SUSE:SLE-12:Update
File CVE-2018-1100.patch of Package zsh
diff --color -ruN zsh-5.0.5.ori/ChangeLog zsh-5.0.5.new/ChangeLog --- zsh-5.0.5.ori/ChangeLog 2022-03-01 11:47:55.938370028 +0100 +++ zsh-5.0.5.new/ChangeLog 2022-03-01 11:48:58.422878878 +0100 @@ -3,6 +3,11 @@ * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive PROMPT_SUBST +2018-04-07 Oliver Kiddle <okiddle@yahoo.co.uk> + + * 42607, CVE-2018-1100: Src/utils.c: check bounds on buffer + in mail checking + 2014-01-05 Peter Stephenson <p.w.stephenson@ntlworld.com> * unposted: Config/version.mk, Doc/Zsh/compsys.yo: update diff --color -ruN zsh-5.0.5.ori/Src/utils.c zsh-5.0.5.new/Src/utils.c --- zsh-5.0.5.ori/Src/utils.c 2022-03-01 11:46:13.025531955 +0100 +++ zsh-5.0.5.new/Src/utils.c 2022-03-01 11:50:55.687833863 +0100 @@ -900,7 +900,7 @@ /* * See if a path has a named directory as its prefix. - * If passed a NULL argument, it will invalidate any + * If passed a NULL argument, it will invalidate any * cached information. * * s here is metafied. @@ -1423,7 +1423,7 @@ LinkList l; DIR *lock = opendir(unmeta(*s)); char buf[PATH_MAX * 2 + 1], **arr, **ap; - int ct = 1; + int buflen, ct = 1; if (lock) { char *fn; @@ -1432,9 +1432,11 @@ l = newlinklist(); while ((fn = zreaddir(lock, 1)) && !errflag) { if (u) - sprintf(buf, "%s/%s?%s", *s, fn, u); + buflen = snprintf(buf, sizeof(buf), "%s/%s?%s", *s, fn, u); else - sprintf(buf, "%s/%s", *s, fn); + buflen = snprintf(buf, sizeof(buf), "%s/%s", *s, fn); + if (buflen < 0 || buflen >= (int)sizeof(buf)) + continue; addlinknode(l, dupstring(buf)); ct++; } @@ -4128,7 +4130,7 @@ char *p; const char *t; int newsz, meta; - + meta = 0; for (t = file_name; *t; t++) { if (*t == Meta) @@ -4751,7 +4753,7 @@ * If e is non-zero, the * pointer it points to may point to a position in s and in e the position * of the corresponding character in the quoted string is returned. - * + * * The last argument is a QT_ value defined in zsh.h other than QT_NONE. * * Most quote styles other than backslash assume the quotes are to
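Review bot: in the `@@ -1432,9 +1432,11 @@` hunk of Src/utils.c, the `continue` taken when `buflen < 0 || buflen >= (int)sizeof(buf)` drops an over-long entry from the `zreaddir` loop without any trace, so a path that does not fit in `buf` is silently left out of the mail check. Add a one-line comment stating that the skip is intentional, or emit a warning there so the omission can be diagnosed. The test itself matches `snprintf` semantics (negative on error, a return value of at least the buffer size on truncation), and skipping before `addlinknode(l, dupstring(buf))` and `ct++` keeps the count consistent with the list.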
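Review bot: the hunks at `@@ -900,7 +900,7 @@`, `@@ -4128,7 +4130,7 @@` and `@@ -4751,7 +4753,7 @@` in Src/utils.c change only whitespace (the removed and added lines carry the same text), which is unrelated to the bounds check named in the ChangeLog entry. Drop them so the patch contains only the ChangeLog entry and the `sprintf` to `snprintf` change; a security fix limited to the lines that matter is easier to audit and less likely to conflict with other patches against utils.c.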