Date: Thu, 2 Oct 2014 17:43:42 +0000
From: Phil Pennock
To: Peter Stephenson
Cc: Zsh Hackers' List
Subject: Re: zsh 5.0.7
Message-ID: <20141002174342.GA61223@tower.spodhuis.org>
References: <20141001203847.2a7c000d@pws-pc.ntlworld.com> <20141002165807.0dc13b68@pwslap01u.europe.root.pri> <141002091656.ZM12380@torch.brasslantern.com> <20141002172554.1eff5ce9@pwslap01u.europe.root.pri>
In-Reply-To: <20141002172554.1eff5ce9@pwslap01u.europe.root.pri>

On 2014-10-02 at 17:25 +0100, Peter Stephenson wrote:
> On Thu, 02 Oct 2014 09:16:56 -0700
> Bart Schaefer wrote:
> > On Oct 2, 4:58pm, Peter Stephenson wrote:
> > }
> > } Source distribution documentation. Does this sound right?
> >
> > I'd leave out the word "major" -- we don't know of any exploits, do we?
>
> Nothing that would screw you up any more than getting anything else from
> the environment that you didn't sanitise, I don't think. So it can
> leave you more open than to the effects of incautious programming. Not
> sure if that counts.

The oss-security mailing-list folk seem to have settled on:

 * Arbitrary untrusted input in environ is okay and expected, as long as
   the attacker can't control the name of the variable;
 * If the attacker can control the name, then it's the responsibility of
   the software at the trust boundary (network server; setuid program) to
   filter (to protect against `LD_PRELOAD` and friends) to a whitelist or
   sane naming pattern (`HTTP_*`);
 * Bad actions taken on variables with arbitrary names are a software bug
   in whatever is interpreting the environ, whether a shell or anything
   else;
 * Bad actions on specific variables (`LD_*`) are expected and are why the
   trust boundary has responsibilities.

On this basis, the zsh behaviour for three specific variables is
unexpected and unfortunate, but not a CVE-worthy security bug.

But if folk want to play safe to help vendors track disabling this
unfortunate behaviour, we could always ask for a CVE anyway, even though
it shouldn't be exploitable in any situation in which you're not already
thoroughly screwed.

-Phil
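An added example, not part of this thread or of zsh itself, of the trust-boundary filtering Phil's second bullet describes: a gateway (a CGI-style network front end or a setuid wrapper) builds the child's environment by variable *name*, keeping an allowlist of exact names plus the `HTTP_*` naming pattern and dropping everything else, `LD_*` included, while passing the *values* through untouched. The function `filter_environ`, the allowlist contents, the fixed `SAFE_PATH` and the `SAMPLE_ENVIRON` dictionary are all assumptions constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical allowlist for a CGI-style gateway; an assumption for this
# example, not something the zsh thread specifies.  PATH is accepted by name
# but its value is always replaced with SAFE_PATH below.
ALLOWED_EXACT = frozenset({
    "PATH", "HOME", "LANG", "TZ",
    "REQUEST_METHOD", "QUERY_STRING", "CONTENT_TYPE", "CONTENT_LENGTH",
    "REMOTE_ADDR", "SCRIPT_NAME", "PATH_INFO", "SERVER_NAME", "SERVER_PORT",
})
# The "sane naming pattern" from the thread: client request headers arrive
# as HTTP_<HEADER> and are expected to carry untrusted values.
ALLOWED_PREFIXES = ("HTTP_",)

# A name that is not a valid POSIX shell identifier was never a legitimate
# variable name; drop it outright rather than let a later interpreter guess.
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Defence in depth: names the dynamic loader and shells treat specially are
# refused even if someone later adds them to the allowlist by mistake.
_DENIED_PREFIXES = ("LD_", "DYLD_")
_DENIED_EXACT = frozenset({"IFS", "ENV", "BASH_ENV"})

# A fixed, trusted PATH so the child never inherits the caller's search path.
SAFE_PATH = "/usr/bin:/bin"


def _allowed(name: str) -> bool:
    """Decide purely on the variable name, never on its value."""
    if not _NAME_RE.match(name):
        return False
    if name in _DENIED_EXACT or name.startswith(_DENIED_PREFIXES):
        return False
    if name in ALLOWED_EXACT:
        return True
    return name.startswith(ALLOWED_PREFIXES)


def filter_environ(environ: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (child_env, dropped_names).

    child_env holds only variables whose names pass the allowlist; values are
    copied unchanged, since untrusted values under trusted names are the
    expected case.  PATH is always set to SAFE_PATH.  dropped_names lists,
    sorted, every incoming name that was refused, for logging at the boundary.
    """
    child = {name: value for name, value in environ.items() if _allowed(name)}
    child["PATH"] = SAFE_PATH
    dropped = sorted(name for name in environ if not _allowed(name))
    return child, dropped


# Constructed sample environment as a front end might see it: a mix of
# legitimate request variables, an attacker-chosen search path, a loader
# variable, a shell-special variable and a name that is not an identifier.
SAMPLE_ENVIRON = {
    "PATH": "/tmp/untrusted:/usr/bin",
    "HOME": "/var/www",
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "a=1",
    "HTTP_USER_AGENT": "Mozilla/5.0 (untrusted)",
    "HTTP_X_FORWARDED_FOR": "198.51.100.7",
    "HTTP_X_ODD NAME": "x",
    "LD_PRELOAD": "/tmp/untrusted.so",
    "IFS": ":",
    "SHELLOPTS": "xtrace",
}


if __name__ == "__main__":
    child_env, dropped = filter_environ(SAMPLE_ENVIRON)
    for name in sorted(child_env):
        print(f"keep  {name}={child_env[name]}")
    for name in dropped:
        print(f"drop  {name}")
```

The child environment would then be handed to the subprocess call (for instance `subprocess.run(argv, env=child_env)`), so that whatever interprets it downstream, a shell included, only ever sees names the boundary chose; the dropped list is what you would log to detect clients probing with loader or shell-special names.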