From: Phil Pennock <zsh-workers+phil.pennock@spodhuis.org>
To: Peter Stephenson <p.stephenson@samsung.com>
Cc: Zsh Hackers' List <zsh-workers@zsh.org>
Subject: Re: zsh 5.0.7
Date: Thu, 2 Oct 2014 17:43:42 +0000 [thread overview]
Message-ID: <20141002174342.GA61223@tower.spodhuis.org> (raw)
In-Reply-To: <20141002172554.1eff5ce9@pwslap01u.europe.root.pri>
On 2014-10-02 at 17:25 +0100, Peter Stephenson wrote:
> On Thu, 02 Oct 2014 09:16:56 -0700
> Bart Schaefer <schaefer@brasslantern.com> wrote:
> > On Oct 2, 4:58pm, Peter Stephenson wrote:
> > }
> > } Source distribution documentation. Does this sound right?
> >
> > I'd leave out the word "major" -- we don't know of any exploits, do we?
>
> Nothing that would screw you up any more than getting anything else from
> the environment that you didn't sanitise, I don't think. So it can
> leave you more open than to the effects of incautious programming. Not
> sure if that counts.
The oss-security mailing-list folk seem to have settled on:
* Arbitrary untrusted input in environ is okay and expected, as long as
the attacker can't control the name of the variable;
* If the attacker can control the name, then it's the responsibility of
the software at the trust boundary (network server; setuid program)
to filter (to protect against `LD_PRELOAD` and friends) to a
whitelist or sane naming pattern (`HTTP_*`);
* Bad actions taken on variables with arbitrary names is a software bug
in whatever is interpreting the environ, whether a shell or anything
else;
* Bad actions on specific variables (`LD_*`) is expected and is why the
trust boundary has responsibilities.
On this basis, the zsh behaviour for three specific variables is
unexpected and unfortunate, but not a CVE-worthy security bug. But if
folk want to play safe to help vendors track disabling this unfortunate
behaviour, we could always ask for a CVE anyway, even though it
shouldn't be exploitable in any situation in which you're not already
thoroughly screwed.
-Phil
prev parent reply other threads:[~2014-10-02 18:00 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-01 19:38 Peter Stephenson
2014-10-01 19:59 ` Bart Schaefer
2014-10-02 13:37 ` Axel Beckert
2014-10-02 15:58 ` Peter Stephenson
2014-10-02 16:16 ` Bart Schaefer
2014-10-02 16:25 ` Peter Stephenson
2014-10-02 17:43 ` Phil Pennock [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141002174342.GA61223@tower.spodhuis.org \
--to=zsh-workers+phil.pennock@spodhuis.org \
--cc=p.stephenson@samsung.com \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).