From: Oliver Kiddle <okiddle@yahoo.co.uk>
To: David Wells <bughunters@tenable.com>,
"zsh-workers@zsh.org" <zsh-workers@zsh.org>
Subject: Re: Zsh - Multiple DoS Vulnerabilities
Date: Mon, 13 May 2019 23:44:25 +0200 [thread overview]
Message-ID: <8578-1557783865.661501@UTJ_.q-YD.8lmQ> (raw)
In-Reply-To: <CAH+w=7Y8d0h43rM_dHhbiT8nvL3-zxF8DUWTjn--hPX8sF7iaA@mail.gmail.com>
> On Fri, May 10, 2019 at 8:04 AM David Wells <bughunters@tenable.com> wrote:
> > #4 Invalid read from *bin_print *in *builtin.c*
> > POC folder: *04_bin_print_(builtin.c_5009)*
This seems to be very similar to #6: string to int conversion
overflowing to a negative number. In this case you can reproduce it
with just:
printf '%4444444444444$'
Note that narg below is of type int despite the use of strtoul().
Oliver
diff --git a/Src/builtin.c b/Src/builtin.c
index ca0ce35f5..a8f054c8a 100644
--- a/Src/builtin.c
+++ b/Src/builtin.c
@@ -4990,8 +4990,7 @@ bin_print(char *name, char **args, Options ops, int func)
narg = strtoul(c, &endptr, 0);
if (*endptr == '$') {
c = endptr + 1;
- DPUTS(narg <= 0, "specified zero or negative arg");
- if (narg > argc) {
+ if (narg <= 0 || narg > argc) {
zwarnnam(name, "%d: argument specifier out of range",
narg);
if (fout != stdout)
next prev parent reply other threads:[~2019-05-13 21:45 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-10 15:03 David Wells
2019-05-10 16:37 ` Bart Schaefer
2019-05-12 16:21 ` Stephane Chazelas
2019-05-13 16:29 ` David Wells
2019-05-13 22:02 ` Bart Schaefer
2019-05-14 18:10 ` Stephane Chazelas
2019-05-14 21:24 ` Daniel Shahaf
2019-05-14 21:38 ` Bart Schaefer
2019-05-14 21:39 ` Daniel Shahaf
2019-05-14 22:25 ` Bart Schaefer
2019-05-15 10:48 ` Daniel Shahaf
2019-05-31 12:05 ` [PATCH] [doc] [repost] warnings about restricted shell (Was: Zsh - Multiple DoS Vulnerabilities) Stephane Chazelas
2019-06-03 9:35 ` Peter Stephenson
2019-06-04 2:39 ` dana
2019-06-04 7:34 ` dana
2019-05-10 20:27 ` Zsh - Multiple DoS Vulnerabilities Bart Schaefer
2019-05-11 1:45 ` #7 (typeset -Tp) (was Re: Zsh - Multiple DoS Vulnerabilities) Oliver Kiddle
2019-05-13 9:01 ` Peter Stephenson
2019-05-13 21:11 ` PATCH: #6 negative job id (Re: " Oliver Kiddle
2019-05-13 21:44 ` Oliver Kiddle [this message]
2019-05-13 22:36 ` #3 typeset and braces " Oliver Kiddle
2019-05-14 0:13 ` Mikael Magnusson
2019-05-14 5:38 ` Bart Schaefer
2019-05-14 10:50 ` Peter Stephenson
2019-05-14 16:38 ` Zsh - Multiple DoS Vulnerabilities Peter Stephenson
2019-05-14 20:30 ` Oliver Kiddle
2019-05-15 16:50 ` Mikael Magnusson
2019-05-16 20:37 ` Peter Stephenson
2019-05-17 13:41 ` Mikael Magnusson
2019-05-17 13:51 ` Mikael Magnusson
2019-05-17 14:28 ` Mikael Magnusson
2019-05-18 10:31 ` Oliver Kiddle
2019-05-21 14:43 ` Oliver Kiddle
[not found] ` <CGME20190521154256eucas1p1f0816d2467abd8bf4a0c31058af2983a@eucas1p1.samsung.com>
2019-05-21 15:42 ` Peter Stephenson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8578-1557783865.661501@UTJ_.q-YD.8lmQ \
--to=okiddle@yahoo.co.uk \
--cc=bughunters@tenable.com \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).