CVE-2018-7549 — Improper Input Validation in ZSH

CWE-20 — Improper Input Validation CWE-665 — Improper Initialization8 documents7 sources

Severity

7.5HIGHNVD

OSV7.8

EPSS

0.2%

top 55.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

ZSH Debian ZSH Canonical Ubuntu Linux +3 more

Timeline

PublishedFeb 27

Latest updateMay 14

Description

In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, as demonstrated by typeset -p.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

▶debiandebian/zsh< zsh 5.5-1 (bookworm)

▶Debianzsh/zsh< 5.5-1+3

▶Ubuntuzsh/zsh< 5.0.2-3ubuntu6.1+1

▶NVDzsh/zsh5.4.2

▶NVDredhat/enterprise_linux_server7.0

Also affects: Ubuntu Linux 14.04, 16.04, 17.10

Patches

Patch: sourceforge.net ↗Patch: sourceforge.net ↗

🔴Vulnerability Details

GHSA

GHSA-mfcw-g327-phj2: In params↗2022-05-14

▶

OSV

zsh vulnerabilities↗2018-03-08

▶

OSV

CVE-2018-7549: In params↗2018-02-27

▶

📋Vendor Advisories

Ubuntu

Zsh vulnerabilities↗2018-03-08

▶

Debian

CVE-2018-7549: zsh - In params.c in zsh through 5.4.2, there is a crash during a copy of an empty has...↗2018

▶

Red Hat

zsh: crash on copying empty hash table↗2017-12-22

▶

💬Community

Bugzilla

CVE-2018-7549 zsh: crash on copying empty hash table↗2018-02-27

▶