Input validation errors in Zsh could result in arbitrary code execution.
Package | app-shells/zsh on all architectures |
---|---|
Affected versions | < 5.6 |
Unaffected versions | >= 5.6 |
A shell designed for interactive use, although it is also a powerful scripting language.
Two input validation errors have been discovered in how Zsh parses scripts:
An attacker could entice a user to execute a specially crafted script using Zsh, possibly resulting in execution of arbitrary code with the privileges of the process.
There is no known workaround at this time.
All Zsh users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-shells/zsh-5.6"
Release date
March 10, 2019
Latest revision
March 10, 2019: 1
Severity
normal
Exploitable
local, remote
Bugzilla entries