Zsh: User-assisted execution of arbitrary code — GLSA 201903-02

Input validation errors in Zsh could result in arbitrary code execution.

Affected Packages

app-shells/zsh on all architectures
Affected versions < 5.6
Unaffected versions >= 5.6

Background

A shell designed for interactive use, although it is also a powerful scripting language.

Description

Two input validation errors have been discovered in how Zsh parses scripts:

  • Parsing a malformed shebang line could cause Zsh to call a program listed in the second line (CVE-2018-0502)
  • Shebang lines longer than 64 characters are truncated (CVE-2018-13259)

Impact

An attacker could entice a user to execute a specially crafted script using Zsh, possibly resulting in execution of arbitrary code with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All Zsh users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-shells/zsh-5.6"
 

References

Release Date
March 10, 2019

Latest Revision
March 10, 2019: 1

Severity
normal

Exploitable
local, remote

Bugzilla entries