* Shellshock in zsh
@ 2014-09-25 13:29 Boyan Penkov
2014-09-25 13:35 ` Peter Stephenson
2014-09-25 13:56 ` Chet Ramey
0 siblings, 2 replies; 3+ messages in thread
From: Boyan Penkov @ 2014-09-25 13:29 UTC (permalink / raw)
To: zsh-workers; +Cc: Adrian Bradd
Hey folks,
I’m writing to ask about zsh and Shellshock. Since bash is affected, is zsh affected as well? Two of us took a look, and we think it may be.
Specifically, following these steps — https://access.redhat.com/articles/1200223 — in zsh 5.0.6 on OS 10.9.5 and zsh 5.0.2 on OS 10.9.4 yields the “vulnerable” output.
Please let us know how we may be able to help.
Cheers!
--
Boyan Penkov
www.boyanpenkov.com
* Re: Shellshock in zsh
From: Peter Stephenson @ 2014-09-25 13:35 UTC (permalink / raw)
To: Boyan Penkov, zsh-workers; +Cc: Adrian Bradd
On Thu, 25 Sep 2014 09:29:08 -0400
Boyan Penkov <boyan.penkov@gmail.com> wrote:
> I’m writing to ask about zsh and Shellshock. Since bash is affected,
> is zsh affected as well? Two of us took a look, and we think it may
> be.
>
> Specifically, following these steps —
> https://access.redhat.com/articles/1200223 — in zsh 5.0.6 on OS 10.9.5
> and zsh 5.0.2 on OS 10.9.4 yields the “vulnerable” output.
No, it isn't. See the existing thread starting at:
http://www.zsh.org/mla/workers/2014/msg01016.html
(Hmmm... as the "steps" involve executing bash I'd have thought it was
obvious you needed to try with bash -> zsh inside the command line, but
apparently it isn't. Is there anyone from redhat not already running
round in circles that would be able to make that clearer?)
pws
--
Peter Stephenson <p.stephenson@samsung.com> Principal Software Engineer
Tel: +44 (0)1223 434724 Samsung Cambridge Solution Centre
St John's House, St John's Innovation Park, Cowley Road,
Cambridge, CB4 0DS, UK
* Re: Shellshock in zsh
From: Chet Ramey @ 2014-09-25 13:56 UTC (permalink / raw)
To: Boyan Penkov, zsh-workers; +Cc: chet.ramey, Adrian Bradd
On 9/25/14, 9:29 AM, Boyan Penkov wrote:
> Hey folks,
>
> I’m writing to ask about zsh and Shellshock. Since bash is affected, is zsh affected as well? Two of us took a look, and we think it may be.
>
> Specifically, following these steps — https://access.redhat.com/articles/1200223 — in zsh 5.0.6 on OS 10.9.5 and zsh 5.0.2 on OS 10.9.4 yields the “vulnerable” output.
zsh is not vulnerable; it does not use the environment to export functions.
The example
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
                                      ^^^^
                                      ||||
runs bash with the specially-crafted variable in the environment regardless
of the shell you use to execute that command line.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU chet@case.edu http://cnswww.cns.cwru.edu/~chet/
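Added example, not part of any message in this thread: a POSIX sh helper that runs the probe value quoted above against the shell actually named on the command line, instead of always starting `bash`. The function names `check_shell` and `check_all` are hypothetical, and the list of shells at the end is an assumption about what might be installed.

```shell
#!/bin/sh
# Added example: test the shell that is actually under test.
# PROBE is the environment value quoted in the thread.
PROBE='() { :;}; echo vulnerable'

# check_shell SHELL
# Starts SHELL with x=$PROBE in its environment and prints one of:
#   "vulnerable"      SHELL executed the text after the function body
#   "not vulnerable"  SHELL treated x as an ordinary string
#   "not installed"   SHELL was not found or is not executable
check_shell() {
    shell_path=$1
    if ! command -v "$shell_path" >/dev/null 2>&1; then
        echo "not installed"
        return 0
    fi
    # The process that inherits x is $shell_path, whatever shell
    # this script or the calling terminal happens to be.
    out=$(env x="$PROBE" "$shell_path" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
}

# check_all SHELL...
# One result line per shell named.
check_all() {
    for s in "$@"; do
        printf '%-6s %s\n' "$s" "$(check_shell "$s")"
    done
}

# Assumed candidate list; edit to match the system being checked.
check_all sh bash zsh dash
```

A "vulnerable" line for `bash` and "not vulnerable" for `zsh` on the same host is the outcome the replies above describe: the result depends on the shell that is started with the variable, not on the shell the command was typed into.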