List-Id: Zsh Workers List
X-Seq: 33232
Date: Wed, 24 Sep 2014 16:01:19 +0100
From: Peter Stephenson
To: Frank Terbeck, Zsh Hackers' List
Subject: Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
Message-id: <20140924160119.313cbdcd@pwslap01u.europe.root.pri>
In-reply-to: <87fvfhvzl9.fsf@ft.bewatermyfriend.org>
References: <87fvfhvzl9.fsf@ft.bewatermyfriend.org>
Organization: Samsung Cambridge Solution Centre

On Wed, 24 Sep 2014 16:54:10 +0200
Frank Terbeck wrote:
> Bash has this weird feature, where you can "export functions". I suspect
> that's what's happening here. Zsh doesn't have this feature. Thankfully.

I was going to suggest the same.

Can anyone less lazy / busy [pick whatever you think] than me confirm for
sure? Be nice to know.

Cheers
pws