UbuntuUpdates.org

Package "zsh-static"

Name: zsh-static

Description:

shell with lots of features (static link)

Latest version: 5.4.2-3ubuntu3.2
Release: bionic (18.04)
Level: security
Repository: universe
Head package: zsh
Homepage: https://www.zsh.org/

Links


Download "zsh-static"


Other versions of "zsh-static" in Bionic

Repository Area Version
base universe 5.4.2-3ubuntu3
updates universe 5.4.2-3ubuntu3.2

Changelog

Version: 5.4.2-3ubuntu3.2 2022-03-15 14:06:23 UTC

  zsh (5.4.2-3ubuntu3.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Regain dropped privileges
    - debian/patches/CVE-2019-20044-pre.patch: change the order of the calls to
      setgid (this should go first) and setuid in Src/options.c.
    - debian/patches/CVE-2019-20044-1.patch: add extra checks to drop privileges
      securely in Src/options.c.
    - debian/patches/CVE-2019-20044-2.patch: add Src/openssh_bsd_setres_id.c
      and its object file to Src/zsh.mdd, fix some of the checks from the
      previous patch in Src/options.c, update compatibility wrappers in
      Src/zsh_system.h, update the uid/gid methods in AC_CHECK_FUNCS in
      configure.ac and add a test in Test/E01options.ztst.
    - debian/patches/CVE-2019-20044-3.patch: improve Src/options.c changes from
      above two patches.
    - debian/patches/CVE-2019-20044-4.patch: clean up white spaces in
      Src/options.c.
    - debian/patches/CVE-2019-20044-5.patch: add privileged tests to
      Test/P01privileged.ztst, remove the notes on privileged test in
      Test/E01options.ztst and add the prilived tests to the Test/README.
    - CVE-2019-20044
  * SECURITY UPDATE: Arbitrary code execution
    - debian/patches/CVE-2021-45444.patch: save PROMPTSUBST option before
      the call to promptexpand() in b/Src/prompt.c and restore after it is
      executed.
    - CVE-2021-45444

 -- Rodrigo Figueiredo Zaiden <email address hidden> Fri, 11 Mar 2022 10:46:35 -0300

Source diff to previous version
CVE-2019-20044 In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved u
CVE-2021-45444 In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. Thi

Version: 5.4.2-3ubuntu3.1 2018-09-11 21:06:36 UTC

  zsh (5.4.2-3ubuntu3.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Arbitrary code execution
    - debian/patches/CVE-2018-0502-and-CVE-2018-13259.patch:
      fix in Src/exec.c and add test Test/A05execution.ztst.
    - CVE-2018-0502
    - CVE-2018-13259
  * SECURITY UPDATE: Stack-based buffer overflow
    - debian/patches/CVE-2018-1100.patch: fix int Src/utils.c.
    - CVE-2018-1100

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 10 Sep 2018 17:02:52 -0300

CVE-2018-0502 An issue was discovered in zsh before 5.6. The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named
CVE-2018-13259 An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program n
CVE-2018-1100 zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the utils.c:checkmailpath function. A local attacker could exploit this t



About   -   Send Feedback to @ubuntu_updates