From 1ae62648a186d943f6c5791a7957f7f5c7d42ff8 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Tue, 6 Mar 2018 16:22:12 +0100
Subject: [PATCH] Resolves: CVE-2018-7548 - avoid NULL dereference when using ${(PA)...} on an empty array
---
 0004-zsh-5.4.2-CVE-2018-7548.patch | 28 ++++++++++++++++++++++++++++
 zsh.spec | 8 +++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 0004-zsh-5.4.2-CVE-2018-7548.patch
diff --git a/0004-zsh-5.4.2-CVE-2018-7548.patch b/0004-zsh-5.4.2-CVE-2018-7548.patch
new file mode 100644
index 0000000..944b888
--- /dev/null
+++ b/0004-zsh-5.4.2-CVE-2018-7548.patch
@@ -0,0 +1,28 @@
+From fc22af40437f4de42f7505ca93361391eab788e3 Mon Sep 17 00:00:00 2001
+From: Joey Pabalinas
+Date: Tue, 23 Jan 2018 22:28:08 -0800
+Subject: [PATCH 1/2] 42313: avoid null-pointer deref when using ${(PA)...} on
+ an empty array result
+
+Upstream-commit: 110b13e1090bc31ac1352b28adc2d02b6d25a102
+Signed-off-by: Kamil Dudka
+---
+ Src/subst.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Src/subst.c b/Src/subst.c
+index 5b1bf89..94b0207 100644
+--- a/Src/subst.c
++++ b/Src/subst.c
+@@ -2340,7 +2340,7 @@ paramsubst(LinkList l, LinkNode n, char **str, int qt, int pf_flags,
+ val = aval[0];
+ isarr = 0;
+ }
+- s = dyncat(val, s);
++ s = val ? dyncat(val, s) : dupstring(s);
+ /* Now behave po-faced as if it was always like that... */
+ subexp = 0;
+ /*
+--
+2.14.3
+
diff --git a/zsh.spec b/zsh.spec
index e1987fa..db8f5c0 100644
--- a/zsh.spec
+++ b/zsh.spec
@@ -1,7 +1,7 @@
 Summary: Powerful interactive shell
 Name: zsh
 Version: 5.4.2
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: MIT
 URL: http://zsh.sourceforge.net/
 # FIXME: use .xz once available
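Review bot: The new line `s = val ? dyncat(val, s) : dupstring(s);` in the Src/subst.c hunk carried by 0004-zsh-5.4.2-CVE-2018-7548.patch has no comment saying why `val` can be NULL at that point, and the patch brings no regression test with it. I would add a comment above it such as `/* aval[0] is NULL when the (P) lookup yields an empty array; do not hand NULL to dyncat() */`. The guard covers only this one call: `val = aval[0];` a few lines earlier still leaves `val` NULL, and paramsubst() continues outside the hunk, so any later use of `val` should be checked against the full function. A test-suite case that expands `${(PA)...}` on an empty array and expects an empty result would keep the fix from being lost on the next rebase of the downstream patch set.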
@@ -16,6 +16,9 @@ Source6: dotzshrc
 # make the call depth limit configurable by $FUNCNEST (#1441092)
 Patch1: 0001-zsh-5.4.2-funcnest.patch
+# avoid NULL dereference when using ${(PA)...} on an empty array (CVE-2018-7548)
+Patch4: 0004-zsh-5.4.2-CVE-2018-7548.patch
+
 BuildRequires: autoconf
 BuildRequires: coreutils
 BuildRequires: gawk
@@ -171,6 +174,9 @@ fi
 %doc Doc/*.html
 %changelog
+* Tue Mar 06 2018 Kamil Dudka - 5.4.2-7
+- avoid NULL dereference when using ${(PA)...} on an empty array (CVE-2018-7548)
+
 * Mon Feb 19 2018 Kamil Dudka - 5.4.2-6
 - add explicit BR for the gcc compiler
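Review bot: `Patch4:` is declared in the `@@ -16,6 +16,9 @@` hunk of zsh.spec, but no hunk in this commit touches %prep, so nothing visible here shows that the CVE-2018-7548 fix is actually applied at build time. If %prep uses `%autosetup` or `%autopatch`, the new patch is picked up automatically. If it lists explicit `%patchN` lines, a `%patch4 -p1` is needed, otherwise release 7 ships with the changelog entry but without the fix. %prep lies outside the diff, so this should be confirmed against the full spec, and the build log checked for 0004-zsh-5.4.2-CVE-2018-7548.patch being applied.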