MidnightBSD

Advisories for zsh

CVE-2014-10071 HIGH

In exec.c in zsh before 5.0.7, there is a buffer overflow for very long fds in the ">& fd" syntax.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
canonical ubuntu_linux 17.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 14.04
zsh zsh *
CVE-2016-10714 HIGH

In zsh before 5.3, an off-by-one error resulted in undersized buffers that were intended to support PATH_MAX characters.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
canonical ubuntu_linux 17.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 14.04
zsh zsh *
CVE-2017-18206 HIGH

In utils.c in zsh before 5.4, symlink expansion had a buffer overflow.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
canonical ubuntu_linux 17.10
canonical ubuntu_linux 16.04
canonical ubuntu_linux 14.04
zsh zsh *
CVE-2018-0502 HIGH

An issue was discovered in zsh before 5.6. The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
canonical ubuntu_linux 18.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 14.04
zsh zsh *
CVE-2018-1071 LOW

zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd() function. A local attacker could exploit this to cause a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-121,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
canonical ubuntu_linux 17.10
redhat enterprise_linux_desktop 7.0
debian debian_linux 7.0
redhat enterprise_linux_workstation 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 14.04
zsh zsh *
CVE-2018-1083 HIGH

Zsh before version 5.4.2-test-1 is vulnerable to a buffer overflow in the shell autocomplete functionality. A local unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use autocomplete to traverse the before mentioned path. If the user affected is privileged, this leads to privilege escalation.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,CWE-119,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
canonical ubuntu_linux 17.10
redhat enterprise_linux_desktop 7.0
debian debian_linux 7.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 14.04
redhat enterprise_linux_server 6.0
zsh zsh *
CVE-2018-1100 HIGH

zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the utils.c:checkmailpath function. A local attacker could exploit this to execute arbitrary code in the context of another user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 18.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 14.04
redhat enterprise_linux_server 6.0
zsh zsh *
CVE-2018-13259 HIGH

An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
canonical ubuntu_linux 18.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 14.04
zsh zsh *
CVE-2018-7548 HIGH

In subst.c in zsh through 5.4.2, there is a NULL pointer dereference when using ${(PA)...} on an empty array result.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-476,

Products Affected

Vendor Product Version
canonical ubuntu_linux 17.10
zsh zsh *
CVE-2018-7549 MEDIUM

In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, as demonstrated by typeset -p.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
canonical ubuntu_linux 17.10
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 7.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 14.04
zsh zsh *
CVE-2019-20044 HIGH

In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid().

CVSS 2.0

Severity: HIGH

Problem Type: CWE-273,

Products Affected

Vendor Product Version
apple mac_os_x 10.14.6
debian debian_linux 8.0
fedoraproject fedora 31
apple ipados *
debian debian_linux 9.0
zsh zsh *
apple mac_os_x 10.13.6
apple mac_os_x *
fedoraproject fedora 30
apple tvos *
apple iphone_os *
apple watchos *
CVE-2021-45444 MEDIUM

In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
apple macos *
fedoraproject fedora 35
debian debian_linux 11.0
apple mac_os_x *
fedoraproject fedora 34
apple mac_os_x 10.15.7
debian debian_linux 9.0
debian debian_linux 10.0
zsh zsh *