zsh-workers
* zsh 5.0.7
From: Peter Stephenson @ 2014-10-01 19:38 UTC (permalink / raw)
  To: Zsh Hackers' List

I'd like to release 5.0.7 imminently to get the environment fix for
integer evaluation out.  There's some other interesting stuff, too.

Anything else needs doing right now?

pws



* Re: zsh 5.0.7
From: Bart Schaefer @ 2014-10-01 19:59 UTC (permalink / raw)
  To: Zsh hackers list


On Oct 1, 2014 12:38 PM, "Peter Stephenson" <p.w.stephenson@ntlworld.com>
wrote:
>
> I'd like to release 5.0.7 imminently

I was hoping you would say that.


* Re: zsh 5.0.7
From: Axel Beckert @ 2014-10-02 13:37 UTC (permalink / raw)
  To: zsh-workers

Hi,

On Wed, Oct 01, 2014 at 08:38:47PM +0100, Peter Stephenson wrote:
> I'd like to release 5.0.7 imminently to get the environment fix for
> integer evaluation out.  There's some other interesting stuff, too.

Indeed.

> Anything else needs doing right now?

Hopefully not. ;-)

FYI: We (the Debian packagers of zsh) would be happy to see the
release of 5.0.7 rather soon, too. The freeze for the next Debian
stable is scheduled for the beginning of November and we'd need to get
5.0.7 uploaded latest on 24th of October to get it in. Preferably much
sooner, though.

		Kind regards, Axel
-- 
/~\  Plain Text Ribbon Campaign                   | Axel Beckert
\ /  Say No to HTML in E-Mail and News            | abe@deuxchevaux.org  (Mail)
 X   See http://www.nonhtmlmail.org/campaign.html | abe@noone.org (Mail+Jabber)
/ \  I love long mails: http://email.is-not-s.ms/ | http://noone.org/abe/ (Web)



* Re: zsh 5.0.7
From: Peter Stephenson @ 2014-10-02 15:58 UTC (permalink / raw)
  To: Zsh Hackers' List

Source distribution documentation.  Does this sound right?

diff --git a/Etc/FAQ.yo b/Etc/FAQ.yo
index ed703c6..08ea979 100644
--- a/Etc/FAQ.yo
+++ b/Etc/FAQ.yo
@@ -302,7 +302,7 @@ sect(On what machines will it run?)
 
 sect(What's the latest version?)
 
-  Zsh 5.0.6 is the latest production version.  For details of all the
+  Zsh 5.0.7 is the latest production version.  For details of all the
   changes, see the NEWS file in the source distribution.
 
   A beta of the next version is sometimes available.  Development of zsh is
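Review bot: the FAQ text kept here sends readers to the NEWS file for "details of all the changes", yet this patch only bumps the version number and adds no NEWS entry for the environment-import fix that the README hunk describes; confirm that NEWS (not shown in this patch) carries the same security note, otherwise readers who follow the FAQ's pointer never see it.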
diff --git a/README b/README
index 198e4c8..2faa135 100644
--- a/README
+++ b/README
@@ -5,8 +5,14 @@ THE Z SHELL (ZSH)
 Version
 -------
 
-This is version 5.0.6 of the shell.  This is a stable release.
-There are minor new features as well as bug fixes since 5.0.5.
+This is version 5.0.7 of the shell.  This is a stable release.
+There are minor new features as well as bug fixes since 5.0.6.
+
+Note in particular there is a security fix to disallow evaluation of the
+initial values of integer variables imported from the environment (they
+are instead treated as literal numbers).  Although no major exploits are
+currently known with this issue it is recommended to upgrade as soon as
+possible.
 
 Installing Zsh
 --------------
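Review bot: the added README paragraph hedges with "no major exploits are currently known", which implies lesser ones are; since the thread says none are known, write "no exploits are currently known" (as Bart also suggests downthread). The paragraph would also be more useful to distributors if it said which variables are affected (a later reply refers to three specific ones) and which releases have the old behaviour, because this is the text vendors will quote when deciding whether to backport.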

pws



* Re: zsh 5.0.7
From: Bart Schaefer @ 2014-10-02 16:16 UTC (permalink / raw)
  To: Peter Stephenson, Zsh Hackers' List

On Oct 2,  4:58pm, Peter Stephenson wrote:
}
} Source distribution documentation.  Does this sound right?

I'd leave out the word "major" -- we don't know of any exploits, do we?

Otherwise fine.



* Re: zsh 5.0.7
From: Peter Stephenson @ 2014-10-02 16:25 UTC (permalink / raw)
  To: Zsh Hackers' List

On Thu, 02 Oct 2014 09:16:56 -0700
Bart Schaefer <schaefer@brasslantern.com> wrote:
> On Oct 2,  4:58pm, Peter Stephenson wrote:
> }
> } Source distribution documentation.  Does this sound right?
> 
> I'd leave out the word "major" -- we don't know of any exploits, do we?

Nothing that would screw you up any more than getting anything else from
the environment that you didn't sanitise, I don't think.  So it can
leave you more open than to the effects of incautious programming.  Not
sure if that counts.

pws



* Re: zsh 5.0.7
From: Phil Pennock @ 2014-10-02 17:43 UTC (permalink / raw)
  To: Peter Stephenson; +Cc: Zsh Hackers' List

On 2014-10-02 at 17:25 +0100, Peter Stephenson wrote:
> On Thu, 02 Oct 2014 09:16:56 -0700
> Bart Schaefer <schaefer@brasslantern.com> wrote:
> > On Oct 2,  4:58pm, Peter Stephenson wrote:
> > }
> > } Source distribution documentation.  Does this sound right?
> > 
> > I'd leave out the word "major" -- we don't know of any exploits, do we?
> 
> Nothing that would screw you up any more than getting anything else from
> the environment that you didn't sanitise, I don't think.  So it can
> leave you more open than to the effects of incautious programming.  Not
> sure if that counts.

The oss-security mailing-list folk seem to have settled on:

 * Arbitrary untrusted input in environ is okay and expected, as long as
   the attacker can't control the name of the variable;
 * If the attacker can control the name, then it's the responsibility of
   the software at the trust boundary (network server; setuid program)
   to filter (to protect against `LD_PRELOAD` and friends) to a
   whitelist or sane naming pattern (`HTTP_*`);
 * Bad actions taken on variables with arbitrary names is a software bug
   in whatever is interpreting the environ, whether a shell or anything
   else;
 * Bad actions on specific variables (`LD_*`) is expected and is why the
   trust boundary has responsibilities.

On this basis, the zsh behaviour for three specific variables is
unexpected and unfortunate, but not a CVE-worthy security bug.  But if
folk want to play safe to help vendors track disabling this unfortunate
behaviour, we could always ask for a CVE anyway, even though it
shouldn't be exploitable in any situation in which you're not already
thoroughly screwed.

-Phil
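
As an added illustration of the two defensive points made in this thread (Phil's trust-boundary rule above, and the README note earlier in the thread that integer values imported from the environment are now treated as literal numbers rather than evaluated), here is a Python example that is not part of the thread or of zsh itself. The whitelist-plus-pattern policy and the `HTTP_*` prefix come from Phil's message; the `ALLOWED_NAMES` set is an assumed site policy; `import_integer` is my illustration of a literal-only parse and not zsh's implementation; and the sample environment is constructed.

```python
import os
import re
import subprocess

# Added example, not zsh code: (1) an environment filter for the trust
# boundary described in the thread (keep a whitelist plus a sane name
# pattern, drop everything else) and (2) a literal-only integer import in
# the spirit of the README note, where a value is accepted as a plain
# number or not at all, never evaluated as an expression.

# Assumption: the literal names a site chooses to pass through. The HTTP_
# prefix is the CGI-style pattern mentioned in the thread.
ALLOWED_NAMES = frozenset({"PATH", "HOME", "LANG", "TZ"})
ALLOWED_PATTERN = re.compile(r"^HTTP_[A-Z0-9_]+$")
# POSIX shell variable-name syntax; anything else is not a name a shell
# should be asked to import at all.
SAFE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# A plain decimal literal with optional sign: no operators, brackets or
# embedded whitespace.
INT_LITERAL = re.compile(r"^[+-]?[0-9]+$")


def filter_environment(environ, allowed_names=ALLOWED_NAMES,
                       allowed_pattern=ALLOWED_PATTERN):
    """Return (kept, dropped): kept is a dict safe to hand to a child
    process, dropped is the sorted list of names that were refused."""
    kept, dropped = {}, []
    for name, value in environ.items():
        if not SAFE_NAME.match(name):
            dropped.append(name)
        elif name in allowed_names or allowed_pattern.match(name):
            kept[name] = value
        else:
            # Unknown name: the boundary, not the shell, is responsible
            # for refusing it, so it never reaches the interpreter.
            dropped.append(name)
    return kept, sorted(dropped)


def import_integer(value):
    """Treat an environment value destined for an integer variable as a
    literal number only. Returns the int, or None when the value is not a
    plain literal (so '1+1' or 'a[0]' is rejected rather than evaluated).
    This mirrors the README's description, not zsh's own code."""
    text = value.strip()
    if INT_LITERAL.match(text):
        return int(text)
    return None


def run_with_filtered_env(argv, environ=None):
    """Spawn argv with only the filtered environment (hypothetical helper
    showing where the filter sits: just before the child is started)."""
    kept, _ = filter_environment(os.environ if environ is None else environ)
    return subprocess.run(argv, env=kept, capture_output=True, text=True,
                          check=False)


# Constructed sample environment: what a network server might see after a
# request it does not fully control. Values are placeholders.
SAMPLE_ENVIRON = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/var/empty",
    "HTTP_USER_AGENT": "curl/7.0",
    "LD_PRELOAD": "/untrusted/library.so",
    "COUNT": "1+1",
    "weird-name": "x",
}

if __name__ == "__main__":
    kept, dropped = filter_environment(SAMPLE_ENVIRON)
    print("kept:", sorted(kept))
    print("dropped:", dropped)
    for raw in ("42", "-7", "1+1", "a[0]"):
        print(repr(raw), "->", import_integer(raw))
    result = run_with_filtered_env(
        ["/bin/sh", "-c", "echo LD_PRELOAD=${LD_PRELOAD:-unset}"],
        SAMPLE_ENVIRON)
    print(result.stdout.strip())
```

The two functions sit on different sides of the boundary Phil draws: `filter_environment` belongs in the server or setuid wrapper that decides which names may exist at all, while `import_integer` is what a consumer of the environment should do with a value it has declared numeric, so that a surprising value is merely rejected instead of interpreted.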


