Zsh: User-assisted execution of arbitrary code

Zsh: User-assisted execution of arbitrary code Input validation errors in Zsh could result in arbitrary code execution. zsh 2019-03-10 2019-03-10 665278 local, remote 5.6 5.6

A shell designed for interactive use, although it is also a powerful scripting language.

Two input validation errors have been discovered in how Zsh parses scripts:

Parsing a malformed shebang line could cause Zsh to call a program listed in the second line (CVE-2018-0502)
Shebang lines longer than 64 characters are truncated (CVE-2018-13259)

An attacker could entice a user to execute a specially crafted script using Zsh, possibly resulting in execution of arbitrary code with the privileges of the process.

There is no known workaround at this time.

All Zsh users should upgrade to the latest version:


      # emerge --sync
      # emerge --ask --oneshot --verbose ">=app-shells/zsh-5.6"

CVE-2018-0502 CVE-2018-13259 Zlogene ackle