From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=5.0 tests=MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_NONE autolearn=ham autolearn_force=no version=3.4.4
Received: (qmail 30111 invoked from network); 23 May 2020 02:18:32 -0000
Received: from ns1.primenet.com.au (HELO primenet.com.au) (203.24.36.2)
  by inbox.vuxu.org with ESMTPUTF8; 23 May 2020 02:18:32 -0000
Received: (qmail 4887 invoked by alias); 23 May 2020 02:18:19 -0000
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Id: Zsh Workers List <zsh-workers.zsh.org>
List-Post: <mailto:zsh-workers@zsh.org>
List-Help: <mailto:zsh-workers-help@zsh.org>
List-Unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
X-Seq: 45898
Received: (qmail 1312 invoked by uid 1010); 23 May 2020 02:18:19 -0000
X-Qmail-Scanner-Diagnostics: from out2-smtp.messagingengine.com by f.primenet.com.au (envelope-from <d.s@daniel.shahaf.name>, uid 7791) with qmail-scanner-2.11 
 (clamdscan: 0.102.3/25814. spamassassin: 3.4.4.  
 Clear:RC:0(66.111.4.26):SA:0(-2.6/5.0):. 
 Processed in 4.815277 secs); 23 May 2020 02:18:19 -0000
X-Envelope-From: d.s@daniel.shahaf.name
X-Qmail-Scanner-Mime-Attachments: |
X-Qmail-Scanner-Zip-Files: |
Received-SPF: none (ns1.primenet.com.au: domain at daniel.shahaf.name does not designate permitted sender hosts)
X-ME-Sender: <xms:v4fIXsmaESYaJBbNYfj8KXhqfT30Ln2bUAwPY0yGFEy443JVfAkc6g>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedruddugedgheegucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkjghfofggtgfgsehtqh
    dttdertdejnecuhfhrohhmpeffrghnihgvlhcuufhhrghhrghfuceougdrshesuggrnhhi
    vghlrdhshhgrhhgrfhdrnhgrmhgvqeenucggtffrrghtthgvrhhnpedtudfhkefggfeggf
    evieeiheehkeethfdugeeugeeukeeifeevkeekhfeuvddtgfenucffohhmrghinheprghu
    shhtihhnghhrohhuphgsuhhgshdrnhgvthenucfkphepjeelrddujeejrddufeegrdefne
    cuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepugdrshes
    uggrnhhivghlrdhshhgrhhgrfhdrnhgrmhgv
X-ME-Proxy: <xmx:v4fIXr2Z0U2nDsHxOPVWE4z7jVO8Aw124JuQdk9RauoJOM8P5n9UjQ>
    <xmx:v4fIXqqb-gmRA-PSpBe6L8ntN3qJfXjxmUE54urbdpYYMNWpsUCoKw>
    <xmx:v4fIXolvKpkLCMtGiHlHRfbO89hVgjkZ4rVVEbDc7sdYI4xDl_tD1A>
    <xmx:wIfIXmWEDuTBLS-z6JyDzuSlt2oGz4gPU1qff7xY158v7ejRN0pbKg>
Date: Sat, 23 May 2020 02:17:32 +0000
From: Daniel Shahaf <d.s@daniel.shahaf.name>
To: zsh-workers@zsh.org
Subject: Re: [BUG] Two vulnerabilities in zsh
Message-ID: <20200523021732.73f77b73@tarpaulin.shahaf.local2>
In-Reply-To: <70e0d7c11f064b4f52354e20fba6541cb25d89d9.camel@ntlworld.com>
References: <wUyJbXo1lRhl4AYZR5ZuGgFNdYiAV1WPC7o0DRLgCliFUJuAePd3VZ2mcVzBKNW1nvmFCZMU6nd2jJ2gN2e02ioHUgzfAOjPzVUHXufMEIo=@protonmail.com>
	<20200519170418.5bc00b2f@tarpaulin.shahaf.local2>
	<c921824332bf2ca7bc6cff15bc7ffa0042b22677.camel@ntlworld.com>
	<20200520004509.741352d3@tarpaulin.shahaf.local2>
	<caf94264beca79b390e226a971864b4947b0e501.camel@ntlworld.com>
	<70e0d7c11f064b4f52354e20fba6541cb25d89d9.camel@ntlworld.com>
X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Peter Stephenson wrote on Fri, 22 May 2020 19:56 +0100:
> I believe inlined patches work from this version of Evolution...

Yes, they applied fine.  Thanks.  More below.

Peter Stephenson wrote on Fri, 22 May 2020 22:47 +0100:
> +++ b/Test/D04parameter.ztst
> @@ -2662,7 +2662,25 @@ F:behavior, see http://austingroupbugs.net/view.ph=
p?id=3D888
> -# Temporarily using the 'D' flag because it generates a "BUG:" message in
> -# debug builds only.
>   $ZTST_testdir/../Src/zsh -fc $'$\\\n('
> -1Df:regression test for workers/45843#2: escaped newline in command subs=
titution start token
> +1f:regression test for workers/45843#2: escaped newline in command subst=
itution start token
> +?(eval):1: parse error near `$('
> +

Note that you haven't removed the 'f' flag, which implies that this
test's $?/output/errput don't match the expected ones.  The 'f' flag
should be removed and the expected errput updated:

-(eval):1: parse error near `$('
+zsh:2: parse error near `$('

(That's copied from the output of =C2=ABmake check=C2=BB after removing the=
 'f' flag.)

> + eval $'echo $\\\n(printf "%d\\n" $(( 4 + 2 )) )'
> +0:Normal command substitution with escaped newline
> +>6 =20

This test fails on my machine:

--- /tmp/zsh.ztst.24422/ztst.out        2020-05-23 02:11:04.239080323 +0000=
                                                                           =
                                                             =20
+++ /tmp/zsh.ztst.24422/ztst.tout       2020-05-23 02:11:04.239080323 +0000
@@ -1 +1 @@
-6 =20
+6
Test /home/daniel/src/zsh/./Test/D04parameter.ztst failed: output differs f=
rom expected as shown above for:
 eval $'echo $\\\n(printf "%d\\n" $(( 4 + 2 )) )'
Was testing: Normal command substitution with escaped newline

The difference is two trailing spaces in the expected output that are missi=
ng from the actual output.

The other new tests seem to have the same issue.

Thanks,

Daniel