From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <zsh-workers-return-44300-ml=inbox.vuxu.org@zsh.org>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE autolearn=ham
	autolearn_force=no version=3.4.2
Received: from primenet.com.au (ns1.primenet.com.au [203.24.36.2])
	by inbox.vuxu.org (OpenSMTPD) with ESMTP id 9eaed74a
	for <ml@inbox.vuxu.org>;
	Tue, 14 May 2019 21:25:29 +0000 (UTC)
Received: (qmail 17146 invoked by alias); 14 May 2019 21:25:18 -0000
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Id: Zsh Workers List <zsh-workers.zsh.org>
List-Post: <mailto:zsh-workers@zsh.org>
List-Help: <mailto:zsh-workers-help@zsh.org>
List-Unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
X-Seq: 44300
Received: (qmail 6143 invoked by uid 1010); 14 May 2019 21:25:18 -0000
X-Qmail-Scanner-Diagnostics: from out2-smtp.messagingengine.com by f.primenet.com.au (envelope-from <d.s@daniel.shahaf.name>, uid 7791) with qmail-scanner-2.11 
 (clamdscan: 0.101.2/25447. spamassassin: 3.4.2.  
 Clear:RC:0(66.111.4.26):SA:0(-2.6/5.0):. 
 Processed in 4.197358 secs); 14 May 2019 21:25:18 -0000
X-Envelope-From: d.s@daniel.shahaf.name
X-Qmail-Scanner-Mime-Attachments: |
X-Qmail-Scanner-Zip-Files: |
Received-SPF: none (ns1.primenet.com.au: domain at daniel.shahaf.name does not designate permitted sender hosts)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	daniel.shahaf.name; h=mime-version:message-id:in-reply-to
	:references:date:from:to:cc:subject:content-type; s=fm3; bh=r280
	X7Yo10R19OoF30y2gbyVTdl/GQ9xTyr/4Y/9BlM=; b=TlS1w8wg+7mSPEW5JUpl
	SMYTfLqBc2Dwp3Mttk+ZE8Gqn8uxt233GRIpKHTBH8D73ukenvBoYCS0DuEqo5+E
	tv5ttt7APzRFid45QFZzktoLIR3mHvX2IHrps2X8cXP2jpCnTyLRUzX6rXkq/oNZ
	9vDgTRvUWE8Z5VMZ1frt7igLxMM2LPUh3s0OUh/rZn+lzFe0iTFAXlaNpeb/SwL4
	grEPNpVl5pP99Dk3+2y+k6CxR4aiojkeOQ3l+hBAG9FBckwsIfmQT2cMGn6BQBQv
	p5O6meY37CcMOkLZnUh9ijt9azbbvdMyKntJKTGRN1JSfI+keCwIwQ5qwJMy4osa
	SQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-type:date:from:in-reply-to
	:message-id:mime-version:references:subject:to:x-me-proxy
	:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=r280X7
	Yo10R19OoF30y2gbyVTdl/GQ9xTyr/4Y/9BlM=; b=VG7ujpKFmZzeL988KJ25FV
	LuU0opXE/rN3uSUInWa8bNjqxkinf659wpBO3jcLo1+yt0dk4mtGlpEIaFd2kUvP
	QDlSiTyQRCsMulJr5bLeCf2mAoonoztdPSM6aG3qgV6uKLv/5fo9qTbhzAre2FFT
	REdn6Z5lpbFfoAgLY+bPiK7svbHGLVcN6hHhz19NQCtF6uD4J88gcNrhk2zt0AwC
	I4MmclT6f50oVi8L9305z2urO+dFex/RVVWMS/92DdFv9rsKTvAJ3jVoOckCAtS4
	J3uweDdl46uZErWtwX6pKO+Pl0Tc+5dgiEAWJJWuYbDAG7LCltGON5SLxSs+lZgg
	==
X-ME-Sender: <xms:FDLbXJmJJqref7FqtoWc4EBX8nMYc5JAQjc1wy_i4wRKVVobJLgt-g>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduuddrleeigdduiedtucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd
    ertderredtnecuhfhrohhmpedfffgrnhhivghlucfuhhgrhhgrfhdfuceougdrshesuggr
    nhhivghlrdhshhgrhhgrfhdrnhgrmhgvqeenucfrrghrrghmpehmrghilhhfrhhomhepug
    drshesuggrnhhivghlrdhshhgrhhgrfhdrnhgrmhgvnecuvehluhhsthgvrhfuihiivgep
    td
X-ME-Proxy: <xmx:FDLbXMdn7gzu1l55GwM_U7-yMtHCrH0B7MgIuWmhwNZhecN6lg7aag>
    <xmx:FDLbXNT0m37vo4uCbA9sXbplkULI-voCgHkNAonOuLGU3aPilOA0rg>
    <xmx:FDLbXDt0WiXj0PyAT1l3sNeFFuFZU98qUyeNHwRzIYBOE2Dokt2Xgg>
    <xmx:FTLbXCLmKAf8EMRm0e-49HLdzeVBeAszEuCX98hN4mSh7zfdwTh6dA>
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.6-532-g5582127-fmstable-20190514v6
Mime-Version: 1.0
Message-Id: <0b921306-f67c-4971-b9ea-8657c573c5f1@www.fastmail.com>
In-Reply-To: <20190514181026.u4myftmekdtqkhme@chaz.gmail.com>
References: 
 <CAAOKOsfSAR5aRBvEcyQKRzDCvOgRJdyRvVb9AXMq6d22RaUozQ@mail.gmail.com>
 <CAH+w=7YSL2eLRWeXaZj09er-v4noxuALxAum5Zj4awLP=7mQRQ@mail.gmail.com>
 <20190512162149.3fsqupqftmwxrbvd@chaz.gmail.com>
 <CAAOKOsfq-BDfbD1MD01f-soJdhK=rbvr-1kHubCs9uT4GNhG0g@mail.gmail.com>
 <20190514181026.u4myftmekdtqkhme@chaz.gmail.com>
Date: Tue, 14 May 2019 21:24:22 +0000
From: "Daniel Shahaf" <d.s@daniel.shahaf.name>
To: "David Wells" <bughunters@tenable.com>
Cc: zsh-workers@zsh.org
Subject: Re: Zsh - Multiple DoS Vulnerabilities
Content-Type: text/plain

Stephane Chazelas wrote on Tue, 14 May 2019 18:11 +00:00:
> IMO, from a security standpoint, it's not very useful to fuzz
> "code" input provided to zsh, as anyway any "code" allows zsh to
> run any arbitrary command (except for the restricted mode). In
> other words, the "code" is generally not the attacker supplied
> data.

Sounds right.  There might be some corner case here 

> You could fuzz environment variables (the ones zsh cares
> about) or other attacker-controlled data fed to zsh scripts like
> "limits" instead.