From da634636bad734188a7a752b73c978c84c2baa18 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 30 2018 05:01:55 +0000 Subject: import zsh-5.0.2-31.el7 --- diff --git a/SOURCES/zsh-5.0.2-CVE-2014-10071.patch b/SOURCES/zsh-5.0.2-CVE-2014-10071.patch new file mode 100644 index 0000000..47e4d1e --- /dev/null +++ b/SOURCES/zsh-5.0.2-CVE-2014-10071.patch @@ -0,0 +1,28 @@ +From 1b014b78fa0919a83b0a8082bc78b0fa3dccaf33 Mon Sep 17 00:00:00 2001 +From: Mikael Magnusson +Date: Mon, 6 Oct 2014 20:33:47 +0200 +Subject: [PATCH] 33365: avoid buffer overflow for very long fds in >& fd + syntax + +Upstream-commit: 49a3086bb67575435251c70ee598e2fd406ef055 +Signed-off-by: Kamil Dudka +--- + Src/exec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Src/exec.c b/Src/exec.c +index fb9715c..6d47935 100644 +--- a/Src/exec.c ++++ b/Src/exec.c +@@ -3134,7 +3134,7 @@ execcmd(Estate state, int input, int output, int how, int last1) + fil = dup(fd); + } + if (fil == -1) { +- char fdstr[4]; ++ char fdstr[DIGBUFSIZE]; + + closemnodes(mfds); + fixfds(save); +-- +2.14.3 + diff --git a/SOURCES/zsh-5.0.2-CVE-2014-10072.patch b/SOURCES/zsh-5.0.2-CVE-2014-10072.patch new file mode 100644 index 0000000..689e63d --- /dev/null +++ b/SOURCES/zsh-5.0.2-CVE-2014-10072.patch @@ -0,0 +1,90 @@ +From a787fc5c556cbbc7f3de308d25b7527f9da5a0da Mon Sep 17 00:00:00 2001 +From: "Barton E. Schaefer" +Date: Sun, 19 Jan 2014 17:41:06 -0800 +Subject: [PATCH] 32294: prevent buffer overflow when scanning very long + directory paths for symbolic links + +Upstream-commit: 3e06aeabd8a9e8384ebaa8b08996cd1f64737210 +Signed-off-by: Kamil Dudka +--- + Src/utils.c | 31 ++++++++++++++++++------------- + 1 file changed, 18 insertions(+), 13 deletions(-) + +diff --git a/Src/utils.c b/Src/utils.c +index 20fa59d..a197ef8 100644 +--- a/Src/utils.c ++++ b/Src/utils.c +@@ -726,32 +726,36 @@ xsymlinks(char *s) + char **pp, **opp; + char xbuf2[PATH_MAX*2], xbuf3[PATH_MAX*2]; + int t0, ret = 0; ++ zulong xbuflen = strlen(xbuf); + + opp = pp = slashsplit(s); +- for (; *pp; pp++) { +- if (!strcmp(*pp, ".")) { +- zsfree(*pp); ++ for (; xbuflen < sizeof(xbuf) && *pp; pp++) { ++ if (!strcmp(*pp, ".")) + continue; +- } + if (!strcmp(*pp, "..")) { + char *p; + +- zsfree(*pp); + if (!strcmp(xbuf, "/")) + continue; + if (!*xbuf) + continue; +- p = xbuf + strlen(xbuf); +- while (*--p != '/'); ++ p = xbuf + xbuflen; ++ while (*--p != '/') ++ xbuflen--; + *p = '\0'; + continue; + } + sprintf(xbuf2, "%s/%s", xbuf, *pp); + t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX); + if (t0 == -1) { +- strcat(xbuf, "/"); +- strcat(xbuf, *pp); +- zsfree(*pp); ++ zulong pplen = strlen(*pp) + 1; ++ if ((xbuflen += pplen) < sizeof(xbuf)) { ++ strcat(xbuf, "/"); ++ strcat(xbuf, *pp); ++ } else { ++ *xbuf = 0; ++ break; ++ } + } else { + ret = 1; + metafy(xbuf3, t0, META_NOALLOC); +@@ -760,10 +764,9 @@ xsymlinks(char *s) + xsymlinks(xbuf3 + 1); + } else + xsymlinks(xbuf3); +- zsfree(*pp); + } + } +- free(opp); ++ freearray(opp); + return ret; + } + +@@ -780,8 +783,10 @@ xsymlink(char *s) + return NULL; + *xbuf = '\0'; + xsymlinks(s + 1); +- if (!