Re: Zsh - Multiple DoS Vulnerabilities

[Oliver Kiddle <okiddle@yahoo.co.uk>]

On 10 May, Bart wrote:
> On Fri, May 10, 2019 at 8:04 AM David Wells <bughunters@tenable.com> wrote:
> >
> >     #1 Invalid read from *taddrstr *call in *text.c*
> >     POC folder: *01_taddstr_(text.c_148)*
>
> and then (several seconds later) a crash.
>
> The following minimal subset of their test will put the shell into an
> infinite loop, without (at least for as long as I was willing to wait)
> crashing it:
>
> if true; then me > you || !
> :
> fi

I'm finding this one will crash on Linux but hang on FreeBSD. And not
crash with true as the condition. A variety of things can be used in the
condition. while .. do .. done can be used in place of if .. then .. fi,
&& or ||. The me > you part can be cut down to :. Try the following:

  if [[ m -eq y ]]; then
    : && !
    :
  fi

Where I had a crash, it was interpreting the wordcode in ecgetstr().
Where it does r = s->strs + (c >> 2), c had an infeasibly large value
causing it to index well beyond the range of s->strs. I'd be inclined to
suspect the problem comes earlier when parsing this into wordcode.

Issues #2, #3 and #5 are not separate issues but slight variations all
leading to the typeset followed by braces bug. So thanks to Peter, I think
those are all now fixed leaving this (#1) as the only one outstanding.

Oliver