List-Id: Zsh Users List
From: TJ Luoma
Date: Thu, 25 Sep 2014 13:29:01 -0400
Subject: Re: Does the bash bug have a zsh counterpart?
To: "William G. Scott"
Cc: Peter Stephenson, Zsh-Users List

I realize this is pretty nearly off-topic but considering the
seriousness of this bug I’ll mention it anyway:

If you use OS X there are instructions on building your own version
from (patched) source here

http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7/146851#146851

I have used that to make a (zsh!) shell script here:

https://github.com/tjluoma/bash-fix

But do note that there is another bash vulnerability (mentioned on the
StackExchange site) which has yet to be patched. I’ll be updating my
GitHub script as new patches become available until Apple releases an
official fix.

TjL

On Thu, Sep 25, 2014 at 12:53 PM, William G. Scott wrote:
>
> On Sep 25, 2014, at 9:41 AM, Peter Stephenson wrote:
>
>> On Thu, 25 Sep 2014 09:35:01 -0700
>> "William G. Scott" wrote:
>>> Does any version of zsh have the same issue as bash, reported e.g. at
>>>
>>>
>>
>> No, search the zsh-workers archive at www.zsh.org for the last day or
>> so.
>>
>>> I was thinking of temporarily replacing sh and bash on OS X with zsh
>>> until a security fix is offered.
>>
>> If so, make sure you alias it to sh or otherwise cause it to come up in
>> POSIX mode.
>>
>> Dash might be a better bet as it's more widely used for such things.
>>
>> pws
>
> Thanks. I decided to try living life on the edge, backed up the old
> versions of sh and bash, and made hard links to the system zsh. (About
> 10 years ago I found a hard link to a then nonexistent ksh behaved
> properly whereas a symbolic link for whatever reason didn’t). I’ve done
> this on 10.10b and 10.9 and rebooted and things appear to be working
> without issue. So far. (At the very least, it might be entertaining to
> see where this might go wrong.)