Date: Thu, 25 Sep 2014 14:11:33 +0100
From: Peter Stephenson
To: Zsh Hackers' List
Subject: Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
Message-id: <20140925141133.49a7127b@pwslap01u.europe.root.pri>
Organization: Samsung Cambridge Solution Centre
List-Id: Zsh Workers List
X-Seq: 33243

If you want to follow up, here's a news story describing the problem and implications:

http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

There's nothing in zsh that corresponds to this particular problem; I can't think of an easy way to get the environment to leak into code in zsh without the code doing it deliberately but feel free to have a think --- some of the special variable handling is quite complicated.

pws