*xbuf) ++ if (!*xbuf) { ++ zwarn("path expansion failed, using root directory"); + return ztrdup("/"); ++ } + return ztrdup(xbuf); + } + +-- +2.14.3 + diff --git a/SOURCES/zsh-5.0.2-CVE-2017-18205.patch b/SOURCES/zsh-5.0.2-CVE-2017-18205.patch new file mode 100644 index 0000000..b2c06b8 --- /dev/null +++ b/SOURCES/zsh-5.0.2-CVE-2017-18205.patch @@ -0,0 +1,63 @@ +From 08e287503fb4a8657962917891f2b7b90b713678 Mon Sep 17 00:00:00 2001 +From: Peter Stephenson +Date: Tue, 13 Jun 2017 15:41:00 +0100 +Subject: [PATCH] 41284: Fix NULL dereference in cd. + +This happened in sh compatiblity mode if HOME was not set +and cd was used with no argument. + +Upstream-commit: eb783754bdb74377f3cea4ceca9c23a02ea1bf58 +Signed-off-by: Kamil Dudka +--- + Src/builtin.c | 11 ++++++++++- + Test/B01cd.ztst | 4 ++++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/Src/builtin.c b/Src/builtin.c +index ccfa745..caa4b64 100644 +--- a/Src/builtin.c ++++ b/Src/builtin.c +@@ -842,8 +842,13 @@ cd_get_dest(char *nam, char **argv, int hard, int func) + dir = nextnode(firstnode(dirstack)); + if (dir) + zinsertlinknode(dirstack, dir, getlinknode(dirstack)); +- else if (func != BIN_POPD) ++ else if (func != BIN_POPD) { ++ if (!home) { ++ zwarnnam(nam, "HOME not set"); ++ return NULL; ++ } + zpushnode(dirstack, ztrdup(home)); ++ } + } else if (!argv[1]) { + int dd; + char *end; +@@ -898,6 +903,10 @@ cd_get_dest(char *nam, char **argv, int hard, int func) + if (!dir) { + dir = firstnode(dirstack); + } ++ if (!dir || !getdata(dir)) { ++ DPUTS(1, "Directory not set, not detected early enough"); ++ return NULL; ++ } + if (!(dest = cd_do_chdir(nam, getdata(dir), hard))) { + if (!target) + zsfree(getlinknode(dirstack)); +diff --git a/Test/B01cd.ztst b/Test/B01cd.ztst +index c7920dd..e56fd26 100644 +--- a/Test/B01cd.ztst ++++ b/Test/B01cd.ztst +@@ -125,6 +125,10 @@ F:something is broken. But you already knew that. + 0: + ?(eval):cd:3: not a directory: link_to_nonexistent + ++ (unset HOME; ARGV0=sh $ZTST_testdir/../Src/zsh -c cd) ++1:Implicit cd with unset HOME. ++?zsh:cd:1: HOME not set ++ + %clean + # This optional section cleans up after the test, if necessary, + # e.g. killing processes etc. This is in addition to the removal of *.tmp +-- +2.14.3 + diff --git a/SOURCES/zsh-5.0.2-CVE-2017-18206.patch b/SOURCES/zsh-5.0.2-CVE-2017-18206.patch new file mode 100644 index 0000000..ef0df69 --- /dev/null +++ b/SOURCES/zsh-5.0.2-CVE-2017-18206.patch @@ -0,0 +1,104 @@ +From e51be32e198f42828b1082f9a40ff525ba892dcb Mon Sep 17 00:00:00 2001 +From: "Barton E. Schaefer" +Date: Sun, 17 Aug 2014 10:32:02 -0700 +Subject: [PATCH 1/2] Increase size of xbuf2 in xsymlinks to make gcc + FORTIFY_SOURCE=2 happy. + +Upstream-commit: 4ba08eef7e15f7fd0c96353d931b764e25fd251d +Signed-off-by: Kamil Dudka +--- + Src/utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Src/utils.c b/Src/utils.c +index a197ef8..13e744e 100644 +--- a/Src/utils.c ++++ b/Src/utils.c +@@ -724,7 +724,7 @@ static