Bug 1082885 (CVE-2014-10070)

Summary:	VUL-0: CVE-2014-10070: zsh: privilege escalation via environment variables
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Andreas Stieger <astieger>
Component:	Incidents	Assignee:	Paolo Perego <paolo.perego>
Status:	NEW ---	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	abergmann, ismail, karol, sweet_f_a
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/200857/
Whiteboard:	CVSSv3:SUSE:CVE-2014-10070:8.6:(AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Andreas Stieger 2018-02-26 17:52:59 UTC

fixed in zsh 5.0.7: 

Contains a security fix to disallow evaluation of the initial values of integer variables imported from the environment (they are instead treated as literal numbers). That could allow local privilege escalation, under some specific and atypical conditions where zsh is being invoked in privilege elevation contexts when the environment has not been properly sanitized, such as when zsh is invoked by sudo on systems where "env_reset" has been disabled.

Comment 1 Andreas Stieger 2018-02-26 18:38:49 UTC

Fix: https://sourceforge.net/p/zsh/code/ci/546203a770cec329e73781c3c8ab1078390aee72
Test: https://sourceforge.net/p/zsh/code/ci/fb707c0acbea8b3e06eb6ff9781481929c67d926

Comment 3 Karol Babioch 2018-02-27 08:22:34 UTC

Test:

env SHLVL=1+RANDOM zsh -f -c 'print $SHLVL'
13957

Expected output: 2

Affected codestreams:
SUSE:SLE-11:Update 
SUSE:SLE-12:Update

Comment 4 Karol Babioch 2018-02-27 12:44:01 UTC

Also affected: SUSE:SLE-10-SP3:Update

Comment 7 Swamp Workflow Management 2018-04-25 16:07:29 UTC

SUSE-SU-2018:1072-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1082885,1082975,1082977,1082991,1082998,1083002,1083250,1084656,1087026,896914
CVE References: CVE-2014-10070,CVE-2014-10071,CVE-2014-10072,CVE-2016-10714,CVE-2017-18205,CVE-2017-18206,CVE-2018-1071,CVE-2018-1083,CVE-2018-7549
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    zsh-5.0.5-6.7.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    zsh-5.0.5-6.7.2

Comment 8 Swamp Workflow Management 2018-04-26 22:07:29 UTC

openSUSE-SU-2018:1093-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1082885,1082975,1082977,1082991,1082998,1083002,1083250,1084656,1087026,896914
CVE References: CVE-2014-10070,CVE-2014-10071,CVE-2014-10072,CVE-2016-10714,CVE-2017-18205,CVE-2017-18206,CVE-2018-1071,CVE-2018-1083,CVE-2018-7549
Sources used:
openSUSE Leap 42.3 (src):    zsh-5.0.5-9.3.1

Comment 15 Swamp Workflow Management 2022-03-14 20:19:38 UTC

SUSE-SU-2022:14910-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1082885,1082975,1082977,1082991,1082998,1083002,1083250,1084656,1087026,1107294,1107296,1163882
CVE References: CVE-2014-10070,CVE-2014-10071,CVE-2014-10072,CVE-2016-10714,CVE-2017-18205,CVE-2017-18206,CVE-2018-0502,CVE-2018-1071,CVE-2018-1083,CVE-2018-13259,CVE-2018-7549,CVE-2019-20044
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    zsh-4.3.6-67.9.8.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    zsh-4.3.6-67.9.8.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    zsh-4.3.6-67.9.8.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    zsh-4.3.6-67.9.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.