List-Id: Zsh Workers List
X-Seq: 44302
Message-Id: <54c02a72-cbcf-4036-9a72-7df24c0041d2@www.fastmail.com>
In-Reply-To: <20190514181026.u4myftmekdtqkhme@chaz.gmail.com>
References: <20190512162149.3fsqupqftmwxrbvd@chaz.gmail.com> <20190514181026.u4myftmekdtqkhme@chaz.gmail.com>
Date: Tue, 14 May 2019 21:39:06 +0000
From: "Daniel Shahaf"
To: "David Wells"
Cc: zsh-workers@zsh.org
Subject: Re: Zsh - Multiple DoS Vulnerabilities

[sorry for double send]

Stephane Chazelas wrote on Tue, 14 May 2019 18:11 +00:00:
> IMO, from a security standpoint, it's not very useful to fuzz
> "code" input provided to zsh, as anyway any "code" allows zsh to
> run any arbitrary command (except for the restricted mode). In
> other words, the "code" is generally not the attacker supplied
> data.

Sounds right.

I've been trying to come up with counterexamples. What if somebody
installed a /etc/zshenv that does, say, 'disable zmodload enable'?
If that actually prevents zmodload from being run,¹ then a bug that
allows zmodload to be run would be interesting.

Cheers,

Daniel

¹ I'm not sure it does because there might be some other way to run
zmodload — an assignment to $modules, maybe? (Don't have time to
test this, sorry.)