* Re: zsh 5.0.7 released
[not found] ` <CAH_OBieFY24--_Ka637pM0g-iKEKLrnz4zXLcWKj9_mx+DKn=w@mail.gmail.com>
@ 2014-10-09 20:48 ` Peter Stephenson
2014-10-09 22:41 ` shawn wilson
0 siblings, 1 reply; 5+ messages in thread
From: Peter Stephenson @ 2014-10-09 20:48 UTC (permalink / raw)
To: shawn wilson, Zsh Hackers' List
Oct 2014 09:55:50 -0400
shawn wilson <ag4ve.us@gmail.com> wrote:
> On Oct 8, 2014 9:56 PM, "Peter Stephenson" <p.w.stephenson@ntlworld.com>
> wrote:
> >
> > Version 5.0.7 of zsh is released. You can get it from
> > http://www.zsh.org/pub and mirrors (see below). This is a stable
> > release. There are minor new features as well as bug fixes since 5.0.6.
> >
> > Note in particular there is a security fix to disallow evaluation of the
> > initial values of integer variables imported from the environment (they
> > are instead treated as literal numbers). That could allow local
> > privilege escalation, under some specific and atypical conditions where
> > zsh is being invoked in privilege elevation contexts when the
> > environment has not been properly sanitized, such as when zsh is invoked
> > by sudo on systems where "env_reset" has been disabled.
> >
>
> Was this security issue in SSH discussed on the list somewhere (I can't
> seem to find other mention of it outside the readme - not even direct
> mention in changelog or git log)...?
I don't know of an ssh issue, but the sudo issue was discussed offline.
The original point about sanitising integer imports, however, was discussed
here.
pws
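The release note quoted above names two conditions that have to coincide: a zsh older than 5.0.7, which evaluates the initial values of integer variables imported from the environment, and a sudo whose env_reset has been disabled so that the caller's environment reaches the elevated shell. The following script is an added example, not code from the zsh project or from anyone in this thread: it checks both conditions offline, from a `zsh --version` line and from `sudo -l` output. The `sudo -l` samples are constructed for the example, and the function names are the example's own; the sudoers lines in the comments are sudo's documented env_reset option.

```shell
#!/bin/sh
# Added example (not from the zsh project or from this thread): check the two
# conditions named in the 5.0.7 release note, an unpatched zsh and a sudo whose
# env_reset has been turned off, from `zsh --version` and `sudo -l` output.
#
# The sudoers setting involved (sudo's documented default is env_reset on):
#     Defaults !env_reset     # weak: the caller's environment reaches the target shell
#     Defaults env_reset      # corrected: environment reset to a minimal set
# Anything that must still pass through is listed explicitly with env_keep.

# zsh_version_fixed "zsh 5.0.7 (x86_64-pc-linux-gnu)"
# Returns 0 when the `zsh --version` line names 5.0.7 or later, 1 when it is
# older, 2 when the line is not a zsh version line at all.
zsh_version_fixed() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^zsh \([0-9][0-9.]*\).*$/\1/p')
    [ -n "$ver" ] || return 2
    # Split the dotted version; missing components count as 0 (5.1 -> 5.1.0).
    set -- $(printf '%s\n' "$ver" | tr '.' ' ')
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -gt 5 ] && return 0
    [ "$maj" -eq 5 ] || return 1
    [ "$min" -gt 0 ] && return 0
    [ "$pat" -ge 7 ] && return 0
    return 1
}

# sudo_env_reset_disabled "<output of sudo -l>"
# Returns 0 when the "Matching Defaults entries" section carries an explicit
# !env_reset token, 1 otherwise. Only that section is inspected, so the same
# string inside a command line further down does not count.
sudo_env_reset_disabled() {
    printf '%s\n' "$1" | awk '
        /^Matching Defaults entries/   { indefs = 1; next }
        /^User .* may run/ || /^$/     { indefs = 0 }
        indefs {
            n = split($0, toks, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", toks[i])
                if (toks[i] == "!env_reset") found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample `sudo -l` output (not captured from a real host).
SUDO_L_WEAK='Matching Defaults entries for alice on host1:
    !env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User alice may run the following commands on host1:
    (ALL : ALL) ALL'

SUDO_L_OK='Matching Defaults entries for alice on host1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User alice may run the following commands on host1:
    (ALL : ALL) ALL'

# report "<zsh --version line>" "<sudo -l output>"
# Prints one line per finding; returns 0 when neither condition from the
# release note applies, 1 when at least one does.
report() {
    rc=0
    if ! zsh_version_fixed "$1"; then
        echo "zsh older than 5.0.7 (or unrecognised): imported integer values are evaluated"
        rc=1
    fi
    if sudo_env_reset_disabled "$2"; then
        echo "sudo has env_reset disabled: the caller's environment reaches zsh"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "neither condition from the release note applies"
    return "$rc"
}

# Offline run on the constructed samples. On a real host use:
#   report "$(zsh --version)" "$(sudo -l 2>/dev/null)"
report "zsh 5.0.6 (x86_64-pc-linux-gnu)" "$SUDO_L_WEAK"
report "zsh 5.0.7 (x86_64-pc-linux-gnu)" "$SUDO_L_OK"
```

Only an explicit `!env_reset` is flagged, because sudo's default is env_reset on and `sudo -l` lists only the Defaults entries that sudoers actually sets; a host whose sudoers never mentions env_reset is therefore reported as not having it disabled, which matches sudo's behaviour.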
* Re: zsh 5.0.7 released
2014-10-09 20:48 ` zsh 5.0.7 released Peter Stephenson
@ 2014-10-09 22:41 ` shawn wilson
2014-10-10 1:54 ` Bart Schaefer
0 siblings, 1 reply; 5+ messages in thread
From: shawn wilson @ 2014-10-09 22:41 UTC (permalink / raw)
To: Peter Stephenson; +Cc: Zsh Hackers' List
Yay cellphone auto correct
On Oct 9, 2014 4:48 PM, "Peter Stephenson" <p.w.stephenson@ntlworld.com>
wrote:
>
> Oct 2014 09:55:50 -0400
> shawn wilson <ag4ve.us@gmail.com> wrote:
> > On Oct 8, 2014 9:56 PM, "Peter Stephenson" <p.w.stephenson@ntlworld.com>
> > wrote:
> > >
> > > Version 5.0.7 of zsh is released. You can get it from
> > > http://www.zsh.org/pub and mirrors (see below). This is a stable
> > > release. There are minor new features as well as bug fixes since 5.0.6.
> > >
> > > Note in particular there is a security fix to disallow evaluation of the
> > > initial values of integer variables imported from the environment (they
> > > are instead treated as literal numbers). That could allow local
> > > privilege escalation, under some specific and atypical conditions where
> > > zsh is being invoked in privilege elevation contexts when the
> > > environment has not been properly sanitized, such as when zsh is invoked
> > > by sudo on systems where "env_reset" has been disabled.
> > >
> >
> > Was this security issue in SSH discussed on the list somewhere (I can't
s/SSH/bash/
> > seem to find other mention of it outside the readme - not even direct
> > mention in changelog or git log)...?
>
And I was referring to the zsh readme, changelog, git log.
> I don't know of an ssh issue, but the sudo issue was discussed offline.
>
> The original point about sanitising integer imports, however, was discussed
> here.
Huh, I'll look again.
* Re: zsh 5.0.7 released
2014-10-09 22:41 ` shawn wilson
@ 2014-10-10 1:54 ` Bart Schaefer
2014-10-11 22:53 ` shawn wilson
0 siblings, 1 reply; 5+ messages in thread
From: Bart Schaefer @ 2014-10-10 1:54 UTC (permalink / raw)
To: Zsh Hackers' List; +Cc: shawn wilson
On Oct 9, 6:41pm, shawn wilson wrote:
}
} > > > privilege escalation, under some specific and atypical conditions
} > > > where zsh is being invoked in privilege elevation contexts when the
} > > > environment has not been properly sanitized, such as when zsh is
} > > > invoked by sudo on systems where "env_reset" has been disabled.
} > >
} > > Was this security issue in SSH discussed on the list somewhere (I can't
}
} s/SSH/bash/
Did you mean zsh instead of bash?
} > > seem to find other mention of it outside the readme - not even direct
} > > mention in changelog or git log)...?
}
} And I was referring to the zsh readme, changelog, git log.
The paragraph about "privilege escalation" quoted above appears at the
top of the README file.
Change log entry is this:
2014-09-29 Peter Stephenson <p.stephenson@samsung.com>
* users/19183: Src/hist.c: handle unlikely error case with
fdopen() better.
* 33276: Src/params.c, Src/zsh.h: safer import of numerical
variables from environment.
The git log is very brief and is the same as the 33276 ChangeLog.
} > I don't know of an ssh issue, but the sudo issue was discussed offline.
} >
} > The original point about sanitising integer imports, however, was discussed
} > here.
}
} Huh, I'll look again.
The first mention of the integer import problem on the list is here:
http://www.zsh.org/mla/workers/2014/msg01041.html
--
Barton E. Schaefer
* Re: zsh 5.0.7 released
2014-10-10 1:54 ` Bart Schaefer
@ 2014-10-11 22:53 ` shawn wilson
0 siblings, 0 replies; 5+ messages in thread
From: shawn wilson @ 2014-10-11 22:53 UTC (permalink / raw)
To: Bart Schaefer; +Cc: Zsh Hackers' List
Ty
On Oct 9, 2014 9:53 PM, "Bart Schaefer" <schaefer@brasslantern.com> wrote:
> On Oct 9, 6:41pm, shawn wilson wrote:
> }
> } > > > privilege escalation, under some specific and atypical conditions
> } > > > where zsh is being invoked in privilege elevation contexts when the
> } > > > environment has not been properly sanitized, such as when zsh is
> } > > > invoked by sudo on systems where "env_reset" has been disabled.
> } > >
> } > > Was this security issue in SSH discussed on the list somewhere (I can't
> }
> } s/SSH/bash/
>
> Did you mean zsh instead of bash?
>
> } > > seem to find other mention of it outside the readme - not even direct
> } > > mention in changelog or git log)...?
> }
> } And I was referring to the zsh readme, changelog, git log.
>
> The paragraph about "privilege escalation" quoted above appears at the
> top of the README file.
>
> Change log entry is this:
>
> 2014-09-29 Peter Stephenson <p.stephenson@samsung.com>
>
> * users/19183: Src/hist.c: handle unlikely error case with
> fdopen() better.
>
> * 33276: Src/params.c, Src/zsh.h: safer import of numerical
> variables from environment.
>
> The git log is very brief and is the same as the 33276 ChangeLog.
>
>
> } > I don't know of an ssh issue, but the sudo issue was discussed offline.
> } >
> } > The original point about sanitising integer imports, however, was discussed
> } > here.
> }
> } Huh, I'll look again.
>
> The first mention of the integer import problem on the list is here:
>
> http://www.zsh.org/mla/workers/2014/msg01041.html
>
> --
> Barton E. Schaefer
>
* Re: zsh 5.0.7 released
[not found] <20141008193835.5d66c0ad@pws-pc.ntlworld.com>
[not found] ` <CAH_OBieFY24--_Ka637pM0g-iKEKLrnz4zXLcWKj9_mx+DKn=w@mail.gmail.com>
@ 2014-10-11 0:18 ` Simon Ruderich
1 sibling, 0 replies; 5+ messages in thread
From: Simon Ruderich @ 2014-10-11 0:18 UTC (permalink / raw)
To: zsh-workers
On Wed, Oct 08, 2014 at 07:38:35PM +0100, Peter Stephenson wrote:
> Version 5.0.7 of zsh is released. You can get it from
> http://www.zsh.org/pub and mirrors (see below). This is a stable
> release. There are minor new features as well as bug fixes since 5.0.6.
Hello,
I've updated the website [1] for this release. The commits are in
the public web repository [2] (f4795e, d6e3cb; tag zsh-5.0.7). If
you find any problems/mistakes please tell me.
Regards
Simon
[1]: http://zsh.sourceforge.net/
[2]: http://zsh.git.sourceforge.net/git/gitweb.cgi?p=zsh/web;a=summary
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9