main/zsh: fix CVE-2018-1071, CVE-2018-1083

3 files changed, 93 insertions, 6 deletions

diff --git a/main/zsh/APKBUILD b/main/zsh/APKBUILD
index 760c1263c0..fded886cde 100644
--- a/main/zsh/APKBUILD
+++ b/main/zsh/APKBUILD
@@ -1,8 +1,14 @@
 # Contributor: <kalonji@gmail.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+#
+# secfixes:
+#   5.2-r2:
+#     - CVE-2018-1083
+#     - CVE-2018-1071
+#
 pkgname=zsh
 pkgver=5.2
-pkgrel=1
+pkgrel=2
 pkgdesc="A very advanced and programmable command interpreter (shell)"
 url="http://www.zsh.org/"
 arch="all"
@@ -10,9 +16,11 @@ license="BSD"
 depends=
 makedepends=ncurses-dev
 install="zsh.post-install zsh.post-upgrade zsh.pre-deinstall"
-source="http://www.zsh.org/pub/$pkgname-$pkgver.tar.xz
+source="http://www.zsh.org/pub/old/$pkgname-$pkgver.tar.xz
 	zprofile
-	fix-zle-segfault.patch"
+	fix-zle-segfault.patch
+	CVE-2018-1071.patch
+	CVE-2018-1083.patch"
 subpackages="$pkgname-doc"
 
