File CVE-2018-1100.patch of Package zsh.23099
diff --color -ruN zsh-5.0.5.ori/ChangeLog zsh-5.0.5.new/ChangeLog
--- zsh-5.0.5.ori/ChangeLog 2022-03-01 11:47:55.938370028 +0100
+++ zsh-5.0.5.new/ChangeLog 2022-03-01 11:48:58.422878878 +0100
@@ -3,6 +3,11 @@
* Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive
PROMPT_SUBST
+2018-04-07 Oliver Kiddle <okiddle@yahoo.co.uk>
+
+ * 42607, CVE-2018-1100: Src/utils.c: check bounds on buffer
+ in mail checking
+
2014-01-05 Peter Stephenson <p.w.stephenson@ntlworld.com>
* unposted: Config/version.mk, Doc/Zsh/compsys.yo: update
diff --color -ruN zsh-5.0.5.ori/Src/utils.c zsh-5.0.5.new/Src/utils.c
--- zsh-5.0.5.ori/Src/utils.c 2022-03-01 11:46:13.025531955 +0100
+++ zsh-5.0.5.new/Src/utils.c 2022-03-01 11:50:55.687833863 +0100
@@ -900,7 +900,7 @@
/*
* See if a path has a named directory as its prefix.
- * If passed a NULL argument, it will invalidate any
+ * If passed a NULL argument, it will invalidate any
* cached information.
*
* s here is metafied.
@@ -1423,7 +1423,7 @@
LinkList l;
DIR *lock = opendir(unmeta(*s));
char buf[PATH_MAX * 2 + 1], **arr, **ap;
- int ct = 1;
+ int buflen, ct = 1;
if (lock) {
char *fn;
@@ -1432,9 +1432,11 @@
l = newlinklist();
while ((fn = zreaddir(lock, 1)) && !errflag) {
if (u)
- sprintf(buf, "%s/%s?%s", *s, fn, u);
+ buflen = snprintf(buf, sizeof(buf), "%s/%s?%s", *s, fn, u);
else
- sprintf(buf, "%s/%s", *s, fn);
+ buflen = snprintf(buf, sizeof(buf), "%s/%s", *s, fn);
+ if (buflen < 0 || buflen >= (int)sizeof(buf))
+ continue;
addlinknode(l, dupstring(buf));
ct++;
}
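Review bot: The `continue` under `if (buflen < 0 || buflen >= (int)sizeof(buf))` drops the directory entry without a comment or any diagnostic, so a reader cannot tell that skipping is the intended response to an over-long path. I would add a comment above the check such as `/* name does not fit in buf: skip the entry rather than queue a truncated path */`. A truncated string must not reach `dupstring(buf)`, since the mail check would then look at a different path from the one on disk. Whether a skipped entry should also be reported to the user cannot be judged from here, because the enclosing function starts and ends outside the hunk.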
@@ -4128,7 +4130,7 @@
char *p;
const char *t;
int newsz, meta;
-
+
meta = 0;
for (t = file_name; *t; t++) {
if (*t == Meta)
@@ -4751,7 +4753,7 @@
* If e is non-zero, the
* pointer it points to may point to a position in s and in e the position
* of the corresponding character in the quoted string is returned.
- *
+ *
* The last argument is a QT_ value defined in zsh.h other than QT_NONE.
*
* Most quote styles other than backslash assume the quotes are to