SUSE-SU-2018:1874-1: moderate: Security update for zsh

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Tue Jul 3 16:10:33 MDT 2018 

   SUSE Security Update: Security update for zsh
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:1874-1
Rating:             moderate
References:         #1084656 #1087026 #1089030 
Cross-References:   CVE-2018-1071 CVE-2018-1083 CVE-2018-1100
                   
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for zsh to version 5.5 fixes the following issues:

   Security issues fixed:

   - CVE-2018-1100: Fixes a buffer overflow in utils.c:checkmailpath() that
     can lead to local arbitrary code execution (bsc#1089030)
   - CVE-2018-1071: Fixed a stack-based buffer overflow in exec.c:hashcmd()
     (bsc#1084656)
   - CVE-2018-1083: Fixed a stack-based buffer overflow in
     gen_matches_files() at compctl.c (bsc#1087026)

   Non-security issues fixed:

   - The effect of the NO_INTERACTIVE_COMMENTS option extends into $(...) and
     `...` command substitutions when used on the command line.
   - The 'exec' and 'command' precommand modifiers, and options to them, are
     now parsed after parameter expansion.
   - Functions executed by ZLE widgets no longer have their standard input
     closed, but redirected from /dev/null instead.
   - There is an option WARN_NESTED_VAR, a companion to the existing
     WARN_CREATE_GLOBAL that causes a warning if a function updates a
     variable from an enclosing scope without using typeset -g.
   - zmodload now has an option -s to be silent on a failure to find a module
     but still print other errors.


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1268=1



Package List:

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      zsh-5.5-3.3.15
      zsh-debuginfo-5.5-3.3.15
      zsh-debugsource-5.5-3.3.15


References:

   https://www.suse.com/security/cve/CVE-2018-1071.html
   https://www.suse.com/security/cve/CVE-2018-1083.html
   https://www.suse.com/security/cve/CVE-2018-1100.html
   https://bugzilla.suse.com/1084656
   https://bugzilla.suse.com/1087026
   https://bugzilla.suse.com/1089030

More information about the sle-security-updates mailing list