Resolves: CVE-2018-7548 - avoid NULL dereference when using ${(PA)...} on an empty array

Kamil Dudka 2018-03-06 16:22:12 +01:00
parent d8fb0ec40b
commit 1ae62648a1
2 changed files with 35 additions and 1 deletions


@ -0,0 +1,28 @@
From fc22af40437f4de42f7505ca93361391eab788e3 Mon Sep 17 00:00:00 2001
From: Joey Pabalinas <joeypabalinas@gmail.com>
Date: Tue, 23 Jan 2018 22:28:08 -0800
Subject: [PATCH 1/2] 42313: avoid null-pointer deref when using ${(PA)...} on
an empty array result
Upstream-commit: 110b13e1090bc31ac1352b28adc2d02b6d25a102
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
Src/subst.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Src/subst.c b/Src/subst.c
index 5b1bf89..94b0207 100644
--- a/Src/subst.c
+++ b/Src/subst.c
@@ -2340,7 +2340,7 @@ paramsubst(LinkList l, LinkNode n, char **str, int qt, int pf_flags,
val = aval[0];
isarr = 0;
}
- s = dyncat(val, s);
+ s = val ? dyncat(val, s) : dupstring(s);
/* Now behave po-faced as if it was always like that... */
subexp = 0;
/*
--
2.14.3
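Review bot: The embedded patch header reads `[PATCH 1/2]`, yet this commit adds one patch file containing a single hunk, so the second patch of that series is not visible here. If 2/2 belongs to the same NULL-dereference fix it should be carried as well; if it is unrelated, a short comment next to the `Patch4:` line in the spec saying so would save the next reviewer the lookup. The new guard `s = val ? dyncat(val, s) : dupstring(s);` covers only this call, and paramsubst continues outside the hunk, so later uses of `val` after `val = aval[0];` cannot be checked from here.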


@ -1,7 +1,7 @@
Summary: Powerful interactive shell
Name: zsh
Version: 5.4.2
Release: 6%{?dist}
Release: 7%{?dist}
License: MIT
URL: http://zsh.sourceforge.net/
# FIXME: use .xz once available
@ -16,6 +16,9 @@ Source6: dotzshrc
# make the call depth limit configurable by $FUNCNEST (#1441092)
Patch1: 0001-zsh-5.4.2-funcnest.patch
# avoid NULL dereference when using ${(PA)...} on an empty array (CVE-2018-7548)
Patch4: 0004-zsh-5.4.2-CVE-2018-7548.patch
BuildRequires: autoconf
BuildRequires: coreutils
BuildRequires: gawk
@ -171,6 +174,9 @@ fi
%doc Doc/*.html
%changelog
* Tue Mar 06 2018 Kamil Dudka <kdudka@redhat.com> - 5.4.2-7
- avoid NULL dereference when using ${(PA)...} on an empty array (CVE-2018-7548)
* Mon Feb 19 2018 Kamil Dudka <kdudka@redhat.com> - 5.4.2-6
- add explicit BR for the gcc compiler
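Review bot: `Patch4` is declared here, but none of the three hunks in this section touches %prep, so whether the patch is actually applied depends on a part of the spec that is not shown. If %prep uses `%autosetup` or `%autopatch`, the new entry is picked up automatically; if it lists patches explicitly, a matching `%patch4 -p1` line is needed. Without it the package would build as 5.4.2-7 with a changelog entry claiming the CVE-2018-7548 fix while shipping an unpatched Src/subst.c. Checking the build log for the patch being applied would confirm it.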