rpms / zsh

Clone
Source Code
GIT

Files

c4 c5 c5-plus c6 c6-plus c7 c7-alt c8-beta f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f7 f8 f9 master private-kdudka-zsh-5.3.1-test-2
  1.   c7
  2.   SOURCES
  3.   zsh-5.0.2-CVE-2018-1100.patch
Blob Blame History Raw 
From 7f28151c0b6bca5cb60f56e9a17ccb2fd9665269 Mon Sep 17 00:00:00 2001
From: Oliver Kiddle <okiddle@yahoo.co.uk>
Date: Sat, 7 Apr 2018 18:28:38 +0200
Subject: [PATCH] 42607, CVE-2018-1100: check bounds on buffer in mail checking

Upstream-commit: 31f72205630687c1cef89347863aab355296a27f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 Src/utils.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/Src/utils.c b/Src/utils.c
index c6eba63..41ec45c 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -1414,7 +1414,7 @@ checkmailpath(char **s)
 	    LinkList l;
 	    DIR *lock = opendir(unmeta(*s));
 	    char buf[PATH_MAX * 2], **arr, **ap;
-	    int ct = 1;
+	    int buflen, ct = 1;
 
 	    if (lock) {
 		char *fn;
@@ -1423,9 +1423,11 @@ checkmailpath(char **s)
 		l = newlinklist();
 		while ((fn = zreaddir(lock, 1)) && !errflag) {
 		    if (u)
-			sprintf(buf, "%s/%s?%s", *s, fn, u);
+			buflen = snprintf(buf, sizeof(buf), "%s/%s?%s", *s, fn, u);
 		    else
-			sprintf(buf, "%s/%s", *s, fn);
+			buflen = snprintf(buf, sizeof(buf), "%s/%s", *s, fn);
+		    if (buflen < 0 || buflen >= (int)sizeof(buf))
+			continue;
 		    addlinknode(l, dupstring(buf));
 		    ct++;
 		}
-- 
2.14.3

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation