Bug 1082885 (CVE-2014-10070)

Summary: VUL-0: CVE-2014-10070: zsh: privilege escalation via environment variables
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Stieger <astieger>
Component: IncidentsAssignee: Paolo Perego <paolo.perego>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, ismail, karol, sweet_f_a
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/200857/
Whiteboard: CVSSv3:SUSE:CVE-2014-10070:8.6:(AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Andreas Stieger 2018-02-26 17:52:59 UTC
fixed in zsh 5.0.7: 

Contains a security fix to disallow evaluation of the initial values of integer variables imported from the environment (they are instead treated as literal numbers). That could allow local privilege escalation, under some specific and atypical conditions where zsh is being invoked in privilege elevation contexts when the environment has not been properly sanitized, such as when zsh is invoked by sudo on systems where "env_reset" has been disabled.
Comment 3 Karol Babioch 2018-02-27 08:22:34 UTC
Test:

env SHLVL=1+RANDOM zsh -f -c 'print $SHLVL'
13957

Expected output: 2

Affected codestreams:
SUSE:SLE-11:Update 
SUSE:SLE-12:Update
Comment 4 Karol Babioch 2018-02-27 12:44:01 UTC
Also affected: SUSE:SLE-10-SP3:Update
Comment 7 Swamp Workflow Management 2018-04-25 16:07:29 UTC
SUSE-SU-2018:1072-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1082885,1082975,1082977,1082991,1082998,1083002,1083250,1084656,1087026,896914
CVE References: CVE-2014-10070,CVE-2014-10071,CVE-2014-10072,CVE-2016-10714,CVE-2017-18205,CVE-2017-18206,CVE-2018-1071,CVE-2018-1083,CVE-2018-7549
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    zsh-5.0.5-6.7.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    zsh-5.0.5-6.7.2
Comment 8 Swamp Workflow Management 2018-04-26 22:07:29 UTC
openSUSE-SU-2018:1093-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1082885,1082975,1082977,1082991,1082998,1083002,1083250,1084656,1087026,896914
CVE References: CVE-2014-10070,CVE-2014-10071,CVE-2014-10072,CVE-2016-10714,CVE-2017-18205,CVE-2017-18206,CVE-2018-1071,CVE-2018-1083,CVE-2018-7549
Sources used:
openSUSE Leap 42.3 (src):    zsh-5.0.5-9.3.1
Comment 15 Swamp Workflow Management 2022-03-14 20:19:38 UTC
SUSE-SU-2022:14910-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1082885,1082975,1082977,1082991,1082998,1083002,1083250,1084656,1087026,1107294,1107296,1163882
CVE References: CVE-2014-10070,CVE-2014-10071,CVE-2014-10072,CVE-2016-10714,CVE-2017-18205,CVE-2017-18206,CVE-2018-0502,CVE-2018-1071,CVE-2018-1083,CVE-2018-13259,CVE-2018-7549,CVE-2019-20044
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    zsh-4.3.6-67.9.8.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    zsh-4.3.6-67.9.8.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    zsh-4.3.6-67.9.8.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    zsh-4.3.6-67.9.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.