CVE-2014-10071 — Improper Restriction of Operations within the Bounds of a Memory Buffer in ZSH

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120 — Classic Buffer Overflow CWE-121 — Stack-based Buffer Overflow8 documents7 sources

Severity

9.8CRITICALNVD

OSV7.8

EPSS

0.5%

top 34.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

ZSH Debian ZSH Canonical Ubuntu Linux

Timeline

PublishedFeb 27

Latest updateMay 14

Description

In exec.c in zsh before 5.0.7, there is a buffer overflow for very long fds in the ">& fd" syntax.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDzsh/zsh< 5.0.7

▶debiandebian/zsh< zsh 5.0.7-3 (bookworm)

▶Debianzsh/zsh< 5.0.7-3+3

▶Ubuntuzsh/zsh< 5.0.2-3ubuntu6.1+1

Also affects: Ubuntu Linux 14.04, 16.04, 17.10

Patches

Patch: sourceforge.net ↗Patch: sourceforge.net ↗

🔴Vulnerability Details

GHSA

GHSA-fw6p-93fm-p636: In exec↗2022-05-14

▶

OSV

zsh vulnerabilities↗2018-03-08

▶

OSV

CVE-2014-10071: In exec↗2018-02-27

▶

📋Vendor Advisories

Ubuntu

Zsh vulnerabilities↗2018-03-08

▶

Red Hat

zsh: buffer overflow for very long fds in >& fd syntax↗2014-10-06

▶

Debian

CVE-2014-10071: zsh - In exec.c in zsh before 5.0.7, there is a buffer overflow for very long fds in t...↗2014

▶

💬Community

Bugzilla

CVE-2014-10071 zsh: buffer overflow for very long fds in >& fd syntax↗2018-02-27

▶