Vulnerabilities > CVE-2018-0502 - Improper Input Validation vulnerability in multiple products

Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary
An issue was discovered in zsh before 5.6. The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection: An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting: An attacker is able to cause a victim to load content into their web browser that bypasses security zone controls and gains access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content they are allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files: An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection: An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or a part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes the data plane by spawning new commands to be executed on the host.
Nessus
NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2018-2686-1.NASL
description: This update for zsh to version 5.6 fixes the following security issues : CVE-2018-0502: The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line (bsc#1107296). CVE-2018-13259: Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one (bsc#1107294). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-03-19
modified: 2019-01-02
plugin id: 120096
published: 2019-01-02
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/120096
title: SUSE SLED15 / SLES15 Security Update : zsh (SUSE-SU-2018:2686-1)
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2018:2686-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(120096);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/18");

  script_cve_id("CVE-2018-0502", "CVE-2018-13259");

  script_name(english:"SUSE SLED15 / SLES15 Security Update : zsh (SUSE-SU-2018:2686-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for zsh to version 5.6 fixes the following security
issues :

CVE-2018-0502: The beginning of a #! script file was mishandled,
potentially leading to an execve call to a program named on the second
line (bsc#1107296).

CVE-2018-13259: Shebang lines exceeding 64 characters were truncated,
potentially leading to an execve call to a program name that is a
substring of the intended one (bsc#1107294).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable has
attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1107294"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1107296"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2018-0502/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2018-13259/"
  );
  # https://www.suse.com/support/update/announcement/2018/suse-su-20182686-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?60ddd737"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use the SUSE recommended
installation methods like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch
SUSE-SLE-Module-Basesystem-15-2018-1880=1"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:zsh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:zsh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:zsh-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/09/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/02");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLED15|SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED15 / SLES15", "SUSE " + os_ver);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES15" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP0", os_ver + " SP" + sp);
if (os_ver == "SLED15" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLED15 SP0", os_ver + " SP" + sp);


flag = 0;
if (rpm_check(release:"SLES15", sp:"0", reference:"zsh-5.6-3.6.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", reference:"zsh-debuginfo-5.6-3.6.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", reference:"zsh-debugsource-5.6-3.6.1")) flag++;
if (rpm_check(release:"SLED15", sp:"0", reference:"zsh-5.6-3.6.1")) flag++;
if (rpm_check(release:"SLED15", sp:"0", reference:"zsh-debuginfo-5.6-3.6.1")) flag++;
if (rpm_check(release:"SLED15", sp:"0", reference:"zsh-debugsource-5.6-3.6.1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "zsh");
}
NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2018-1094.NASL
description: This update for zsh to version 5.6.2 fixes the following issues : These security issues were fixed : - CVE-2018-0502: The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line (bsc#1107296) - CVE-2018-13259: Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one (bsc#1107294) - CVE-2018-1100: Prevent stack-based buffer overflow in the utils.c:checkmailpath function that allowed local attackers to execute arbitrary code in the context of another user (bsc#1089030). - CVE-2018-1071: Prevent stack-based buffer overflow in the exec.c:hashcmd() function that allowed local attackers to cause a denial of service (bsc#1084656). - CVE-2018-1083: Prevent buffer overflow in the shell autocomplete functionality that allowed local unprivileged users to create a specially crafted directory path which lead to code execution in the context of the user who tries to use autocomplete to traverse the mentioned path (bsc#1087026). - Disallow evaluation of the initial values of integer variables imported from the environment These non-security issues were fixed : - Fixed that the signal SIGWINCH was being ignored when zsh is not in the foreground. - Fixed two regressions with pipelines getting backgrounded and emitting the signal SIGTTOU - The effect of the NO_INTERACTIVE_COMMENTS option extends into $(...) and `...` command substitutions when used on the command line. - The
last seen: 2020-06-05
modified: 2018-10-03
plugin id: 117898
published: 2018-10-03
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/117898
title: openSUSE Security Update : zsh (openSUSE-2018-1094)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2018-1094.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(117898);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2018-0502", "CVE-2018-1071", "CVE-2018-1083", "CVE-2018-1100", "CVE-2018-13259");

  script_name(english:"openSUSE Security Update : zsh (openSUSE-2018-1094)");
  script_summary(english:"Check for the openSUSE-2018-1094 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for zsh to version 5.6.2 fixes the following issues :

These security issues were fixed :

  - CVE-2018-0502: The beginning of a #! script file was
    mishandled, potentially leading to an execve call to a
    program named on the second line (bsc#1107296)

  - CVE-2018-13259: Shebang lines exceeding 64 characters
    were truncated, potentially leading to an execve call to
    a program name that is a substring of the intended one
    (bsc#1107294)

  - CVE-2018-1100: Prevent stack-based buffer overflow in
    the utils.c:checkmailpath function that allowed local
    attackers to execute arbitrary code in the context of
    another user (bsc#1089030).

  - CVE-2018-1071: Prevent stack-based buffer overflow in
    the exec.c:hashcmd() function that allowed local
    attackers to cause a denial of service (bsc#1084656).

  - CVE-2018-1083: Prevent buffer overflow in the shell
    autocomplete functionality that allowed local
    unprivileged users to create a specially crafted
    directory path which lead to code execution in the
    context of the user who tries to use autocomplete to
    traverse the mentioned path (bsc#1087026).

  - Disallow evaluation of the initial values of integer
    variables imported from the environment

These non-security issues were fixed :

  - Fixed that the signal SIGWINCH was being ignored when
    zsh is not in the foreground.

  - Fixed two regressions with pipelines getting
    backgrounded and emitting the signal SIGTTOU

  - The effect of the NO_INTERACTIVE_COMMENTS option extends
    into $(...) and `...` command substitutions when used on
    the command line.

  - The 'exec' and 'command' precommand modifiers, and
    options to them, are now parsed after parameter
    expansion.

  - Functions executed by ZLE widgets no longer have their
    standard input closed, but redirected from /dev/null
    instead.

  - There is an option WARN_NESTED_VAR, a companion to the
    existing WARN_CREATE_GLOBAL that causes a warning if a
    function updates a variable from an enclosing scope
    without using typeset -g.

  - zmodload now has an option -s to be silent on a failure
    to find a module but still print other errors.

  - Fix typo in chflags completion

  - Fixed invalid git commands completion

  - VCS info system: vcs_info git: Avoid a fork.

  - Fix handling of 'printf -' and 'printf --'

  - fix broken completion for filterdiff (boo#1019130)

  - Unicode9 support, this needs support from your terminal
    to work correctly.

  - The new word modifier ':P' computes the physical path of
    the argument.

  - The output of 'typeset -p' uses 'export' commands or the
    '-g' option for parameters that are not local to the
    current scope.

  - vi-repeat-change can repeat user-defined widgets if the
    widget calls zle -f vichange.

  - The parameter $registers now makes the contents of vi
    register buffers available to user-defined widgets.

  - New vi-up-case and vi-down-case builtin widgets bound to
    gU/gu (or U/u in visual mode) for doing case conversion.

  - A new select-word-match function provides vim-style text
    objects with configurable word boundaries using the
    existing match-words-by-style mechanism.

  - Support for the conditional expression [[ -v var ]] to
    test if a variable is set for compatibility with other
    shells.

  - The print and printf builtins have a new option -v to
    assign the output to a variable.

  - New x: syntax in completion match specifications make it
    possible to disable match specifications hardcoded in
    completion functions.

  - Re-add custom zshrc and zshenv to unbreak compatibility
    with old usage (boo#998858).

  - Read /etc/profile as zsh again.

  - The new module zsh/param/private can be loaded to allow
    the shell to define parameters that are private to a
    function scope (i.e. are not propagated to nested
    functions called within this function).

  - The GLOB_STAR_SHORT option allows the pattern **/* to be
    shortened to just ** if no / follows. so **.c searches
    recursively for a file whose name has the suffix '.c'.

  - The effect of the WARN_CREATE_GLOBAL option has been
    significantly extended, so expect it to cause additional
    warning messages about parameters created globally
    within function scope.

  - The print builtin has new options -x and -X to expand
    tabs.

  - Several new command completions and numerous updates to
    others.

  - Options to 'fc' to segregate internal and shared
    history.

  - All emulations including 'sh' use multibyte by default;
    several repairs to multibyte handling.

  - ZLE supports 'bracketed paste' mode to avoid
    interpreting pasted newlines as accept-line. Pastes can
    be highlighted for visibility and to make it more
    obvious whether accept-line has occurred.

  - Improved (though still not perfect) POSIX compatibility
    for getopts builtin when POSIX_BUILTINS is set.

  - New setopt APPEND_CREATE for POSIX-compatible NO_CLOBBER
    behavior.

  - Completion of date values now displays in a calendar
    format when the complist module is available.
    Controllable by zstyle.

  - New parameter UNDO_LIMIT_NO for more control over ZLE
    undo repeat.

  - Several repairs/improvements to the contributed
    narrow-to-region ZLE function.

  - Many changes to child-process and signal handling to
    eliminate race conditions and avoid deadlocks on
    descriptor and memory management.

  - New builtin sysopen in zsh/system module for detailed
    control of file descriptor modes.

  - Fix a printf regression boo#934175

  - Global aliases can be created for syntactic tokens such
    as command separators (';', '&', '|', '&&', '||'),
    redirection operators, etc.

  - There have been various further improvements to builtin
    handling with the POSIX_BUILTINS option (off by default)
    for compatibility with the POSIX standard.

  - 'whence -v' is now more informative, and 'whence -S'
    shows you how a full chain of symbolic links resolves to
    a command.

  - The 'p' parameter flag now allows an argument to be
    specified as a reference to a variable, e.g.
    $((ps.$sep.)foo) to split $foo on a string given by
    $sep.

  - The option FORCE_FLOAT now forces variables, not just
    constants, to floating point in arithmetic expressions.

  - The type of an assignment in arithmetic expressions,
    e.g. the type seen by the variable res in
    $(( res = a = b )), is now more logical and C-like.

  - The default binding of 'u' in vi command mode has
    changed to undo multiple changes when invoked
    repeatedly. '^R' is now bound to redo changes. To revert
    to toggling of the last edit use: bindkey -a u
    vi-undo-change

  - Compatibility with Vim has been improved for vi editing
    mode. Most notably, Vim style text objects are supported
    and the region can be manipulated with vi commands in
    the same manner as Vim's visual mode.

  - Elements of the watch variable may now be patterns.

  - The logic for retrying history locking has been
    improved.

  - Fix openSUSE versions in osc completion

  - Add back rpm completion file (boo#900424)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1019130"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1084656"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1087026"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1089030"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1107294"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1107296"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=900424"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=934175"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=998858"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected zsh packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:zsh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:zsh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:zsh-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:zsh-htmldoc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/10/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/03");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.3", reference:"zsh-5.6.2-9.6.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"zsh-debuginfo-5.6.2-9.6.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"zsh-debugsource-5.6.2-9.6.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"zsh-htmldoc-5.6.2-9.6.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "zsh / zsh-debuginfo / zsh-debugsource / zsh-htmldoc");
}
NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2018-1018.NASL
description: This update for zsh to version 5.6 fixes the following security issues : - CVE-2018-0502: The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line (bsc#1107296). - CVE-2018-13259: Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one (bsc#1107294). This update was imported from the SUSE:SLE-15:Update update project.
last seen: 2020-06-05
modified: 2018-09-17
plugin id: 117525
published: 2018-09-17
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/117525
title: openSUSE Security Update : zsh (openSUSE-2018-1018)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2018-1018.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(117525);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2018-0502", "CVE-2018-13259");

  script_name(english:"openSUSE Security Update : zsh (openSUSE-2018-1018)");
  script_summary(english:"Check for the openSUSE-2018-1018 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for zsh to version 5.6 fixes the following security
issues :

  - CVE-2018-0502: The beginning of a #! script file was
    mishandled, potentially leading to an execve call to a
    program named on the second line (bsc#1107296).

  - CVE-2018-13259: Shebang lines exceeding 64 characters
    were truncated, potentially leading to an execve call to
    a program name that is a substring of the intended one
    (bsc#1107294).

This update was imported from the SUSE:SLE-15:Update update project."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1107294"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1107296"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected zsh packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:zsh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:zsh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:zsh-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:zsh-htmldoc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/09/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE15.0", reference:"zsh-5.6-lp150.2.6.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"zsh-debuginfo-5.6-lp150.2.6.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"zsh-debugsource-5.6-lp150.2.6.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"zsh-htmldoc-5.6-lp150.2.6.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "zsh / zsh-debuginfo / zsh-debugsource / zsh-htmldoc");
}
NASL family: Amazon Linux Local Security Checks
NASL id: AL2_ALAS-2018-1089.NASL
description: An issue was discovered in zsh before 5.6. The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line.(CVE-2018-0502) It was discovered that zsh does not properly validate the shebang of input files and it truncates it to the first 64 bytes. A local attacker may use this flaw to make zsh execute a different binary than what is expected, named with a substring of the shebang one.(CVE-2018-13259)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 118044
published: 2018-10-11
reporter: This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/118044
title: Amazon Linux 2 : zsh (ALAS-2018-1089)
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2018-1089.
#

include("compat.inc");

if (description)
{
  script_id(118044);
  script_version("1.2");
  script_cvs_date("Date: 2018/10/29 10:22:57");

  script_cve_id("CVE-2018-0502", "CVE-2018-13259");
  script_xref(name:"ALAS", value:"2018-1089");

  script_name(english:"Amazon Linux 2 : zsh (ALAS-2018-1089)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Amazon Linux 2 host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An issue was discovered in zsh before 5.6. The beginning of a #!
script file was mishandled, potentially leading to an execve call to a
program named on the second line.(CVE-2018-0502)

It was discovered that zsh does not properly validate the shebang of
input files and it truncates it to the first 64 bytes. A local attacker
may use this flaw to make zsh execute a different binary than what is
expected, named with a substring of the shebang one.(CVE-2018-13259)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/AL2/ALAS-2018-1089.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Run 'yum update zsh' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:zsh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:zsh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:zsh-html");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/10/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/11");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (rpm_check(release:"AL2", reference:"zsh-5.5.1-2.amzn2.0.1")) flag++;
if (rpm_check(release:"AL2", reference:"zsh-debuginfo-5.5.1-2.amzn2.0.1")) flag++;
if (rpm_check(release:"AL2", reference:"zsh-html-5.5.1-2.amzn2.0.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "zsh / zsh-debuginfo / zsh-html");
}
NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-2235.NASL
description: According to the versions of the zsh package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
- zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd() function. A local attacker could exploit this to cause a denial of service.(CVE-2018-1071)
- zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the utils.c:checkmailpath function. A local attacker could exploit this to execute arbitrary code in the context of another user.(CVE-2018-1100)
- An issue was discovered in zsh before 5.6. The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line.(CVE-2018-0502)
- An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one.(CVE-2018-13259)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-05-08
modified: 2019-11-08
plugin id: 130697
published: 2019-11-08
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/130697
title: EulerOS 2.0 SP5 : zsh (EulerOS-SA-2019-2235)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-2459.NASL
description: According to the versions of the zsh package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
- An issue was discovered in zsh before 5.6. The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line.(CVE-2018-0502)
- An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one.(CVE-2018-13259)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-05-08
modified: 2019-12-04
plugin id: 131613
published: 2019-12-04
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/131613
title: EulerOS 2.0 SP2 : zsh (EulerOS-SA-2019-2459)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-2684.NASL
description: According to the versions of the zsh package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
- An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one.(CVE-2018-13259)
- An issue was discovered in zsh before 5.6. The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line.(CVE-2018-0502)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-05-08
modified: 2019-12-18
plugin id: 132219
published: 2019-12-18
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/132219
title: EulerOS 2.0 SP3 : zsh (EulerOS-SA-2019-2684)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2018-5AD8E216D2.NASL
description:
- fix two security issues in shebang line parsing (CVE-2018-0502 CVE-2018-13259)
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2019-01-03
plugin id: 120450
published: 2019-01-03
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/120450
title: Fedora 29 : zsh (2018-5ad8e216d2)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2018-16BB8B00C5.NASL
description:
- fix two security issues in shebang line parsing (CVE-2018-0502 CVE-2018-13259)
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2019-01-03
plugin id: 120251
published: 2019-01-03
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/120251
title: Fedora 28 : zsh (2018-16bb8b00c5)

NASL family: PhotonOS Local Security Checks
NASL id: PHOTONOS_PHSA-2019-2_0-0165_ZSH.NASL
description: An update of the zsh package has been released.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 126110
published: 2019-06-24
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/126110
title: Photon OS 2.0: Zsh PHSA-2019-2.0-0165

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2018-8B1B2373B4.NASL
description:
- fix two security issues in shebang line parsing (CVE-2018-0502 CVE-2018-13259)
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2018-09-17
plugin id: 117508
published: 2018-09-17
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/117508
title: Fedora 27 : zsh (2018-8b1b2373b4)

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2019-687.NASL
description: This update for zsh to version 5.6 fixes the following security issues :
- CVE-2018-0502: The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line (bsc#1107296).
- CVE-2018-13259: Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one (bsc#1107294).
This update was imported from the SUSE:SLE-15:Update update project.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 123297
published: 2019-03-27
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/123297
title: openSUSE Security Update : zsh (openSUSE-2019-687)

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201903-02.NASL
description: The remote host is affected by the vulnerability described in GLSA-201903-02 (Zsh: User-assisted execution of arbitrary code). Two input validation errors have been discovered in how Zsh parses scripts:
- Parsing a malformed shebang line could cause Zsh to call a program listed in the second line (CVE-2018-0502)
- Shebang lines longer than 64 characters are truncated (CVE-2018-13259)
Impact : An attacker could entice a user to execute a specially crafted script using Zsh, possibly resulting in execution of arbitrary code with the privileges of the process.
Workaround : There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 122730
published: 2019-03-11
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/122730
title: GLSA-201903-02 : Zsh: User-assisted execution of arbitrary code

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-3764-1.NASL
description: It was discovered that Zsh incorrectly handled certain scripts. An attacker could possibly use this issue to execute arbitrary code. (CVE-2018-0502, CVE-2018-13259)
Richard Maciel Costa discovered that Zsh incorrectly handled certain scripts. An attacker could possibly use this issue to execute arbitrary code. (CVE-2018-1100)
Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 117456
published: 2018-09-12
reporter: Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/117456
title: Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : zsh vulnerabilities (USN-3764-1)
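The plugins above all reduce to one decision, "is the installed zsh older than 5.6", and the advisories describe two script shapes that the pre-5.6 parser mishandles: a malformed #! line with no interpreter, where a program appears on the second line, and a #! line longer than 64 characters, which is cut so that a substring of the intended name is executed. The POSIX shell script below is an added example, not code from zsh, Tenable or any distribution advisory: it scans a script's first two lines for both shapes, shows which substring a 64-byte cut would leave, and applies the same version decision to a zsh version string. The sample scripts, the output format and the truncation model (cut the whole line at 64 bytes, then take the first word after "#!") are constructed here; they approximate the behaviour the advisories describe and do not reproduce the bug.

```sh
#!/bin/sh
# Added example (not from zsh or from the advisories on this page).
# Static audit for the two shebang shapes the advisories describe, plus the
# "older than 5.6" version check the distribution plugins make on package versions.
# Assumption: pre-5.6 zsh is modelled as cutting the #! line at 64 bytes and then
# taking the first whitespace-delimited word after "#!" as the interpreter.

POUNDBANG_LIMIT=64   # line length the advisories give as the truncation point

# first_word LINE: strip a leading "#!" and blanks, keep one whitespace-delimited word
first_word() {
    printf '%s\n' "$1" | sed 's/^#![[:space:]]*//; s/^[[:space:]]*//; s/[[:space:]].*//'
}

# shebang_findings FILE: one finding per line; nothing printed for a sound short shebang
shebang_findings() {
    file=$1
    line1=$(head -n 1 "$file")
    line2=$(sed -n '2p' "$file")
    case $line1 in
        '#!'*) ;;
        *) return 0 ;;            # not a #! script, so no interpreter line to parse
    esac
    interp=$(first_word "$line1")
    if [ -z "$interp" ]; then     # CVE-2018-0502 shape: "#!" names nothing, line 2 does
        printf 'MALFORMED_SHEBANG second_line_program=%s\n' "$(first_word "$line2")"
    fi
    len=${#line1}
    if [ "$len" -gt "$POUNDBANG_LIMIT" ]; then   # CVE-2018-13259 shape
        truncated=$(first_word "$(printf '%s' "$line1" | cut -c1-"$POUNDBANG_LIMIT")")
        printf 'LONG_SHEBANG length=%s truncated_interpreter=%s intended_interpreter=%s\n' \
            "$len" "$truncated" "$interp"
    fi
}

# zsh_older_than_5_6 "zsh 5.5.1 (x86_64-pc-linux-gnu)"
# exit 0 if the release is before 5.6 (affected), 1 if 5.6 or later, 2 if unparseable
zsh_older_than_5_6() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^zsh \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    case $ver in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    if [ "$major" -lt 5 ]; then return 0; fi
    if [ "$major" -eq 5 ] && [ "$minor" -lt 6 ]; then return 0; fi
    return 1
}

# installed_zsh_status: prints one status line for the zsh binary on PATH, if any
installed_zsh_status() {
    if ! command -v zsh >/dev/null 2>&1; then echo "NOT_INSTALLED zsh"; return 0; fi
    vstr=$(zsh --version 2>/dev/null)
    rc=0; zsh_older_than_5_6 "$vstr" || rc=$?
    case $rc in
        0) echo "AFFECTED $vstr (before 5.6; apply the vendor update)" ;;
        1) echo "OK $vstr" ;;
        *) echo "UNKNOWN could not parse '$vstr'" ;;
    esac
}

# make_samples: writes three constructed sample scripts (made up for this example)
# into a temporary directory and prints that directory.
make_samples() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho fine\n' > "$dir/ok.sh"
    # bare "#!" on line 1, a program named on line 2
    printf '#!\n/usr/bin/env ruby -e "puts 1"\n' > "$dir/bare_shebang.sh"
    # 67-character #! line; a 64-byte cut leaves .../bin/python3-wrap
    printf '#!/opt/site-packages/interpreters/nightly-build/bin/python3-wrapper\nprint(1)\n' \
        > "$dir/long_shebang.sh"
    printf '%s\n' "$dir"
}

demo() {
    dir=$(make_samples)
    for f in "$dir"/*.sh; do
        printf '== %s\n' "${f##*/}"
        shebang_findings "$f"
    done
    installed_zsh_status
    rm -rf "$dir"
}
demo
```

Running the file prints the findings for the three constructed samples and the status of the local zsh; point `shebang_findings` at real scripts to audit them. The scan is a static check on file contents. When a script is executed directly, the kernel parses the #! line with its own limits; the zsh parser the advisories describe runs inside a zsh process that reads the file itself, so a script that looks harmless at the kernel's limit can still resolve to a different program under a 64-byte cut.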
References
- https://bugs.debian.org/908000
- https://lists.debian.org/debian-lts-announce/2020/12/msg00000.html
- https://security.gentoo.org/glsa/201903-02
- https://sourceforge.net/p/zsh/code/ci/1c4c7b6a4d17294df028322b70c53803a402233d
- https://usn.ubuntu.com/3764-1/
- https://www.zsh.org/mla/zsh-announce/136