int + xsymlinks(char *s) + { + char **pp, **opp; +- char xbuf2[PATH_MAX*2], xbuf3[PATH_MAX*2]; ++ char xbuf2[PATH_MAX*3], xbuf3[PATH_MAX*2]; + int t0, ret = 0; + zulong xbuflen = strlen(xbuf); + +-- +2.14.3 + + +From 5059305b758f1fd228837da436b48a1dcadfd7a3 Mon Sep 17 00:00:00 2001 +From: Peter Stephenson +Date: Tue, 9 May 2017 17:49:18 +0100 +Subject: [PATCH 2/2] 40181: Fix buffer overrun in xsymlinks. + +There was no check for copying to the internal xbuf2 for a +preliminary test. + +Upstream-commit: c7a9cf465dd620ef48d586026944d9bd7a0d5d6d + +The upstream test-case has not been backported because this version +of zsh does not support the :P modifier. + +Signed-off-by: Kamil Dudka + +Also picked a fix for buffer size off-by-one from upstream commit +a62e1640bcafbb82d86ea8d8ce057a83c4683d60 to fix the following defect +newly detected by Coverity Analysis: + +Error: OVERRUN (CWE-119): +zsh-5.0.2/Src/utils.c:732: cond_at_most: Checking "xbuflen < 8192UL" implies that "xbuflen" may be up to 8191 on the true branch. +zsh-5.0.2/Src/utils.c:757: overrun-local: Overrunning array of 8192 bytes at byte offset 8192 by dereferencing pointer "xbuf2 + xbuflen + 1". [Note: The source code implementation of the function has been overridden by a builtin model.] +--- + Src/utils.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/Src/utils.c b/Src/utils.c +index a197ef8..391d020 100644 +--- a/Src/utils.c ++++ b/Src/utils.c +@@ -684,7 +684,7 @@ ispwd(char *s) + return 0; + } + +-static char xbuf[PATH_MAX*2]; ++static char xbuf[PATH_MAX*2+1]; + + /**/ + static char ** +@@ -724,9 +724,9 @@ static int + xsymlinks(char *s) + { + char **pp, **opp; +- char xbuf2[PATH_MAX*3], xbuf3[PATH_MAX*2]; ++ char xbuf2[PATH_MAX*3+1], xbuf3[PATH_MAX*2+1]; + int t0, ret = 0; +- zulong xbuflen = strlen(xbuf); ++ zulong xbuflen = strlen(xbuf), pplen; + + opp = pp = slashsplit(s); + for (; xbuflen < sizeof(xbuf) && *pp; pp++) { +@@ -745,10 +745,18 @@ xsymlinks(char *s) + *p = '\0'; + continue; + } +- sprintf(xbuf2, "%s/%s", xbuf, *pp); ++ /* Includes null byte. */ ++ pplen = strlen(*pp) + 1; ++ if (xbuflen + pplen + 1 > sizeof(xbuf2)) { ++ *xbuf = 0; ++ ret = -1; ++ break; ++ } ++ memcpy(xbuf2, xbuf, xbuflen); ++ xbuf2[xbuflen] = '/'; ++ memcpy(xbuf2 + xbuflen + 1, *pp, pplen); + t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX); + if (t0 == -1) { +- zulong pplen = strlen(*pp) + 1; + if ((xbuflen += pplen) < sizeof(xbuf)) { + strcat(xbuf, "/"); + strcat(xbuf, *pp); +-- +2.14.3 + diff --git a/SOURCES/zsh-5.0.2-CVE-2018-1071.patch b/SOURCES/zsh-5.0.2-CVE-2018-1071.patch new file mode 100644 index 0000000..7605bbd --- /dev/null +++ b/SOURCES/zsh-5.0.2-CVE-2018-1071.patch @@ -0,0 +1,47 @@ +From c3fec0b136d938704d8b0ba82424eea8d17f86ab Mon Sep 17 00:00:00 2001 +From: Oliver Kiddle +Date: Sat, 24 Mar 2018 15:02:41 +0100 +Subject: [PATCH] 42518, CVE-2018-1071: check bounds when copying path in + hashcmd() + +Upstream-commit: 679b71ec4d852037fe5f73d35bf557b0f406c8d4 +Signed-off-by: Kamil Dudka +--- + Src/exec.c | 2 +- + Src/utils.