author | Axel Beckert <abe@deuxchevaux.org> | 2018-04-07 15:15:39 +0200 |
---|---|---|
committer | Axel Beckert <abe@deuxchevaux.org> | 2018-04-07 15:15:39 +0200 |
commit | b54a7e5506f19208f8109fe90ef5dffd44ef2fad (patch) | |
tree | ba9f00a338105e982eadbf060600ca0da0e36899 | |
parent | 6e1ab9aa550695ee7e3d467b4173c0b83ba7f759 (diff) | |
Drop cherry-picked patches for CVE-2018-1071 and CVE-2018-1083
-rw-r--r-- | debian/patches/CVE-2018-1071.patch | 34 | ||||
-rw-r--r-- | debian/patches/CVE-2018-1083.patch | 37 | ||||
-rw-r--r-- | debian/patches/series | 2 |
3 files changed, 0 insertions, 73 deletions
diff --git a/debian/patches/CVE-2018-1071.patch b/debian/patches/CVE-2018-1071.patch
deleted file mode 100644
index 89ca5853f..000000000
--- a/debian/patches/CVE-2018-1071.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Description: CVE-2018-1071
- Check bounds when copying path in hashcmd().
-Origin: 679b71ec4d852037fe5f73d35bf557b0f406c8d4
-Author: Oliver Kiddle <okiddle@yahoo.co.uk>
-Bug-Debian: https://bugs.debian.org/894043
-Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1083
-
---- a/Src/exec.c
-+++ b/Src/exec.c
-@@ -920,7 +920,7 @@
- for (; *pp; pp++)
- if (**pp == '/') {
- s = buf;
-- strucpy(&s, *pp);
-+ struncpy(&s, *pp, PATH_MAX);
- *s++ = '/';
- if ((s - buf) + strlen(arg0) >= PATH_MAX)
- continue;
---- a/Src/utils.c
-+++ b/Src/utils.c
-@@ -2283,10 +2283,10 @@
- {
- char *u = *s;
-
-- while (n--)
-- *u++ = *t++;
-+ while (n-- && (*u++ = *t++));
- *s = u;
-- *u = '\0';
-+ if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
-+ *u = '\0';
- }
-
- /* Return the number of elements in an array of pointers. *
diff --git a/debian/patches/CVE-2018-1083.patch b/debian/patches/CVE-2018-1083.patch
deleted file mode 100644
index 3e30c3cbd..000000000
--- a/debian/patches/CVE-2018-1083.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Description: CVE-2018-1083
- Check bounds on PATH_MAX-sized buffer used for file completion
- candidates.
-Origin: 259ac472eac291c8c103c7a0d8a4eaf3c2942ed7
-Author: Oliver Kiddle <okiddle@yahoo.co.uk>
-Bug-Debian: https://bugs.debian.org/894043
-Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1083
-
---- a/Src/Zle/compctl.c
-+++ b/Src/Zle/compctl.c
-@@ -2176,6 +2176,8 @@ gen_matches_files(int dirs, int execs, int all)
- if (prpre && *prpre) {
- pathpref = dupstring(prpre);
- unmetafy(pathpref, &pathpreflen);
-+ if (pathpreflen > PATH_MAX)
-+ return;
- /* system needs NULL termination, not provided by unmetafy */
- pathpref[pathpreflen] = '\0';
- } else {
-@@ -2218,6 +2220,8 @@ gen_matches_files(int dirs, int execs, int all)
- * the path buffer by appending the filename. */
- ums = dupstring(n);
- unmetafy(ums, ¨en);
-+ if (umlen + pathpreflen + 1 > PATH_MAX)
-+ continue;
- memcpy(q, ums, umlen);
- q[umlen] = '\0';
- /* And do the stat. */
-@@ -2232,6 +2236,8 @@ gen_matches_files(int dirs, int execs, int all)
- /* We have to test for a path suffix. */
- int o = strlen(p), tt;
-
-+ if (o + strlen(psuf) > PATH_MAX)
-+ continue;
- /* Append it to the path buffer. */
- strcpy(p + o, psuf);
-
diff --git a/debian/patches/series b/debian/patches/series
index d05bc6244..cb6fdacc2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,2 @@
 further-mitigate-test-suite-hangs.patch
 update-debian-sections.patch
-CVE-2018-1071.patch
-CVE-2018-1083.patch
|