{"affected":[{"ecosystem_specific":{"binaries":[{"zsh":"5.0.5-6.7.2"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Desktop 12 SP3","name":"zsh","purl":"pkg:rpm/suse/zsh&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"5.0.5-6.7.2"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"zsh":"5.0.5-6.7.2"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 12 SP3","name":"zsh","purl":"pkg:rpm/suse/zsh&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"5.0.5-6.7.2"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"zsh":"5.0.5-6.7.2"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 12 SP3","name":"zsh","purl":"pkg:rpm/suse/zsh&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"5.0.5-6.7.2"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for zsh fixes the following issues:\n\n  - CVE-2014-10070: environment variable injection could lead to local privilege escalation (bnc#1082885)\n\n  - CVE-2014-10071: buffer overflow in exec.c could lead to denial of service. (bnc#1082977)\n\n  - CVE-2014-10072: buffer overflow in utils.c when scanning \nvery long directory paths for symbolic links. (bnc#1082975)\n\n  - CVE-2016-10714: In zsh before 5.3, an off-by-one error resulted in \nundersized buffers that were intended to support PATH_MAX characters. (bnc#1083250)\n\n  - CVE-2017-18205: In builtin.c when sh compatibility mode is used, a NULL pointer dereference \ncould lead to denial of service (bnc#1082998)\n\n  - CVE-2018-1071: exec.c:hashcmd() function vulnerability could lead to denial of service. (bnc#1084656)\n \n  - CVE-2018-1083: Autocomplete vulnerability could lead to privilege escalation. (bnc#1087026)\n\n  - CVE-2018-7549: In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, \nas demonstrated by typeset -p. (bnc#1082991)\n  \n  - CVE-2017-18206: buffer overrun in xsymlinks could lead to denial of service (bnc#1083002)\n    \n  - Autocomplete and REPORTTIME broken (bsc#896914)\n\n","id":"SUSE-SU-2018:1072-1","modified":"2018-04-25T12:15:43Z","published":"2018-04-25T12:15:43Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2018/suse-su-20181072-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1082885"},{"type":"REPORT","url":"https://bugzilla.suse.com/1082975"},{"type":"REPORT","url":"https://bugzilla.suse.com/1082977"},{"type":"REPORT","url":"https://bugzilla.suse.com/1082991"},{"type":"REPORT","url":"https://bugzilla.suse.com/1082998"},{"type":"REPORT","url":"https://bugzilla.suse.com/1083002"},{"type":"REPORT","url":"https://bugzilla.suse.com/1083250"},{"type":"REPORT","url":"https://bugzilla.suse.com/1084656"},{"type":"REPORT","url":"https://bugzilla.suse.com/1087026"},{"type":"REPORT","url":"https://bugzilla.suse.com/896914"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2014-10070"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2014-10071"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2014-10072"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-10714"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-18205"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-18206"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-1071"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-1083"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-7549"}],"related":["CVE-2014-10070","CVE-2014-10071","CVE-2014-10072","CVE-2016-10714","CVE-2017-18205","CVE-2017-18206","CVE-2018-1071","CVE-2018-1083","CVE-2018-7549"],"summary":"Security update for zsh","upstream":["CVE-2014-10070","CVE-2014-10071","CVE-2014-10072","CVE-2016-10714","CVE-2017-18205","CVE-2017-18206","CVE-2018-1071","CVE-2018-1083","CVE-2018-7549"]}