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Src/exec.c b/Src/exec.c +index 6d47935..b9ffb35 100644 +--- a/Src/exec.c ++++ b/Src/exec.c +@@ -860,7 +860,7 @@ hashcmd(char *arg0, char **pp) + for (; *pp; pp++) + if (**pp == '/') { + s = buf; +- strucpy(&s, *pp); ++ struncpy(&s, *pp, PATH_MAX); + *s++ = '/'; + if ((s - buf) + strlen(arg0) >= PATH_MAX) + continue; +diff --git a/Src/utils.c b/Src/utils.c +index 391d020..c6eba63 100644 +--- a/Src/utils.c ++++ b/Src/utils.c +@@ -2005,10 +2005,10 @@ struncpy(char **s, char *t, int n) + { + char *u = *s; + +- while (n--) +- *u++ = *t++; ++ while (n-- && (*u++ = *t++)); + *s = u; +- *u = '\0'; ++ if (n > 0) /* just one null-byte will do, unlike strncpy(3) */ ++ *u = '\0'; + } + + /* Return the number of elements in an array of pointers. * +-- +2.14.3 + diff --git a/SOURCES/zsh-5.0.2-CVE-2018-1083.patch b/SOURCES/zsh-5.0.2-CVE-2018-1083.patch new file mode 100644 index 0000000..722079a --- /dev/null +++ b/SOURCES/zsh-5.0.2-CVE-2018-1083.patch @@ -0,0 +1,63 @@ +From 20cf100cddc27a1e7202413261c93b78142899e8 Mon Sep 17 00:00:00 2001 +From: Oliver Kiddle +Date: Sat, 24 Mar 2018 15:04:39 +0100 +Subject: [PATCH] 42519, CVE-2018-1083: check bounds on PATH_MAX-sized buffer + used for file completion candidates + +Upstream-commit: 259ac472eac291c8c103c7a0d8a4eaf3c2942ed7 +Signed-off-by: Kamil Dudka + +Also picked a fix for buffer size off-by-one from upstream commit +a62e1640bcafbb82d86ea8d8ce057a83c4683d60 to fix the following defect +newly detected by Coverity Analysis: + +Error: OVERRUN (CWE-119): +zsh-5.0.2/Src/Zle/compctl.c:2160: cond_at_most: Checking "pathpreflen > 4096" implies that "pathpreflen" may be up to 4096 on the false branch. +zsh-5.0.2/Src/Zle/compctl.c:2172: overrun-buffer-arg: Overrunning array "p" of 4096 bytes by passing it to a function which accesses it at byte offset 4096 using argument "pathpreflen + 1" (which evaluates to 4097). [Note: The source code implementation of the function has been overridden by a builtin model.] +--- + Src/Zle/compctl.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/Src/Zle/compctl.c b/Src/Zle/compctl.c +index 5d67137..5e636ef 100644 +--- a/Src/Zle/compctl.c ++++ b/Src/Zle/compctl.c +@@ -2136,7 +2136,7 @@ gen_matches_files(int dirs, int execs, int all) + { + DIR *d; + struct stat buf; +- char *n, p[PATH_MAX], *q = NULL, *e, *pathpref; ++ char *n, p[PATH_MAX+1], *q = NULL, *e, *pathpref; + LinkList l = NULL; + int ns = 0, ng = opts[NULLGLOB], test, aw = addwhat, pathpreflen; + +@@ -2157,6 +2157,8 @@ gen_matches_files(int dirs, int execs, int all) + if (prpre && *prpre) { + pathpref = dupstring(prpre); + unmetafy(pathpref, &pathpreflen); ++ if (pathpreflen > PATH_MAX) ++ return; + /* system needs NULL termination, not provided by unmetafy */ + pathpref[pathpreflen] = '\0'; + } else { +@@ -2199,6 +2201,8 @@ gen_matches_files(int dirs, int execs, int all) + * the path buffer by appending the filename. */ + ums = dupstring(n); + unmetafy(ums, ¨en); ++ if (umlen + pathpreflen + 1 > PATH_MAX) ++ continue; + memcpy(q, ums, umlen); + q[umlen] = '\0'; + /* And do the stat. */ +@@ -2213,6 +2217,8 @@ gen_matches_files(int dirs, int execs, int all) + /* We have to test for a path suffix. */ + int o = strlen(p), tt; + ++ if (o + strlen(psuf) > PATH_MAX) ++ continue; + /* Append it to the path buffer. */ + strcpy(p + o, psuf); + +-- +2.14.3 + diff --git a/SOURCES/zsh-5.0.2-CVE-2018-1100.patch b/SOURCES/zsh-5.0.2-CVE-2018-1100.patch new file mode 100644 index 0000000..3ff1e51 --- /dev/null +++ b/SOURCES/zsh-5.0.2-CVE-2018-1100.patch @@ -0,0 +1,41 @@ +From 7f28151c0b6bca5cb60f56e9a17ccb2fd9665269 Mon Sep 17 00:00:00 2001 +From: Oliver Kiddle +Date: Sat, 7 Apr 2018 18:28:38 +0200 +Subject: [PATCH] 42607, CVE-2018-1100: check bounds on buffer in mail checking + +Upstream-commit: 31f72205630687c1cef89347863aab355296a27f +Signed-off-by: Kamil Dudka +--- + Src/utils.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/Src/utils.c b/Src/utils.c +index c6eba63..41ec45c 100644 +--- a/Src/utils.c ++++ b/Src/utils.c +@@ -1414,7 +1414,7 @@ checkmailpath(char **s) + LinkList l; + DIR *lock = opendir(unmeta(*s)); + char buf[PATH_MAX * 2], **arr, **ap; +- int ct = 1; ++ int buflen, ct = 1; + + if (lock) { + char *fn; +@@ -1423,9 +1423,11 @@ checkmailpath(char **s) + l = newlinklist(); + while ((fn = zreaddir(lock, 1)) && !errflag) { + if (u) +- sprintf(buf, "%s/%s?%s", *s, fn, u); ++ buflen = snprintf(buf, sizeof(buf), "%s/%s?%s", *s, fn, u); + else +- sprintf(buf, "%s/%s", *s, fn); ++ buflen = snprintf(buf, sizeof(buf), "%s/%s", *s, fn); ++ if (buflen < 0 || buflen >= (int)sizeof(buf)) ++ continue; + addlinknode(l, dupstring(buf)); + ct++; + } +-- +2.14.3 + diff --git a/SOURCES/zsh-5.0.2-CVE-2018-7549.patch b/SOURCES/zsh-5.0.2-CVE-2018-7549.patch new file mode 100644 index 0000000..dff731b --- /dev/null +++ b/SOURCES/zsh-5.0.2-CVE-2018-7549.patch @@ -0,0 +1,38 @@ +From 8aa649ab39c6113072f93d8065d846477ab297f1 Mon Sep 17 00:00:00 2001 +From: Stephane Chazelas +Date: Fri, 22 Dec 2017 22:17:09 +0000 +Subject: [PATCH] Avoid crash copying empty hash table. + +Visible with typeset -p. + +Upstream-commit: c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd +Signed-off-by: Kamil Dudka +--- + Src/params.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/Src/params.c b/Src/params.c +index be8394b..25f34e8 100644 +--- a/Src/params.c ++++ b/Src/params.c +@@ -492,10 +492,13 @@ scancopyparams(HashNode hn, UNUSED(int flags)) + HashTable + copyparamtable(HashTable ht, char *name) + { +- HashTable nht = newparamtable(ht->hsize, name); +- outtable = nht; +- scanhashtable(ht, 0, 0, 0, scancopyparams, 0); +- outtable = NULL; ++ HashTable nht = 0; ++ if (ht) { ++ nht = newparamtable(ht->hsize, name); ++ outtable = nht; ++ scanhashtable(ht, 0, 0, 0, scancopyparams, 0); ++ outtable = NULL; ++ } + return nht; + } + +-- +2.14.3 + diff --git a/SOURCES/zsh-5.0.2-freeheap-crash.patch b/SOURCES/zsh-5.0.2-freeheap-crash.patch new file mode 100644 index 0000000..f386e1c --- /dev/null +++ b/SOURCES/zsh-5.0.2-freeheap-crash.patch @@ -0,0 +1,104 @@ +From 62536afb90ebb3d7421485c018abd90ba72b919c Mon Sep 17 00:00:00 2001 +From: "Barton E. Schaefer" +Date: Sat, 18 Jan 2014 21:22:11 -0800 +Subject: [PATCH 1/2] 32285: restart the fheap search in freeheap if the + current fheap arena is about to be discarded; fixes crash + +Upstream-commit: 23f98c3e1d4792e32c616e1f73c383988bd86a9c +Signed-off-by: Kamil Dudka +--- + Src/mem.