[ASA-201809-3] zsh: insufficient validation
Arch Linux Security Advisory ASA-201809-3
=========================================

Severity: Low
Date    : 2018-09-24
CVE-ID  : CVE-2018-0502 CVE-2018-13259
Package : zsh
Type    : insufficient validation
Remote  : No
Link    : https://security.archlinux.org/AVG-764

Summary
=======

The package zsh before version 5.6-1 is vulnerable to insufficient
validation.

Resolution
==========

Upgrade to 5.6-1.

# pacman -Syu "zsh>=5.6-1"

The problems have been fixed upstream in version 5.6.

Workaround
==========

None.

Description
===========

- CVE-2018-0502 (insufficient validation)

An issue was discovered in zsh before 5.6. The beginning of a #! script
file was mishandled, potentially leading to an execve call to a program
named on the second line.

- CVE-2018-13259 (insufficient validation)

An issue was discovered in zsh before 5.6. Shebang lines exceeding 64
characters were truncated, potentially leading to an execve call to a
program name that is a substring of the intended one.

Impact
======

A local attacker is able to execute arbitrary commands via a specially
crafted shell script.

References
==========

https://www.zsh.org/mla/zsh-announce/136
https://bugs.debian.org/908000
https://sourceforge.net/p/zsh/code/ci/1c4c7b6a4d17294df028322b70c53803a402233d
https://security.archlinux.org/CVE-2018-0502
https://security.archlinux.org/CVE-2018-13259
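Added example, not part of the advisory: an audit that lists scripts whose #! line is longer than the 64 characters named under CVE-2018-13259, so hosts that cannot upgrade yet know which scripts to review. The function names, the sample files and the choice to count the whole first line in bytes are assumptions of this example.

```python
import os
import tempfile

# 64 is the figure given in the advisory; measuring the whole first line
# in bytes (including "#!") is an assumption of this example.
SHEBANG_LIMIT = 64

def shebang_of(path):
    """Return the first line (no newline) if the file starts with #!, else None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return None  # unreadable file: nothing to report
    if not head.startswith(b"#!"):
        return None
    return head.split(b"\n", 1)[0].rstrip(b"\r")

def audit_tree(root, limit=SHEBANG_LIMIT):
    """Return sorted (path, length) pairs for scripts whose #! line exceeds limit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets, devices
            line = shebang_of(path)
            if line is not None and len(line) > limit:
                findings.append((path, len(line)))
    return sorted(findings)

def build_sample_tree(root):
    """Write constructed sample files; return the length of the long #! line."""
    long_interp = "/opt/" + "x" * 70 + "/bin/python3"  # constructed path
    samples = {
        "short.sh": "#!/bin/sh\necho ok\n",
        "long.py": "#!" + long_interp + "\nprint('ok')\n",
        "data.txt": "not a script\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return len("#!" + long_interp)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, length in audit_tree(tmp):
            print(f"{length:4d} bytes  {path}")
```

Point audit_tree at directories holding locally maintained scripts; each reported path has an interpreter line that zsh before 5.6 would not read in full.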