Bug 1082885 - (CVE-2014-10070) VUL-0: CVE-2014-10070: zsh: privilege escalation via environment variables
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Assigned To: Paolo Perego
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/200857/
Whiteboard: CVSSv3:SUSE:CVE-2014-10070:8.6:(AV:L...
Reported: 2018-02-26 17:52 UTC by Andreas Stieger
Modified: 2022-03-14 20:19 UTC
Found By: Security Response Team


Description Andreas Stieger 2018-02-26 17:52:59 UTC
fixed in zsh 5.0.7: 

Contains a security fix to disallow evaluation of the initial values of integer variables imported from the environment (they are instead treated as literal numbers). That could allow local privilege escalation, under some specific and atypical conditions where zsh is being invoked in privilege elevation contexts when the environment has not been properly sanitized, such as when zsh is invoked by sudo on systems where "env_reset" has been disabled.
Comment 3 Karol Babioch 2018-02-27 08:22:34 UTC
Test:

env SHLVL=1+RANDOM zsh -f -c 'print $SHLVL'
13957

Expected output: 2

Affected codestreams:
SUSE:SLE-11:Update 
SUSE:SLE-12:Update
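
A deterministic form of the test in comment 3, together with a scan for the sudo setting named in the description, given here as an added example that is not part of the bug report or of any SUSE tooling. The constant 1+40 (used in place of RANDOM), the function names and the /etc/sudoers path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): probe a zsh binary for the
# CVE-2014-10070 behaviour and look for a disabled env_reset in sudoers.

# Classify what `print $SHLVL` printed when zsh was started with SHLVL=1+40.
# A fixed zsh reads the value as the literal number 1 and increments it,
# giving 2 (the "Expected output" in comment 3). An affected zsh evaluates
# 1+40 as arithmetic first, giving 42.
classify_shlvl() {
    case "$1" in
        2)  echo fixed ;;
        42) echo vulnerable ;;
        *)  echo unknown ;;
    esac
}

# Run the comment 3 test with a constant instead of RANDOM so the result is
# reproducible. $1 = zsh binary to test (assumed default: zsh from PATH).
probe_zsh() {
    zsh_bin=${1:-zsh}
    command -v "$zsh_bin" >/dev/null 2>&1 || { echo absent; return 0; }
    out=$(env SHLVL=1+40 "$zsh_bin" -f -c 'print $SHLVL' 2>/dev/null) || out=
    classify_shlvl "$out"
}

# Print the numbered lines of the sudoers file $1 that disable env_reset
# (for example "Defaults !env_reset"), skipping commented-out lines.
# Prints nothing when env_reset is left enabled.
sudoers_env_reset_disabled() {
    grep -nE '^[[:space:]]*Defaults[^#]*![[:space:]]*env_reset' "$1" || true
}

# Report on the local host. /etc/sudoers is an assumed location; files
# under /etc/sudoers.d would need the same scan.
echo "zsh: $(probe_zsh)"
if [ -r /etc/sudoers ]; then
    sudoers_env_reset_disabled /etc/sudoers
fi
```

A host is exposed in the way the description states only when both checks fire: the zsh probe reports "vulnerable" and sudoers disables env_reset.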
Comment 4 Karol Babioch 2018-02-27 12:44:01 UTC
Also affected: SUSE:SLE-10-SP3:Update
Comment 7 Swamp Workflow Management 2018-04-25 16:07:29 UTC
SUSE-SU-2018:1072-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1082885,1082975,1082977,1082991,1082998,1083002,1083250,1084656,1087026,896914
CVE References: CVE-2014-10070,CVE-2014-10071,CVE-2014-10072,CVE-2016-10714,CVE-2017-18205,CVE-2017-18206,CVE-2018-1071,CVE-2018-1083,CVE-2018-7549
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    zsh-5.0.5-6.7.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    zsh-5.0.5-6.7.2
Comment 8 Swamp Workflow Management 2018-04-26 22:07:29 UTC
openSUSE-SU-2018:1093-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1082885,1082975,1082977,1082991,1082998,1083002,1083250,1084656,1087026,896914
CVE References: CVE-2014-10070,CVE-2014-10071,CVE-2014-10072,CVE-2016-10714,CVE-2017-18205,CVE-2017-18206,CVE-2018-1071,CVE-2018-1083,CVE-2018-7549
Sources used:
openSUSE Leap 42.3 (src):    zsh-5.0.5-9.3.1
Comment 15 Swamp Workflow Management 2022-03-14 20:19:38 UTC
SUSE-SU-2022:14910-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1082885,1082975,1082977,1082991,1082998,1083002,1083250,1084656,1087026,1107294,1107296,1163882
CVE References: CVE-2014-10070,CVE-2014-10071,CVE-2014-10072,CVE-2016-10714,CVE-2017-18205,CVE-2017-18206,CVE-2018-0502,CVE-2018-1071,CVE-2018-1083,CVE-2018-13259,CVE-2018-7549,CVE-2019-20044
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    zsh-4.3.6-67.9.8.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    zsh-4.3.6-67.9.8.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    zsh-4.3.6-67.9.8.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    zsh-4.3.6-67.9.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.