Posted: Sun Mar 10, 2019 3:26 am Post subject: [ GLSA 201903-02 ] Zsh
Gentoo Linux Security Advisory
Title: Zsh: User-assisted execution of arbitrary code (GLSA 201903-02)
Exploitable: local, remote
Input validation errors in Zsh could result in arbitrary code
A shell designed for interactive use, although it is also a powerful
Vulnerable: < 5.6
Unaffected: >= 5.6
Architectures: All supported architectures
Two input validation errors have been discovered in how Zsh parses
- Parsing a malformed shebang line could cause Zsh to call a program
listed in the second line (CVE-2018-0502)
- Shebang lines longer than 64 characters are truncated
An attacker could entice a user to execute a specially crafted script
using Zsh, possibly resulting in execution of arbitrary code with the
privileges of the process.
There is no known workaround at this time.
All Zsh users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/zsh-5.6"
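
The following triage script is an added example, not part of the advisory: it checks a Zsh version string against the "Vulnerable: < 5.6" bound and lists files whose shebang line is longer than the 64 characters mentioned above. The function names are hypothetical, and counting the whole first line including "#!" toward the 64 characters is an assumption.

```shell
#!/bin/sh
# Added example: triage helpers for GLSA 201903-02 (not part of the advisory).

# Succeeds (0) when VERSION, e.g. "5.5.1", is below 5.6, the advisory's
# "Vulnerable: < 5.6" bound. Compares numerically so that 5.10 > 5.6.
zsh_version_is_vulnerable() {
    major=${1%%.*}
    rest=${1#*.}
    if [ "$rest" = "$1" ]; then rest=0; fi   # no minor component given
    minor=${rest%%[!0-9]*}                    # keep leading digits only
    [ -n "$minor" ] || minor=0
    [ "$major" -lt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -lt 6 ] && return 0
    return 1
}

# Succeeds (0) when FILE starts with "#!" and its first line is longer
# than LIMIT characters (default 64, the length named in the advisory).
# Assumption: the count covers the whole line, including "#!".
shebang_exceeds_limit() {
    limit=${2:-64}
    first=$(head -n 1 -- "$1" 2>/dev/null) || return 1
    case $first in
        '#!'*) [ "${#first}" -gt "$limit" ] ;;
        *) return 1 ;;
    esac
}

# Print every regular file under DIR whose shebang line exceeds the limit.
find_long_shebangs() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if shebang_exceeds_limit "$f"; then printf '%s\n' "$f"; fi
    done
}

# Stand-alone use: sh check.sh DIR  (DIR is a directory of scripts to audit)
if [ "$#" -gt 0 ]; then
    if command -v zsh >/dev/null 2>&1; then
        v=$(zsh --version | awk '{print $2}')
        if zsh_version_is_vulnerable "$v"; then
            echo "zsh $v is below 5.6: upgrade"
        fi
    fi
    find_long_shebangs "$1"
fi
```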