1 files changed, 37 insertions, 0 deletions

diff --git a/debian/patches/CVE-2018-1083.patch b/debian/patches/CVE-2018-1083.patch
new file mode 100644
index 000000000..3e30c3cbd
--- /dev/null
+++ b/debian/patches/CVE-2018-1083.patch
@@ -0,0 +1,37 @@
+Description: CVE-2018-1083
+ Check bounds on PATH_MAX-sized buffer used for file completion
+ candidates.
+Origin: 259ac472eac291c8c103c7a0d8a4eaf3c2942ed7
+Author: Oliver Kiddle <okiddle@yahoo.co.uk>
+Bug-Debian: https://bugs.debian.org/894043
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1083
+
+--- a/Src/Zle/compctl.c
++++ b/Src/Zle/compctl.c
+@@ -2176,6 +2176,8 @@ gen_matches_files(int dirs, int execs, int all)
+     if (prpre && *prpre) {
+ 	pathpref = dupstring(prpre);
+ 	unmetafy(pathpref, &pathpreflen);
++	if (pathpreflen > PATH_MAX)
++	    return;
+ 	/* system needs NULL termination, not provided by unmetafy */
+ 	pathpref[pathpreflen] = '\0';
+     } else {
+@@ -2218,6 +2220,8 @@ gen_matches_files(int dirs, int execs, int all)
+ 		     * the path buffer by appending the filename.       */
+ 		    ums = dupstring(n);
+ 		    unmetafy(ums, &umlen);
++		    if (umlen + pathpreflen + 1 > PATH_MAX)
++			continue;
+ 		    memcpy(q, ums, umlen);
+ 		    q[umlen] = '\0';
+ 		    /* And do the stat. */
+@@ -2232,6 +2236,8 @@ gen_matches_files(int dirs, int execs, int all)
+ 			/* We have to test for a path suffix. */
+ 			int o = strlen(p), tt;
+ 
++			if (o + strlen(psuf) > PATH_MAX)
++			    continue;
+ 			/* Append it to the path buffer. */
+ 			strcpy(p + o, psuf);
+