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/Src/mem.c b/Src/mem.c +index aeca3d9..eb5a091 100644 +--- a/Src/mem.c ++++ b/Src/mem.c +@@ -367,6 +367,15 @@ freeheap(void) + } + #endif + } else { ++ if (h == fheap && h != heaps) { ++ /* ++ * When deallocating the last arena with free space, ++ * loop back through the list to find another one. ++ */ ++ fheap = NULL; ++ hn = heaps; ++ continue; ++ } + #ifdef USE_MMAP + munmap((void *) h, h->size); + #else +-- +2.13.5 + + +From d968fe1061acabd72465a276c2de060f0f8bb668 Mon Sep 17 00:00:00 2001 +From: "Barton E. Schaefer" +Date: Wed, 22 Jan 2014 21:47:29 -0800 +Subject: [PATCH 2/2] unposted: reformulate 32285 to lift the fheap->sp test + out of the loop, improve commentary + +Upstream-commit: 6c603a412751c810ba04bcd463cd3595091ca391 +Signed-off-by: Kamil Dudka +--- + Src/mem.c | 24 +++++++++--------------- + 1 file changed, 9 insertions(+), 15 deletions(-) + +diff --git a/Src/mem.c b/Src/mem.c +index eb5a091..3a7e31d 100644 +--- a/Src/mem.c ++++ b/Src/mem.c +@@ -319,23 +319,26 @@ freeheap(void) + h_free++; + #endif + +- /* At this point we used to do: +- fheap = NULL; +- * ++ /* + * When pushheap() is called, it sweeps over the entire heaps list of + * arenas and marks every one of them with the amount of free space in + * that arena at that moment. zhalloc() is then allowed to grab bits + * out of any of those arenas that have free space. + * +- * With the above reset of fheap, the loop below sweeps back over the ++ * Whenever fheap is NULL here, the loop below sweeps back over the + * entire heap list again, resetting the free space in every arena to + * the amount stashed by pushheap() and finding the first arena with + * free space to optimize zhalloc()'s next search. When there's a lot + * of stuff already on the heap, this is an enormous amount of work, + * and performance goes to hell. + * +- * However, there doesn't seem to be any reason to reset fheap before +- * beginning this loop. Either it's already correct, or it has never ++ * However, if the arena to which fheap points is unused, we want to ++ * free it, so we have no choice but to do the sweep for a new fheap. ++ */ ++ if (fheap && !fheap->sp) ++ fheap = NULL; /* We used to do this unconditionally */ ++ /* ++ * In other cases, either fheap is already correct, or it has never + * been set and this loop will do it, or it'll be reset from scratch + * on the next popheap(). So all that's needed here is to pick up + * the scan wherever the last pass [or the last popheap()] left off. +@@ -367,15 +370,6 @@ freeheap(void) + } + #endif + } else { +- if (h == fheap && h != heaps) { +- /* +- * When