 _builddir="$srcdir"/$pkgname-$pkgver
@@ -53,10 +61,16 @@ package() {
 }
 md5sums="afe96fde08b70e23c1cab1ca7a68fb34  zsh-5.2.tar.xz
 a5e93cd6880da04a63fc4fcaaa03987f  zprofile
-1413688affa980b053dd2cdc784f8626  fix-zle-segfault.patch"
+1413688affa980b053dd2cdc784f8626  fix-zle-segfault.patch
+bd6114acb5c860221caa33474f39ca8b  CVE-2018-1071.patch
+d19a32cdbbd7552df2b25c41dc1c0f4c  CVE-2018-1083.patch"
 sha256sums="f17916320ffaa844bbd7ce48ceeb5945fc5f3eff64b149b4229bbfbdf3795a9d  zsh-5.2.tar.xz
 e3c3625d966c8277274798f26241857df5fc520e18674deba6cc356f6b022d63  zprofile
-7b8bfec6f7c0df6954eb27a000ff1d077e37a1ec9fd9f37c247a53922cf0c9be  fix-zle-segfault.patch"
+7b8bfec6f7c0df6954eb27a000ff1d077e37a1ec9fd9f37c247a53922cf0c9be  fix-zle-segfault.patch
+06ef561b4d1f174625971643ea54cbf75335fe456110f8a26b764b78b37285e9  CVE-2018-1071.patch
+d53d8db4abf80e262ae48da56cd103881521e94fa25bac5573617cbbed06e76c  CVE-2018-1083.patch"
 sha512sums="9938af95e09203a0a313f441e0c23279136806f6f087475ca9a66c678c57ecffc87f73ece8133a36700af8de7cb5d1bec8559eabdec2b66102062e64026c2e72  zsh-5.2.tar.xz
 59182b99447872ded8adf0d890e9359ee47fce0b7acb2808f4308f945885fbf6d977a0917bbb5c0f21454caf3ba06ab092127732da4f84292d6ab0989a0110fe  zprofile
-f17016b4cb95932caabdfca273696f4a444f1e45c8e7d458db54ae12542fce87bdd6fc6c4cd070948041f50760389179c69c12296665b7b9651007faafbdbee7  fix-zle-segfault.patch"
+f17016b4cb95932caabdfca273696f4a444f1e45c8e7d458db54ae12542fce87bdd6fc6c4cd070948041f50760389179c69c12296665b7b9651007faafbdbee7  fix-zle-segfault.patch
+9e645c31ace8e255a3859fe732572be7e4f7bde025c17f0cc4cdfedfc5ffb30b42e5051162efcb2f58bb89e92701dab0528fa3157faf2445aca3cec3d85e1da8  CVE-2018-1071.patch
+4e4c3c67c4ce73607d735e99884ca2ef833f4f8859f30882b69bf6e785f99a4637c0650f6a8d474e0f3d86f7400499557a04c327990ef999c1aedca598e13848  CVE-2018-1083.patch"
diff --git a/main/zsh/CVE-2018-1071.patch b/main/zsh/CVE-2018-1071.patch
new file mode 100644
index 0000000000..8cb7fb2a54
--- /dev/null
+++ b/main/zsh/CVE-2018-1071.patch
@@ -0,0 +1,37 @@
+From 679b71ec4d852037fe5f73d35bf557b0f406c8d4 Mon Sep 17 00:00:00 2001
+From: Oliver Kiddle <okiddle@yahoo.co.uk>
+Date: Sat, 24 Mar 2018 15:02:41 +0100
+Subject: [PATCH] 42518, CVE-2018-1071: check bounds when copying path in
+ hashcmd()
+
+diff --git a/Src/exec.c b/Src/exec.c
+index 35b0bb191..e154d1249 100644
+--- a/Src/exec.c
++++ b/Src/exec.c
+@@ -920,7 +920,7 @@ hashcmd(char *arg0, char **pp)
+     for (; *pp; pp++)
+ 	if (**pp == '/') {
+ 	    s = buf;
+-	    strucpy(&s, *pp);
++	    struncpy(&s, *pp, PATH_MAX);
+ 	    *s++ = '/';
+ 	    if ((s - buf) + strlen(arg0) >= PATH_MAX)
+ 		continue;
+diff --git a/Src/utils.c b/Src/utils.c
+index 3b589aa35..998b16220 100644
+--- a/Src/utils.c
++++ b/Src/utils.c
+@@ -2283,10 +2283,10 @@ struncpy(char **s, char *t, int n)
+ {
+     char *u = *s;
+ 
+-    while (n--)
+-	*u++ = *t++;
++    while (n-- && (*u++ = *t++));
+     *s = u;
+-    *u = '\0';
++    if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
++	*u = '\0';
+ }
+ 
+ /* Return the number of elements in an array of pointers. *
diff --git a/main/zsh/CVE-2018-1083.patch b/main/zsh/CVE-2018-1083.patch
new file mode 100644
index 0000000000..104ba1fc58
--- /dev/null
+++ b/main/zsh/CVE-2018-1083.patch
@@ -0,0 +1,36 @@
+From 259ac472eac291c8c103c7a0d8a4eaf3c2942ed7 Mon Sep 17 00:00:00 2001
+From: Oliver Kiddle <okiddle@yahoo.co.uk>
+Date: Sat, 24 Mar 2018 15:04:39 +0100
+Subject: [PATCH] 42519, CVE-2018-1083: check bounds on PATH_MAX-sized buffer
+ used for file completion candidates
+
+diff --git a/Src/Zle/compctl.c b/Src/Zle/compctl.c
+index e9d165780..87d13afc1 100644
+--- a/Src/Zle/compctl.c
++++ b/Src/Zle/compctl.c
+@@ -2176,6 +2176,8 @@ gen_matches_files(int dirs, int execs, int all)
+     if (prpre && *prpre) {
+ 	pathpref = dupstring(prpre);
+ 	unmetafy(pathpref, &pathpreflen);
++	if (pathpreflen > PATH_MAX)
++	    return;
+ 	/* system needs NULL termination, not provided by unmetafy */
+ 	pathpref[pathpreflen] = '\0';
+     } else {
+@@ -2218,6 +2220,8 @@ gen_matches_files(int dirs, int execs, int all)
+ 		     * the path buffer by appending the filename.       */
+ 		    ums = dupstring(n);
+ 		    unmetafy(ums, &umlen);
++		    if (umlen + pathpreflen + 1 > PATH_MAX)
++			continue;
+ 		    memcpy(q, ums, umlen);
+ 		    q[umlen] = '\0';
+ 		    /* And do the stat. */
+@@ -2232,6 +2236,8 @@ gen_matches_files(int dirs, int execs, int all)
+ 			/* We have to test for a path suffix. */
+ 			int o = strlen(p), tt;
+ 
++			if (o + strlen(psuf) > PATH_MAX)
++			    continue;
+ 			/* Append it to the path buffer. */
+ 			strcpy(p + o, psuf);