Does the bash bug have a zsh counterpart?

Does the bash bug have a zsh counterpart?

[William G. Scott]

Hi folks:

Does any version of zsh have the same issue as bash, reported eg at

<http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>


The test listed toward the end of the article doesn’t indicate that it does (substituting zsh for bash), but I just wanted to ask.

I was thinking of temporarily replacing sh and bash on OS X with zsh until a security fix is offered.

Many thanks.


Bill

Re: Does the bash bug have a zsh counterpart?

[Peter Stephenson]

On Thu, 25 Sep 2014 09:35:01 -0700
"William G. Scott" <wgscott@ucsc.edu> wrote:
> Does any version of zsh have the same issue as bash, reported eg at
> 
> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>

No, search the zsh-workers archive at www.zsh.org for the last day or
so.

> I was thinking of temporarily replacing sh and bash on OS X with zsh
> until a security fix is offered.

If so, make sure you alias it to sh or otherwise cause it to come up in
POSIX mode.

Dash might be a better bet as it's more widely used for such things.

pws

Re: Does the bash bug have a zsh counterpart?

[Jérémie Roquet]

Hi,

2014-09-25 18:35 GMT+02:00 William G. Scott <wgscott@ucsc.edu>:
> Does any version of zsh have the same issue as bash, reported eg at
>
> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>

None that we're aware of.

See threads :
  http://www.zsh.org/mla/workers/2014/msg01016.html
  http://www.zsh.org/mla/workers/2014/msg01033.html

Best regards,

-- 
Jérémie

Re: Does the bash bug have a zsh counterpart?

[shawn wilson]

Maybe not?

I quickly took this:
https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/ckro7be

And changed out the shell. But I didn't look too hard.

 % rm -f echo && env -i  X='() { (a)=>\' zsh -c 'echo date'; cat echo

Downloads/temp swlap1
env: zsh: No such file or directory
cat: echo: No such file or directory

On Thu, Sep 25, 2014 at 12:35 PM, William G. Scott <wgscott@ucsc.edu> wrote:
> Hi folks:
>
> Does any version of zsh have the same issue as bash, reported eg at
>
> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>
>
> The test listed toward the end of the article doesn’t indicate that it does (substituting zsh for bash), but I just wanted to ask.
>
> I was thinking of temporarily replacing sh and bash on OS X with zsh until a security fix is offered.
>
> Many thanks.
>
>
> Bill
>
>
>

Re: Does the bash bug have a zsh counterpart?

[shawn wilson]

On Thu, Sep 25, 2014 at 12:41 PM, Peter Stephenson
<p.stephenson@samsung.com> wrote:
> On Thu, 25 Sep 2014 09:35:01 -0700
> "William G. Scott" <wgscott@ucsc.edu> wrote:
>> Does any version of zsh have the same issue as bash, reported eg at
>>
>> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>
> No, search the zsh-workers archive at www.zsh.org for the last day or
> so.
>
>> I was thinking of temporarily replacing sh and bash on OS X with zsh
>> until a security fix is offered.
>
> If so, make sure you alias it to sh or otherwise cause it to come up in
> POSIX mode.
>
> Dash might be a better bet as it's more widely used for such things.
>

I wouldn't recommend dash as a solution - there might be other hidden
goodies there - see the recent vmware workstation suid issue caused by
dash thinking they were smarter.

Re: Does the bash bug have a zsh counterpart?

[William G. Scott]

On Sep 25, 2014, at 9:41 AM, Peter Stephenson <p.stephenson@samsung.com> wrote:

> On Thu, 25 Sep 2014 09:35:01 -0700
> "William G. Scott" <wgscott@ucsc.edu> wrote:
>> Does any version of zsh have the same issue as bash, reported eg at
>> 
>> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
> 
> No, search the zsh-workers archive at www.zsh.org for the last day or
> so.
> 
>> I was thinking of temporarily replacing sh and bash on OS X with zsh
>> until a security fix is offered.
> 
> If so, make sure you alias it to sh or otherwise cause it to come up in
> POSIX mode.
> 
> Dash might be a better bet as it's more widely used for such things.
> 
> pws

Thanks.  I decided to try living life on the edge, backed up the old versions of sh and bash, and made hard links to the system zsh.  (About 10 years ago I found a hard link to a then nonexistent ksh behaved properly whereas a symbolic link for whatever reason didn’t).  I’ve done this on 10.10b and 10.9 and rebooted and things appear to be working without issue.  So far. (At the very least, it might be entertaining to see where this might go wrong.)

Re: Does the bash bug have a zsh counterpart?

[TJ Luoma]

I realize this is pretty nearly off-topic but considering the
seriousness of this bug I’ll mention it anyway:

If you use OS X there are instructions on building your own version
from (patched) source here

http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7/146851#146851

I have used that to make a (zsh!) shell script here:

https://github.com/tjluoma/bash-fix

But do note that there is another bash vulnerability (mentioned on the
StackExchange site) which has yet to be patched. I’ll be updating my
GitHub script as new patches become available until Apple releases an
official fix.

TjL






On Thu, Sep 25, 2014 at 12:53 PM, William G. Scott <wgscott@ucsc.edu> wrote:
>
> On Sep 25, 2014, at 9:41 AM, Peter Stephenson <p.stephenson@samsung.com> wrote:
>
>> On Thu, 25 Sep 2014 09:35:01 -0700
>> "William G. Scott" <wgscott@ucsc.edu> wrote:
>>> Does any version of zsh have the same issue as bash, reported eg at
>>>
>>> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>>
>> No, search the zsh-workers archive at www.zsh.org for the last day or
>> so.
>>
>>> I was thinking of temporarily replacing sh and bash on OS X with zsh
>>> until a security fix is offered.
>>
>> If so, make sure you alias it to sh or otherwise cause it to come up in
>> POSIX mode.
>>
>> Dash might be a better bet as it's more widely used for such things.
>>
>> pws
>
> Thanks.  I decided to try living life on the edge, backed up the old versions of sh and bash, and made hard links to the system zsh.  (About 10 years ago I found a hard link to a then nonexistent ksh behaved properly whereas a symbolic link for whatever reason didn’t).  I’ve done this on 10.10b and 10.9 and rebooted and things appear to be working without issue.  So far. (At the very least, it might be entertaining to see where this might go wrong.)

Hardlinks (was: Re: Does the bash bug have a zsh counterpart?)

[Dirk Heinrichs]

[-- Attachment #1: Type: text/plain, Size: 1606 bytes --]

Am 25.09.2014 um 18:53 schrieb William G. Scott:

> (About 10 years ago I found a hard link to a then nonexistent ksh behaved properly whereas a symbolic link for whatever reason didn’t).

A hardlink is nothing more than another name for the same file. When ksh
was deleted, the system has just deleted that one NAME of the file, but
it stayed there under the other name (sh). That's the reason why you
can't create hardlinks across filesystem borders. BTW: You can identify
hardlinked files by looking at

 1. The link count:
    % touch foo
    % ln foo bar
    % ll foo bar
    -rw-r--r-- 2 someuser users 0 Sep 26 07:36 bar
    -rw-r--r-- 2 someuser users 0 Sep 26 07:36 foo
    % ln bar baz
    % ll foo bar baz
    -rw-r--r-- 3 someuser users 0 Sep 26 07:36 bar
    -rw-r--r-- 3 someuser users 0 Sep 26 07:36 baz
    -rw-r--r-- 3 someuser users 0 Sep 26 07:36 foo
 2. The inode number
    % ll -i foo bar baz
    22 -rw-r--r-- 3 someuser users 0 Sep 26 07:36 bar
    22 -rw-r--r-- 3 someuser users 0 Sep 26 07:36 baz
    22 -rw-r--r-- 3 someuser users 0 Sep 26 07:36 foo

The link count tells you whether a file has multiple names, while the
inode number tells you which names a file has.

A symlink, OTOH, is just a NEW (special) file, pointing to another file
which may exist or not.

HTH...

    Dirk
-- 

*Dirk Heinrichs*, Senior Systems Engineer, Engineering Solutions
*Recommind GmbH*, Von-Liebig-Straße 1, 53359 Rheinbach
*Tel*: +49 2226 1596666 (Ansage) 1149
*Email*: dhs@recommind.com <mailto:dhs@recommind.com>
*Skype*: dirk.heinrichs.recommind
www.recommind.com <http://www.recommind.com>

[-- Attachment #2.1: Type: text/html, Size: 2447 bytes --]

[-- Attachment #2.2: Logo.gif --]
[-- Type: image/gif, Size: 1537 bytes --]

Re: Hardlinks (was: Re: Does the bash bug have a zsh counterpart?)

[William G. Scott]

On Sep 25, 2014, at 10:46 PM, Dirk Heinrichs <dhs@recommind.com> wrote:

> Am 25.09.2014 um 18:53 schrieb William G. Scott:
> 
>> (About 10 years ago I found a hard link to a then nonexistent ksh behaved properly whereas a symbolic link for whatever reason didn’t).
> 
> A hardlink is nothing more than another name for the same file. When ksh was deleted, …

ksh wasn’t deleted.  This was before Apple provided ksh, and I needed ksh to run some ancient shell-scripts.

I found for some reason if I created a symbolic link from zsh to (the previously non-existent) ksh, the behavior differed from that resulting from hard linking or copying the binary to ksh.

This was at least 10 years ago, fwiw.


William G. Scott

http://scottlab.ucsc.edu/~wgscott