deallocating the last arena with free space, +- * loop back through the list to find another one. +- */ +- fheap = NULL; +- hn = heaps; +- continue; +- } + #ifdef USE_MMAP + munmap((void *) h, h->size); + #else +-- +2.13.5 + diff --git a/SPECS/zsh.spec b/SPECS/zsh.spec index 0058423..bd664b7 100644 --- a/SPECS/zsh.spec +++ b/SPECS/zsh.spec @@ -3,7 +3,7 @@ Summary: Powerful interactive shell Name: zsh Version: 5.0.2 -Release: 28%{?dist} +Release: 31%{?dist} License: MIT URL: http://zsh.sourceforge.net/ Group: System Environment/Shells @@ -76,6 +76,33 @@ Patch22: zsh-5.0.2-noexec-subscript.patch # zero new space allocated in prompt buffer (#1408619) Patch23: zsh-5.0.2-initialize-prompt-buffer.patch +# fix crash while inputting long multi-line strings (#1492595) +Patch24: zsh-5.0.2-freeheap-crash.patch + +# fix buffer overflow for very long fds in >& fd syntax (CVE-2014-10071) +Patch33: zsh-5.0.2-CVE-2014-10071.patch + +# fix buffer overflow when scanning very long path for symlinks (CVE-2014-10072) +Patch34: zsh-5.0.2-CVE-2014-10072.patch + +# fix NULL dereference in cd (CVE-2017-18205) +Patch35: zsh-5.0.2-CVE-2017-18205.patch + +# fix buffer overrun in xsymlinks (CVE-2017-18206) +Patch36: zsh-5.0.2-CVE-2017-18206.patch + +# avoid crash when copying empty hash table (CVE-2018-7549) +Patch37: zsh-5.0.2-CVE-2018-7549.patch + +# fix stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071) +Patch38: zsh-5.0.2-CVE-2018-1071.patch + +# fix stack-based buffer overflow in gen_matches_files() (CVE-2018-1083) +Patch39: zsh-5.0.2-CVE-2018-1083.patch + +# fix stack-based buffer overflow in utils.c:checkmailpath() (CVE-2018-1100) +Patch40: zsh-5.0.2-CVE-2018-1100.patch + BuildRequires: coreutils sed ncurses-devel libcap-devel BuildRequires: texinfo texi2html gawk hostname Requires(post): /sbin/install-info grep @@ -129,6 +156,15 @@ This package contains the Zsh manual in html format. %patch21 -p1 %patch22 -p1 %patch23 -p1 +%patch24 -p1 +%patch33 -p1 +%patch34 -p1 +%patch35 -p1 +%patch36 -p1 +%patch37 -p1 +%patch38 -p1 +%patch39 -p1 +%patch40 -p1 cp -p %SOURCE7 . @@ -245,6 +281,22 @@ fi %doc Doc/*.html %changelog +* Fri May 04 2018 Kamil Dudka - 5.0.2-31 +- fix defects detected by Coverity related to CVE-2017-18206 and CVE-2018-1083 + +* Thu May 03 2018 Kamil Dudka - 5.0.2-30 +- fix stack-based buffer overflow in utils.c:checkmailpath() (CVE-2018-1100) +- fix stack-based buffer overflow in gen_matches_files() (CVE-2018-1083) +- fix stack-based buffer overflow in exec.c:hashcmd() (CVE-2018-1071) +- avoid crash when copying empty hash table (CVE-2018-7549) +- fix buffer overrun in xsymlinks (CVE-2017-18206) +- fix NULL dereference in cd (CVE-2017-18205) +- fix buffer overflow when scanning very long path for symlinks (CVE-2014-10072) +- fix buffer overflow for very long fds in >& fd syntax (CVE-2014-10071) + +* Tue Sep 19 2017 Kamil Dudka - 5.0.2-29 +- fix crash while inputting long multi-line strings (#1492595) + * Thu Feb 16 2017 Kamil Dudka - 5.0.2-28 - zero new space allocated in prompt buffer (#1408619)