From: Chet Ramey
Reply-To: chet.ramey@case.edu
Date: Thu, 25 Sep 2014 09:56:27 -0400
To: Boyan Penkov, zsh-workers@zsh.org
CC: chet.ramey@case.edu, Adrian Bradd
Subject: Re: Shellshock in zsh
List-Id: Zsh Workers List
Message-ID: <54241F0B.8080400@case.edu>
In-Reply-To: <9D3C0670-6D81-4DE9-8E34-49D5835C3EA8@gmail.com>

On 9/25/14, 9:29 AM, Boyan Penkov wrote:
> Hey folks,
>
> I’m writing to ask about zsh and Shellshock. Since bash is affected, is zsh affected as well? Two of us took a look, and we think it may be.
>
> Specifically, following these steps — https://access.redhat.com/articles/1200223 — in zsh 5.0.6 on OS 10.9.5 and zsh 5.0.2 on OS 10.9.4 yields the “vulnerable” output.

zsh is not vulnerable; it does not use the environment to export functions.
The example

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
                                  ^^^^
                                  ||||

runs bash with the specially-crafted variable in the environment regardless
of the shell you use to execute that command line.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/
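
The distinction drawn in the reply above, as an added example that is not part of the original message: the check tests whichever shell binary is executed as the child, so the target shell is made an explicit parameter here. The names `probe_shell`, `report_shells` and the marker string are assumptions chosen for this sketch.

```shell
#!/bin/sh
# Added example: report whether a given shell binary imports function
# definitions from ordinary environment variables. The verdict belongs to
# the shell that is executed, not to the shell the command is typed into.

MARKER='function-import-detected'   # constructed marker string

# probe_shell SHELL
# Prints one of: absent | imports-functions | not-affected | inconclusive
probe_shell() {
    target=$1
    if ! command -v "$target" >/dev/null 2>&1; then
        echo absent
        return 0
    fi
    # Same shape as the test line in the message: a variable whose value
    # looks like a function definition followed by a trailing command.
    out=$(env x="() { :;}; echo $MARKER" "$target" -c 'echo probe-ran' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo imports-functions ;;   # trailing command was executed
        *probe-ran*) echo not-affected ;;        # only the requested command ran
        *)           echo inconclusive ;;        # shell did not run the probe at all
    esac
}

# report_shells SHELL...
# Prints one "shell: verdict" line per argument.
report_shells() {
    for s in "$@"; do
        printf '%s: %s\n' "$s" "$(probe_shell "$s")"
    done
}

# Probe each installed shell by name; running this from zsh, bash or sh
# gives the same verdicts because each target is started as its own child.
report_shells sh bash zsh dash ksh
```
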