From f55aa0c7b72c6e4f08f77aa84e196895182860e7 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 9 Mar 2018 20:06:39 -0500 Subject: [PATCH] gnu: zsh: Fix CVE-2018-{7548,7549}. * gnu/packages/patches/zsh-CVE-2018-7548.patch, gnu/packages/patches/zsh-CVE-2018-7549.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/shells.scm (zsh)[source]: Use them. --- gnu/local.mk | 4 +- gnu/packages/patches/zsh-CVE-2018-7548.patch | 48 +++++++++++++++++ gnu/packages/patches/zsh-CVE-2018-7549.patch | 56 ++++++++++++++++++++ gnu/packages/shells.scm | 2 + 4 files changed, 109 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/zsh-CVE-2018-7548.patch create mode 100644 gnu/packages/patches/zsh-CVE-2018-7549.patch diff --git a/gnu/local.mk b/gnu/local.mk index d90d8a318d..fbf7b2a7c7 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1181,7 +1181,9 @@ dist_patch_DATA = \ %D%/packages/patches/xinetd-CVE-2013-4342.patch \ %D%/packages/patches/xmodmap-asprintf.patch \ %D%/packages/patches/libyaml-CVE-2014-9130.patch \ - %D%/packages/patches/zathura-plugindir-environment-variable.patch + %D%/packages/patches/zathura-plugindir-environment-variable.patch \ + %D%/packages/patches/zsh-CVE-2018-7548.patch \ + %D%/packages/patches/zsh-CVE-2018-7549.patch MISC_DISTRO_FILES = \ %D%/packages/ld-wrapper.in diff --git a/gnu/packages/patches/zsh-CVE-2018-7548.patch b/gnu/packages/patches/zsh-CVE-2018-7548.patch new file mode 100644 index 0000000000..1ee15fad73 --- /dev/null +++ b/gnu/packages/patches/zsh-CVE-2018-7548.patch @@ -0,0 +1,48 @@ +Fix CVE-2018-7548: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7548 + +Patch copied from upstream source repository: + +https://sourceforge.net/p/zsh/code/ci/110b13e1090bc31ac1352b28adc2d02b6d25a102 + +From 110b13e1090bc31ac1352b28adc2d02b6d25a102 Mon Sep 17 00:00:00 2001 +From: Joey Pabalinas +Date: Tue, 23 Jan 2018 22:28:08 -0800 +Subject: [PATCH] 42313: avoid null-pointer deref when using ${(PA)...} on an + empty array result + +--- + ChangeLog | 5 +++++ + Src/subst.c | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +#diff --git a/ChangeLog b/ChangeLog +#index d2ba94afc..3037edda4 100644 +#--- a/ChangeLog +#+++ b/ChangeLog +#@@ -1,3 +1,8 @@ +#+2018-01-23 Barton E. Schaefer +#+ +#+ * Joey Pabalinas: 42313: Src/subst.c: avoid null-pointer deref +#+ when using ${(PA)...} on an empty array result +#+ +# 2018-01-23 Oliver Kiddle +# +# * 42317: Completion/Linux/Command/_cryptsetup, +diff --git a/Src/subst.c b/Src/subst.c +index d027e3d83..a265a187e 100644 +--- a/Src/subst.c ++++ b/Src/subst.c +@@ -2430,7 +2430,7 @@ paramsubst(LinkList l, LinkNode n, char **str, int qt, int pf_flags, + val = aval[0]; + isarr = 0; + } +- s = dyncat(val, s); ++ s = val ? dyncat(val, s) : dupstring(s); + /* Now behave po-faced as if it was always like that... */ + subexp = 0; + /* +-- +2.16.2 + diff --git a/gnu/packages/patches/zsh-CVE-2018-7549.patch b/gnu/packages/patches/zsh-CVE-2018-7549.patch new file mode 100644 index 0000000000..abefcdf2f9 --- /dev/null +++ b/gnu/packages/patches/zsh-CVE-2018-7549.patch @@ -0,0 +1,56 @@ +Fix CVE-2018-7549: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7549 + +Patch copied from upstream source repository: + +https://sourceforge.net/p/zsh/code/ci/c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd + +From c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd Mon Sep 17 00:00:00 2001 +From: Stephane Chazelas +Date: Fri, 22 Dec 2017 22:17:09 +0000 +Subject: [PATCH] Avoid crash copying empty hash table. + +Visible with typeset -p. +--- + ChangeLog | 2 ++ + Src/params.c | 11 +++++++---- + 2 files changed, 9 insertions(+), 4 deletions(-) + +#diff --git a/ChangeLog b/ChangeLog +#index f74c26b88..e3628cfa7 100644 +#--- a/ChangeLog +#+++ b/ChangeLog +#@@ -1,5 +1,7 @@ +# 2018-01-04 Peter Stephenson +# +#+ * Stephane: 42159: Src/params.c: avoid crash copying empty hash table. +#+ +# * Sebastian: 42188: Src/Modules/system.c: It is necessary to +# close the lock descriptor in some failure cases. +# +diff --git a/Src/params.c b/Src/params.c +index 31ff0445b..de7730ae7 100644 +--- a/Src/params.c ++++ b/Src/params.c +@@ -549,10 +549,13 @@ scancopyparams(HashNode hn, UNUSED(int flags)) + HashTable + copyparamtable(HashTable ht, char *name) + { +- HashTable nht = newparamtable(ht->hsize, name); +- outtable = nht; +- scanhashtable(ht, 0, 0, 0, scancopyparams, 0); +- outtable = NULL; ++ HashTable nht = 0; ++ if (ht) { ++ nht = newparamtable(ht->hsize, name); ++ outtable = nht; ++ scanhashtable(ht, 0, 0, 0, scancopyparams, 0); ++ outtable = NULL; ++ } + return nht; + } + +-- +2.16.2 + diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm index f4a38b8779..685f6d2df4 100644 --- a/gnu/packages/shells.scm +++ b/gnu/packages/shells.scm @@ -300,6 +300,8 @@ (define-public zsh (string-append "http://www.zsh.org/pub/old/zsh-" version ".tar.gz"))) + (patches (search-patches "zsh-CVE-2018-7548.patch" + "zsh-CVE-2018-7549.patch")) (sha256 (base32 "1jdcfinzmki2w963msvsanv29vqqfmdfm4rncwpw0r3zqnrcsywm"))))