-rw-r--r-- | debian/patches/CVE-2018-1071.patch | 34 | ||||
-rw-r--r-- | debian/patches/CVE-2018-1083.patch | 37 | ||||
-rw-r--r-- | debian/patches/series | 2 |
3 files changed, 73 insertions, 0 deletions
diff --git a/debian/patches/CVE-2018-1071.patch b/debian/patches/CVE-2018-1071.patch
new file mode 100644
index 000000000..89ca5853f
--- /dev/null
+++ b/debian/patches/CVE-2018-1071.patch
@@ -0,0 +1,34 @@
+Description: CVE-2018-1071
+ Check bounds when copying path in hashcmd().
+Origin: 679b71ec4d852037fe5f73d35bf557b0f406c8d4
+Author: Oliver Kiddle <okiddle@yahoo.co.uk>
+Bug-Debian: https://bugs.debian.org/894043
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1083
+
+--- a/Src/exec.c
++++ b/Src/exec.c
+@@ -920,7 +920,7 @@
+ for (; *pp; pp++)
+ if (**pp == '/') {
+ s = buf;
+- strucpy(&s, *pp);
++ struncpy(&s, *pp, PATH_MAX);
+ *s++ = '/';
+ if ((s - buf) + strlen(arg0) >= PATH_MAX)
+ continue;
+--- a/Src/utils.c
++++ b/Src/utils.c
+@@ -2283,10 +2283,10 @@
+ {
+ char *u = *s;
+
+- while (n--)
+- *u++ = *t++;
++ while (n-- && (*u++ = *t++));
+ *s = u;
+- *u = '\0';
++ if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
++ *u = '\0';
+ }
+
+ /* Return the number of elements in an array of pointers. *
diff --git a/debian/patches/CVE-2018-1083.patch b/debian/patches/CVE-2018-1083.patch
new file mode 100644
index 000000000..3e30c3cbd
--- /dev/null
+++ b/debian/patches/CVE-2018-1083.patch
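Review bot: In CVE-2018-1071.patch, the rewritten struncpy() loop `while (n-- && (*u++ = *t++));` post-increments `u` even on the iteration that copies the terminating NUL, so `*s` is left one byte past the terminator instead of on it as before; the hashcmd() hunk then does `*s++ = '/';`, which would land after the NUL and leave the directory string cut off from the name appended after it. Advancing only on non-NUL bytes keeps the old contract: `while (n-- && (*u = *t++)) u++;`. When the source is PATH_MAX bytes or longer, the loop stops with no terminator written and `*s` at `buf + PATH_MAX`, and the caller's length check runs only after the `'/'` store, so that store needs its own bound (the declaration of `buf` is outside the hunk, so whether it overruns cannot be confirmed here). Separately, the patch header's `Bug-CVE:` URL names CVE-2018-1083 while the Description says CVE-2018-1071. Both function bodies start and end outside the hunks.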
@@ -0,0 +1,37 @@
+Description: CVE-2018-1083
+ Check bounds on PATH_MAX-sized buffer used for file completion
+ candidates.
+Origin: 259ac472eac291c8c103c7a0d8a4eaf3c2942ed7
+Author: Oliver Kiddle <okiddle@yahoo.co.uk>
+Bug-Debian: https://bugs.debian.org/894043
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1083
+
+--- a/Src/Zle/compctl.c
++++ b/Src/Zle/compctl.c
+@@ -2176,6 +2176,8 @@ gen_matches_files(int dirs, int execs, int all)
+ if (prpre && *prpre) {
+ pathpref = dupstring(prpre);
+ unmetafy(pathpref, &pathpreflen);
++ if (pathpreflen > PATH_MAX)
++ return;
+ /* system needs NULL termination, not provided by unmetafy */
+ pathpref[pathpreflen] = '\0';
+ } else {
+@@ -2218,6 +2220,8 @@ gen_matches_files(int dirs, int execs, int all)
+ * the path buffer by appending the filename. */
+ ums = dupstring(n);
+ unmetafy(ums, ¨en);
++ if (umlen + pathpreflen + 1 > PATH_MAX)
++ continue;
+ memcpy(q, ums, umlen);
+ q[umlen] = '\0';
+ /* And do the stat. */
+@@ -2232,6 +2236,8 @@ gen_matches_files(int dirs, int execs, int all)
+ /* We have to test for a path suffix. */
+ int o = strlen(p), tt;
+
++ if (o + strlen(psuf) > PATH_MAX)
++ continue;
+ /* Append it to the path buffer. */
+ strcpy(p + o, psuf);
+
diff --git a/debian/patches/series b/debian/patches/series
index cb6fdacc2..d05bc6244 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
 further-mitigate-test-suite-hangs.patch
 update-debian-sections.patch
+CVE-2018-1071.patch
+CVE-2018-1083.patch |
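Review bot: In CVE-2018-1083.patch, the guard in the third compctl.c hunk, `if (o + strlen(psuf) > PATH_MAX)`, still lets `o + strlen(psuf) == PATH_MAX` through, and the following `strcpy(p + o, psuf)` then writes PATH_MAX + 1 bytes counting the terminator. If `p` is the PATH_MAX-sized buffer the description refers to (its declaration is outside the hunk), the test should be `if (o + strlen(psuf) >= PATH_MAX)`, matching the `+ 1` that the second hunk already allows for its NUL. The `¨en` argument to unmetafy() in the second hunk looks like a rendering artefact of `&umlen`, going by the use of `umlen` on the next line. gen_matches_files() starts and ends outside all three hunks.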