Re: zsh 5.0.7 released

Re: zsh 5.0.7 released

[Peter Stephenson]

 Oct 2014 09:55:50 -0400
shawn wilson <ag4ve.us@gmail.com> wrote:
> On Oct 8, 2014 9:56 PM, "Peter Stephenson" <p.w.stephenson@ntlworld.com>
> wrote:
> >
> > Version 5.0.7 of zsh is released.  You can get it from
> > http://www.zsh.org/pub and mirrors (see below).  This is a stable
> > release.  There are minor new features as well as bug fixes since 5.0.6.
> >
> > Note in particular there is a security fix to disallow evaluation of the
> > initial values of integer variables imported from the environment (they
> > are instead treated as literal numbers).  That could allow local
> > privilege escalation, under some specific and atypical conditions where
> > zsh is being invoked in privilege elevation contexts when the
> > environment has not been properly sanitized, such as when zsh is invoked
> > by sudo on systems where "env_reset" has been disabled.
> >
> 
> Was this security issue in SSH discussed on the list somewhere (I can't
> seem to find other mention of it outside the readme - not even direct
> mention in changelog or git log)...?

I don't know of an ssh issue,  but the sudo issue was discussed offline.

The original point about sanitising integer imports, however, was discussed
here.

pws

Re: zsh 5.0.7 released

[shawn wilson]

[-- Attachment #1: Type: text/plain, Size: 1470 bytes --]

Yay cellphone auto correct
On Oct 9, 2014 4:48 PM, "Peter Stephenson" <p.w.stephenson@ntlworld.com>
wrote:
>
>  Oct 2014 09:55:50 -0400
> shawn wilson <ag4ve.us@gmail.com> wrote:
> > On Oct 8, 2014 9:56 PM, "Peter Stephenson" <p.w.stephenson@ntlworld.com>
> > wrote:
> > >
> > > Version 5.0.7 of zsh is released.  You can get it from
> > > http://www.zsh.org/pub and mirrors (see below).  This is a stable
> > > release.  There are minor new features as well as bug fixes since
5.0.6.
> > >
> > > Note in particular there is a security fix to disallow evaluation of
the
> > > initial values of integer variables imported from the environment
(they
> > > are instead treated as literal numbers).  That could allow local
> > > privilege escalation, under some specific and atypical conditions
where
> > > zsh is being invoked in privilege elevation contexts when the
> > > environment has not been properly sanitized, such as when zsh is
invoked
> > > by sudo on systems where "env_reset" has been disabled.
> > >
> >
> > Was this security issue in SSH discussed on the list somewhere (I can't

s/SSH/bash/

> > seem to find other mention of it outside the readme - not even direct
> > mention in changelog or git log)...?
>

And I was referring to the zsh readme, changelog, git log.

> I don't know of an ssh issue,  but the sudo issue was discussed offline.
>
> The original point about sanitising integer imports, however, was
discussed
> here.

Huh, I'll look again.

Re: zsh 5.0.7 released

[Bart Schaefer]

On Oct 9,  6:41pm, shawn wilson wrote:
}
} > > > privilege escalation, under some specific and atypical conditions
} > > > where zsh is being invoked in privilege elevation contexts when the
} > > > environment has not been properly sanitized, such as when zsh is
} > > > invoked by sudo on systems where "env_reset" has been disabled.
} > >
} > > Was this security issue in SSH discussed on the list somewhere (I can't
} 
} s/SSH/bash/

Did you mean zsh instead of bash?

} > > seem to find other mention of it outside the readme - not even direct
} > > mention in changelog or git log)...?
} 
} And I was referring to the zsh readme, changelog, git log.

The paragraph about "privilege escalation" quoted above appears at the
top of the README file.

Change log entry is this:

2014-09-29  Peter Stephenson  <p.stephenson@samsung.com>

        * users/19183: Src/hist.c: handle unlikely error case with
        fdopen() better.

        * 33276: Src/params.c, Src/zsh.h: safer import of numerical
        variables from environment.

The git log is very brief and is the same as the 33276 ChangeLog.


} > I don't know of an ssh issue,  but the sudo issue was discussed offline.
} >
} > The original point about sanitising integer imports, however, was
} discussed
} > here.
} 
} Huh, I'll look again.

The first mention of the integer import problem on the list is here:

    http://www.zsh.org/mla/workers/2014/msg01041.html

-- 
Barton E. Schaefer

Re: zsh 5.0.7 released

[Simon Ruderich]

[-- Attachment #1: Type: text/plain, Size: 688 bytes --]

On Wed, Oct 08, 2014 at 07:38:35PM +0100, Peter Stephenson wrote:
> Version 5.0.7 of zsh is released.  You can get it from
> http://www.zsh.org/pub and mirrors (see below).  This is a stable
> release.  There are minor new features as well as bug fixes since 5.0.6.

Hello,

I've updated the website [1] for this release. The commits are in
the public web repository [2] (f4795e, d6e3cb; tag zsh-5.0.7). If
you find any problems/mistakes please tell me.

Regards
Simon

[1]: http://zsh.sourceforge.net/
[2]: http://zsh.git.sourceforge.net/git/gitweb.cgi?p=zsh/web;a=summary
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: zsh 5.0.7 released

[shawn wilson]

[-- Attachment #1: Type: text/plain, Size: 1617 bytes --]

Ty
On Oct 9, 2014 9:53 PM, "Bart Schaefer" <schaefer@brasslantern.com> wrote:

> On Oct 9,  6:41pm, shawn wilson wrote:
> }
> } > > > privilege escalation, under some specific and atypical conditions
> } > > > where zsh is being invoked in privilege elevation contexts when the
> } > > > environment has not been properly sanitized, such as when zsh is
> } > > > invoked by sudo on systems where "env_reset" has been disabled.
> } > >
> } > > Was this security issue in SSH discussed on the list somewhere (I
> can't
> }
> } s/SSH/bash/
>
> Did you mean zsh instead of bash?
>
> } > > seem to find other mention of it outside the readme - not even direct
> } > > mention in changelog or git log)...?
> }
> } And I was referring to the zsh readme, changelog, git log.
>
> The paragraph about "privilege escalation" quoted above appears at the
> top of the README file.
>
> Change log entry is this:
>
> 2014-09-29  Peter Stephenson  <p.stephenson@samsung.com>
>
>         * users/19183: Src/hist.c: handle unlikely error case with
>         fdopen() better.
>
>         * 33276: Src/params.c, Src/zsh.h: safer import of numerical
>         variables from environment.
>
> The git log is very brief and is the same as the 33276 ChangeLog.
>
>
> } > I don't know of an ssh issue,  but the sudo issue was discussed
> offline.
> } >
> } > The original point about sanitising integer imports, however, was
> } discussed
> } > here.
> }
> } Huh, I'll look again.
>
> The first mention of the integer import problem on the list is here:
>
>     http://www.zsh.org/mla/workers/2014/msg01041.html
>
> --
> Barton E. Schaefer
>