File CVE-2018-1071.patch of Package zsh.23099

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2018-1071.patch of Package zsh.23099

Backported of:

From 679b71ec4d852037fe5f73d35bf557b0f406c8d4 Mon Sep 17 00:00:00 2001
From: Oliver Kiddle <okiddle@yahoo.co.uk>
Date: Sat, 24 Mar 2018 15:02:41 +0100
Subject: [PATCH] 42518, CVE-2018-1071: check bounds when copying path in
 hashcmd()
Index: zsh-5.0.5/Src/exec.c
===================================================================
--- zsh-5.0.5.orig/Src/exec.c
+++ zsh-5.0.5/Src/exec.c
@@ -868,7 +868,7 @@ hashcmd(char *arg0, char **pp)
     for (; *pp; pp++)
 	if (**pp == '/') {
 	    s = buf;
-	    strucpy(&s, *pp);
+	    struncpy(&s, *pp, PATH_MAX);
 	    *s++ = '/';
 	    if ((s - buf) + strlen(arg0) >= PATH_MAX)
 		continue;
Index: zsh-5.0.5/Src/utils.c
===================================================================
--- zsh-5.0.5.orig/Src/utils.c
+++ zsh-5.0.5/Src/utils.c
@@ -2014,10 +2014,10 @@ struncpy(char **s, char *t, int n)
 {
     char *u = *s;
 
-    while (n--)
-	*u++ = *t++;
+    while (n-- && (*u++ = *t++));
     *s = u;
-    *u = '\0';
+    if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
+	*u = '\0';
 }
 
 /* Return the number of elements in an array of pointers. *

Places

File CVE-2018-1071.patch of Package zsh.23099

Places