b 
+	u++;
104d6b 
     *s = u;
104d6b 
     if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
104d6b 
 	*u = '\0';
495835 
@@ -3745,17 +3746,20 @@ spname(char *oldname)
104d6b 
 	     * odd to the human reader, and we may make use of the total  *
104d6b 
 	     * distance for all corrections at some point in the future.  */
104d6b 
 	    if (bestdist < maxthresh) {
104d6b 
-		strcpy(new, spnameguess);
104d6b 
-		strcat(new, old);
104d6b 
-		return newname;
104d6b 
+		struncpy(&new, spnameguess, sizeof(newname) - (new - newname));
104d6b 
+		struncpy(&new, old, sizeof(newname) - (new - newname));
104d6b 
+		return (new - newname) >= (sizeof(newname)-1) ? NULL : newname;
104d6b 
 	    } else
104d6b 
 	    	return NULL;
104d6b 
 	} else {
104d6b 
 	    maxthresh = bestdist + thresh;
104d6b 
 	    bestdist += thisdist;
104d6b 
 	}
104d6b 
-	for (p = spnamebest; (*new = *p++);)
104d6b 
+	for (p = spnamebest; (*new = *p++);) {
104d6b 
+	    if ((new - newname) >= (sizeof(newname)-1))
104d6b 
+		return NULL;
104d6b 
 	    new++;
104d6b 
+	}
104d6b 
     }
104d6b 
 }
104d6b
104d6b 
--
104d6b 
2.17.2
104d6b

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation