From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <zsh-workers-return-44304-ml=inbox.vuxu.org@zsh.org>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE autolearn=ham
	autolearn_force=no version=3.4.2
Received: from primenet.com.au (ns1.primenet.com.au [203.24.36.2])
	by inbox.vuxu.org (OpenSMTPD) with ESMTP id 550bb814
	for <ml@inbox.vuxu.org>;
	Wed, 15 May 2019 10:49:22 +0000 (UTC)
Received: (qmail 15628 invoked by alias); 15 May 2019 10:49:05 -0000
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Id: Zsh Workers List <zsh-workers.zsh.org>
List-Post: <mailto:zsh-workers@zsh.org>
List-Help: <mailto:zsh-workers-help@zsh.org>
List-Unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
X-Seq: 44304
Received: (qmail 13021 invoked by uid 1010); 15 May 2019 10:49:05 -0000
X-Qmail-Scanner-Diagnostics: from out1-smtp.messagingengine.com by f.primenet.com.au (envelope-from <d.s@daniel.shahaf.name>, uid 7791) with qmail-scanner-2.11 
 (clamdscan: 0.101.2/25447. spamassassin: 3.4.2.  
 Clear:RC:0(66.111.4.25):SA:0(-2.6/5.0):. 
 Processed in 4.687425 secs); 15 May 2019 10:49:05 -0000
X-Envelope-From: d.s@daniel.shahaf.name
X-Qmail-Scanner-Mime-Attachments: |
X-Qmail-Scanner-Zip-Files: |
Received-SPF: none (ns1.primenet.com.au: domain at daniel.shahaf.name does not designate permitted sender hosts)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	daniel.shahaf.name; h=mime-version:message-id:in-reply-to
	:references:date:from:to:cc:subject:content-type; s=fm3; bh=8q9/
	KMy42pbVVfvXbr7mhTjVZ0ITupw0n1igHBBEp68=; b=epgSWjuC1ACaN6kISug1
	EzWxOYgCoF6Q6JWdg8eIH02yKUeUfwMlxZWh9bSuAyzZQLBMygtX8zWeL8nhi4gQ
	s0sXNFgFUIqm7RJJB3LMZs4uu2M+NSXoLFqnmZ9tfKGjCvX+WCREy/SPg3lPcSGf
	y8zExMXB6t5HsmHMW4t0cUZT4prgiAOwWEU/rNLr0HEGkrweomxMtKtpPn2fX8tM
	Et+BQE4XUv4xuSCqfV8E/zQDBJLvkk50+g515r6wqyQ6NsX33KVuvR+D5zAbH3XV
	maMcsZRrMhxgC++jK6g+CxjWTdYyADWskisevmU6oALdZRZEfDJVRgcAEnhpqZz4
	uQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-type:date:from:in-reply-to
	:message-id:mime-version:references:subject:to:x-me-proxy
	:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=8q9/KM
	y42pbVVfvXbr7mhTjVZ0ITupw0n1igHBBEp68=; b=qZ+qEm4F89iiEPgjcdzMOB
	Dh61x4eHC6z+TNnytkwknBVoB7LNXf68r+yWb1RZ2wM+56h4Pml8WMpa9AgNRY5t
	sMWk3szJRN4qUEeV0NaksUhG1FhfGMt/6OHzeGkkXZHayofbMrK4dwkX25Yp0jZX
	24j8JVg9gzBnVtuYNU3mm8d1Rdsi5bvJZ/1KfFKZmSWopIdi6971ZufnHrKeB8oP
	uMTA5bhKgxrIfGqyYMuCSQ+6qkOdjhLfJchfURWEA8f7Fpt3/dKjQian84r9ANS2
	N3KilUOjYbf7AHgYafMxI2caoJmVEnr7RXQJW2eJE5kbWNFryQBgm+B8uzplXTFg
	==
X-ME-Sender: <xms:d-7bXG5wTje_jbg6_EY8HkQGg8qdksa51R2WCUlKHC6UO3Ub6Whe6A>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduuddrleekgdefgecutefuodetggdotefrodftvf
    curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
    uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre
    dtreertdenucfhrhhomhepfdffrghnihgvlhcuufhhrghhrghffdcuoegurdhssegurghn
    ihgvlhdrshhhrghhrghfrdhnrghmvgeqnecurfgrrhgrmhepmhgrihhlfhhrohhmpegurd
    hssegurghnihgvlhdrshhhrghhrghfrdhnrghmvgenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:d-7bXCjTmKoV4EIq7wHYVNNVNBpbyjTFIoBvX6xngWXgeMS16yvUcQ>
    <xmx:d-7bXKad_IJdbt0EPCEaM_DVWPKGpJ3eK0rUW3Emc43ja07ZxToSsA>
    <xmx:d-7bXGGRqXbqISiAnWOENog0-OZ0h2p3OrWHKR0Ht55w-tOthCR3aA>
    <xmx:eO7bXGyvff8K87lSPQRFM0p_jyN4VgU7S3q3auyn9yMil5mLYOLVuA>
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.6-541-gda5ca9a-fmstable-20190515v2
Mime-Version: 1.0
Message-Id: <064219c7-0927-433e-96fc-1e210c7fa276@www.fastmail.com>
In-Reply-To: 
 <CAH+w=7bLsrFOcsPX491x_jNQmorvG3sYT2WaGtR0RciTTxB6pw@mail.gmail.com>
References: 
 <CAAOKOsfSAR5aRBvEcyQKRzDCvOgRJdyRvVb9AXMq6d22RaUozQ@mail.gmail.com>
 <CAH+w=7YSL2eLRWeXaZj09er-v4noxuALxAum5Zj4awLP=7mQRQ@mail.gmail.com>
 <20190512162149.3fsqupqftmwxrbvd@chaz.gmail.com>
 <CAAOKOsfq-BDfbD1MD01f-soJdhK=rbvr-1kHubCs9uT4GNhG0g@mail.gmail.com>
 <20190514181026.u4myftmekdtqkhme@chaz.gmail.com>
 <54c02a72-cbcf-4036-9a72-7df24c0041d2@www.fastmail.com>
 <CAH+w=7bLsrFOcsPX491x_jNQmorvG3sYT2WaGtR0RciTTxB6pw@mail.gmail.com>
Date: Wed, 15 May 2019 10:48:23 +0000
From: "Daniel Shahaf" <d.s@daniel.shahaf.name>
To: zsh-workers@zsh.org
Cc: "David Wells" <bughunters@tenable.com>
Subject: Re: Zsh - Multiple DoS Vulnerabilities
Content-Type: text/plain

Bart Schaefer wrote on Tue, 14 May 2019 22:26 +00:00:
> On Tue, May 14, 2019 at 2:39 PM Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
> >
> > I've been trying to come up with counterexamples.  What if somebody
> > installed a /etc/zshenv that does, say, 'disable zmodload enable'?
> 
> You can bypass /etc/zshenv by, for example, invoking zsh as "sh" and
> then running "emulate -R" and/or otherwise futzing with setopts.

I don't think there's an easy solution here, since sourcing /etc/zshenv
in mid-session could be a can of worms, too.

> So either THAT is a security flaw, or your example isn't one either.

I suppose my example was a security flaw _in the sysadmin's setup_.  If someone
wants to make the case that it's a bug in zsh, I'm all ears.

Cheers,

Daniel