{"id":"MGASA-2018-0168","summary":"Updated zsh packages fix security vulnerabilities","details":"Zsh has been updated to fix 4 security issues.\n\nIn builtin.c in zsh before 5.4, when sh compatibility mode is used, there is a \nNULL pointer dereference during processing of the cd command with no argument if \nHOME is not set. (CVE-2017-18205)\n\nIn utils.c in zsh before 5.4, symlink expansion had a buffer overflow. \n(CVE-2017-18206)\n\nIn subst.c in zsh through 5.4.2, there is a NULL pointer dereference when using \n${(PA)...} on an empty array result.(CVE-2018-7548)\n\nIn params.c in zsh through 5.4.2, there is a crash during a copy of an empty \nhash table, as demonstrated by typeset -p. (CVE-2018-7549)\n","modified":"2026-04-16T06:25:54.564224800Z","published":"2018-03-14T16:21:20Z","upstream":["CVE-2017-18205","CVE-2017-18206","CVE-2018-7548","CVE-2018-7549"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0168.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=22741"},{"type":"WEB","url":"https://usn.ubuntu.com/3593-1/"}],"affected":[{"package":{"name":"zsh","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/zsh?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.3.1-1.2.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0168.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}