From mboxrd@z Thu Jan 1 00:00:00 1970
List-Id: Zsh Workers List
X-Seq: 33233
Message-ID: <5422DC46.80701@case.edu>
Date: Wed, 24 Sep 2014 10:59:18 -0400
From: Chet Ramey
Reply-To: chet.ramey@case.edu
To: İsmail Dönmez, "Zsh Hackers' List"
CC: chet.ramey@case.edu
Subject: Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash

On 9/24/14, 10:45 AM, İsmail Dönmez wrote:
> According to the vulnerability test in
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>
> [~]> echo $ZSH_VERSION
> 5.0.6
>
> [~]> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test
>
> Looks like zsh is vulnerable too.

This doesn't mean zsh is vulnerable; only that it can be used to run `env'
to craft the environment variable.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU chet@case.edu http://cnswww.cns.cwru.edu/~chet/
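
The distinction drawn in the reply above, as an added example that is not part of the original message: the test string from the thread is handed to each shell binary in turn as the child of `env`, so the result describes the shell that parses the variable rather than the shell the command was typed into. The function names `classify`, `probe_shell` and `report` are hypothetical, and the list of shells probed is an assumption.

```shell
#!/bin/sh
# Added example: run the thread's CVE-2014-6271 test string against each
# shell binary separately. The interactive shell only launches env(1);
# the shell named after env is the one that parses the crafted variable.

# classify OUTPUT -> "affected" when the code trailing the function
# definition ran (the test string prints "vulnerable" before the real
# command's output), otherwise "not affected".
classify() {
    case $1 in
        vulnerable*) echo "affected" ;;
        *)           echo "not affected" ;;
    esac
}

# probe_shell SHELL -> "affected", "not affected" or "missing".
probe_shell() {
    shell_bin=$1
    if ! command -v "$shell_bin" >/dev/null 2>&1; then
        echo "missing"
        return 0
    fi
    # Same variable and command as in the quoted test; stderr is dropped
    # because some patched builds print a warning about the ignored
    # function definition.
    out=$(env x='() { :;}; echo vulnerable' "$shell_bin" \
              -c 'echo this is a test' 2>/dev/null) || true
    classify "$out"
}

# report SHELL... -> one line per shell with its classification.
report() {
    for s in "$@"; do
        printf '%-6s %s\n' "$s" "$(probe_shell "$s")"
    done
}

# Assumed candidate list; adjust to the shells installed on the host.
report bash zsh dash sh
```

Run from zsh, bash or any other shell, the report is the same for a given host, because only the probed binary's handling of the environment variable is measured.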