From: Oliver Kiddle
To: Zsh workers
Subject: Re: Zsh - Multiple DoS Vulnerabilities
Date: Tue, 14 May 2019 22:30:31 +0200
Message-ID: <21436-1557865831.121649@2P7I.HAU9.QsaG>
List-Id: Zsh Workers List
X-Seq: 44299

On 10 May, Bart wrote:
> On Fri, May 10, 2019 at 8:04 AM David Wells wrote:
> >
> > #1 Invalid read from *taddrstr* call in *text.c*
> > POC folder: *01_taddstr_(text.c_148)*
> > and then (several seconds later) a crash.
>
> The following minimal subset of their test will put the shell into an
> infinite loop, without (at least for as long as I was willing to wait)
> crashing it:
>
> if true; then me > you || !
> :
> fi

I'm finding this one will crash on Linux but hang on FreeBSD. And not
crash with true as the condition. A variety of things can be used in the
condition. while .. do .. done can be used in place of if .. then .. fi,
&& or ||. The me > you part can be cut down to :.

Try the following:

if [[ m -eq y ]]; then : && !
:
fi

Where I had a crash, it was interpreting the wordcode in ecgetstr().
Where it does r = s->strs + (c >> 2), c had an infeasibly large value
causing it to index well beyond the range of s->strs. I'd be inclined to
suspect the problem comes earlier when parsing this into wordcode.

Issues #2, #3 and #5 are not separate issues but slight variations all
leading to the typeset followed by braces bug. So thanks to Peter, I
think those are all now fixed leaving this (#1) as the only one
outstanding.

Oliver
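A small regression harness for the reproducer in this thread, added here as an example and not code from the thread or the zsh project: it runs the snippet in a fresh zsh under a time limit and classifies the result as ok, hang, crash or plain nonzero exit, so a patched build can be checked for both the Linux crash and the FreeBSD hang. It assumes coreutils timeout(1) and a zsh binary on PATH; the 5 s limit is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the thread or the zsh project): run a reproducer
# from the mail in a fresh zsh under a time limit and classify the outcome,
# so a patched build can be regression-checked for both the crash and the
# hang. Assumes coreutils timeout(1); the 5 s limit is an arbitrary choice.

# Oliver's cut-down reproducer, quoted from the mail.
OLIVER_REPRO='if [[ m -eq y ]]; then : && !
:
fi'

# classify_status STATUS: map an exit status from timeout(1) to a label.
#   0      -> ok            (shell finished normally)
#   124    -> hang          (timeout(1) had to kill it)
#   >128   -> crash:signalN (shell died from signal N, e.g. 11 = SIGSEGV)
#   other  -> exit:N        (shell returned a nonzero status; for this
#                            snippet a fixed zsh gives exit:1, from "! :")
classify_status() {
    case "$1" in
        0)   echo ok ;;
        124) echo hang ;;
        *)   if [ "$1" -gt 128 ]; then
                 echo "crash:signal$(( $1 - 128 ))"
             else
                 echo "exit:$1"
             fi ;;
    esac
}

# run_repro [ZSH_BINARY] [SECONDS] [SCRIPT]: run SCRIPT with `zsh -f -c`
# (-f skips startup files) under timeout(1) and print its classification.
run_repro() {
    zsh_bin=${1:-zsh}
    secs=${2:-5}
    script=${3:-$OLIVER_REPRO}
    for tool in "$zsh_bin" timeout; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "skip: $tool not found"
            return 0
        fi
    done
    # The if/else form keeps a nonzero status from aborting under set -e.
    if timeout "$secs" "$zsh_bin" -f -c "$script" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    classify_status "$status"
}
```

Call `run_repro /path/to/built/zsh 5` against each build under test; Bart's longer variant can be passed as the third argument.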