aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2018-03-09 20:06:39 -0500
committerLeo Famulari <leo@famulari.name>2018-03-10 12:30:53 -0500
commitf55aa0c7b72c6e4f08f77aa84e196895182860e7 (patch)
treebc4d840d591d12975976d97880f35918614295b0
parent488ea71ed855ef6ee72a10751e4d57f598628393 (diff)
downloadguix-f55aa0c7b72c6e4f08f77aa84e196895182860e7.tar
guix-f55aa0c7b72c6e4f08f77aa84e196895182860e7.tar.gz
gnu: zsh: Fix CVE-2018-{7548,7549}.
* gnu/packages/patches/zsh-CVE-2018-7548.patch, gnu/packages/patches/zsh-CVE-2018-7549.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/shells.scm (zsh)[source]: Use them.
-rw-r--r--gnu/local.mk4
-rw-r--r--gnu/packages/patches/zsh-CVE-2018-7548.patch48
-rw-r--r--gnu/packages/patches/zsh-CVE-2018-7549.patch56
-rw-r--r--gnu/packages/shells.scm2
4 files changed, 109 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index d90d8a318d..fbf7b2a7c7 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1181,7 +1181,9 @@ dist_patch_DATA = \
%D%/packages/patches/xinetd-CVE-2013-4342.patch \
%D%/packages/patches/xmodmap-asprintf.patch \
%D%/packages/patches/libyaml-CVE-2014-9130.patch \
- %D%/packages/patches/zathura-plugindir-environment-variable.patch
+ %D%/packages/patches/zathura-plugindir-environment-variable.patch \
+ %D%/packages/patches/zsh-CVE-2018-7548.patch \
+ %D%/packages/patches/zsh-CVE-2018-7549.patch
MISC_DISTRO_FILES = \
%D%/packages/ld-wrapper.in
diff --git a/gnu/packages/patches/zsh-CVE-2018-7548.patch b/gnu/packages/patches/zsh-CVE-2018-7548.patch
new file mode 100644
index 0000000000..1ee15fad73
--- /dev/null
+++ b/gnu/packages/patches/zsh-CVE-2018-7548.patch
@@ -0,0 +1,48 @@
+Fix CVE-2018-7548:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7548
+
+Patch copied from upstream source repository:
+
+https://sourceforge.net/p/zsh/code/ci/110b13e1090bc31ac1352b28adc2d02b6d25a102
+
+From 110b13e1090bc31ac1352b28adc2d02b6d25a102 Mon Sep 17 00:00:00 2001
+From: Joey Pabalinas <joeypabalinas@gmail.com>
+Date: Tue, 23 Jan 2018 22:28:08 -0800
+Subject: [PATCH] 42313: avoid null-pointer deref when using ${(PA)...} on an
+ empty array result
+
+---
+ ChangeLog | 5 +++++
+ Src/subst.c | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index d2ba94afc..3037edda4 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,3 +1,8 @@
+#+2018-01-23 Barton E. Schaefer <schaefer@zsh.org>
+#+
+#+ * Joey Pabalinas: 42313: Src/subst.c: avoid null-pointer deref
+#+ when using ${(PA)...} on an empty array result
+#+
+# 2018-01-23 Oliver Kiddle <okiddle@yahoo.co.uk>
+#
+# * 42317: Completion/Linux/Command/_cryptsetup,
+diff --git a/Src/subst.c b/Src/subst.c
+index d027e3d83..a265a187e 100644
+--- a/Src/subst.c
++++ b/Src/subst.c
+@@ -2430,7 +2430,7 @@ paramsubst(LinkList l, LinkNode n, char **str, int qt, int pf_flags,
+ val = aval[0];
+ isarr = 0;
+ }
+- s = dyncat(val, s);
++ s = val ? dyncat(val, s) : dupstring(s);
+ /* Now behave po-faced as if it was always like that... */
+ subexp = 0;
+ /*
+--
+2.16.2
+
diff --git a/gnu/packages/patches/zsh-CVE-2018-7549.patch b/gnu/packages/patches/zsh-CVE-2018-7549.patch
new file mode 100644
index 0000000000..abefcdf2f9
--- /dev/null
+++ b/gnu/packages/patches/zsh-CVE-2018-7549.patch
@@ -0,0 +1,56 @@
+Fix CVE-2018-7549:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7549
+
+Patch copied from upstream source repository:
+
+https://sourceforge.net/p/zsh/code/ci/c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd
+
+From c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd Mon Sep 17 00:00:00 2001
+From: Stephane Chazelas <stephane.chazelas@gmail.com>
+Date: Fri, 22 Dec 2017 22:17:09 +0000
+Subject: [PATCH] Avoid crash copying empty hash table.
+
+Visible with typeset -p.
+---
+ ChangeLog | 2 ++
+ Src/params.c | 11 +++++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index f74c26b88..e3628cfa7 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,5 +1,7 @@
+# 2018-01-04 Peter Stephenson <p.stephenson@samsung.com>
+#
+#+ * Stephane: 42159: Src/params.c: avoid crash copying empty hash table.
+#+
+# * Sebastian: 42188: Src/Modules/system.c: It is necessary to
+# close the lock descriptor in some failure cases.
+#
+diff --git a/Src/params.c b/Src/params.c
+index 31ff0445b..de7730ae7 100644
+--- a/Src/params.c
++++ b/Src/params.c
+@@ -549,10 +549,13 @@ scancopyparams(HashNode hn, UNUSED(int flags))
+ HashTable
+ copyparamtable(HashTable ht, char *name)
+ {
+- HashTable nht = newparamtable(ht->hsize, name);
+- outtable = nht;
+- scanhashtable(ht, 0, 0, 0, scancopyparams, 0);
+- outtable = NULL;
++ HashTable nht = 0;
++ if (ht) {
++ nht = newparamtable(ht->hsize, name);
++ outtable = nht;
++ scanhashtable(ht, 0, 0, 0, scancopyparams, 0);
++ outtable = NULL;
++ }
+ return nht;
+ }
+
+--
+2.16.2
+
diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm
index f4a38b8779..685f6d2df4 100644
--- a/gnu/packages/shells.scm
+++ b/gnu/packages/shells.scm
@@ -300,6 +300,8 @@ history mechanism, job control and a C-like syntax.")
(string-append
"http://www.zsh.org/pub/old/zsh-" version
".tar.gz")))
+ (patches (search-patches "zsh-CVE-2018-7548.patch"
+ "zsh-CVE-2018-7549.patch"))
(sha256
(base32
"1jdcfinzmki2w963msvsanv29vqqfmdfm4rncwpw0r3zqnrcsywm"))))