Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash

zsh-workers
 help / color / mirror / code / Atom feed

From: Frank Terbeck <ft@bewatermyfriend.org>
To: Peter Stephenson <p.stephenson@samsung.com>
Cc: Zsh Hackers' List <zsh-workers@zsh.org>
Subject: Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
Date: Wed, 24 Sep 2014 17:08:43 +0200	[thread overview]
Message-ID: <87bnq5vyx0.fsf@ft.bewatermyfriend.org> (raw)
In-Reply-To: <20140924160119.313cbdcd@pwslap01u.europe.root.pri> (Peter Stephenson's message of "Wed, 24 Sep 2014 16:01:19 +0100")

Peter Stephenson wrote:
> On Wed, 24 Sep 2014 16:54:10 +0200
> Frank Terbeck <ft@bewatermyfriend.org> wrote:
>> Bash has this weird feature, where you can "export functions". I suspect
>> that's what's happening here. Zsh doesn't have this feature. Thankfully.
>
> I was going to suggest the same.  Can anyone less lazy / busy [pick
> whatever you think] than me confirm for sure?  Be nice to know.

I just skimmed through the text in the link the OP provided. Here's an
excerpt:

[snip]
    Like “real” programming languages, Bash has functions, though in a
    somewhat limited implementation, and it is possible to put these
    bash functions into environment variables. This flaw is triggered
    when extra code is added to the end of these function definitions
    (inside the enivronment variable).
[snap]

So, yeah. Looks like it. :)


Regards, Frank

next prev parent reply	other threads:[~2014-09-24 15:15 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-09-24 14:45 İsmail Dönmez
2014-09-24 14:54 ` Frank Terbeck
2014-09-24 14:55   ` İsmail Dönmez
2014-09-24 15:01   ` Peter Stephenson
2014-09-24 15:08     ` Frank Terbeck [this message]
2014-09-24 15:13     ` Jérémie Roquet
2014-09-24 14:55 ` Jérémie Roquet
2014-09-24 14:59 ` Chet Ramey
2014-09-25 13:11 ` Peter Stephenson
2014-09-26 14:03   ` Oliver Kiddle
2014-09-26 20:08     ` Peter Stephenson
2014-09-29 10:04       ` PATCH: safe numeric import Peter Stephenson
2014-09-29 15:24         ` Bart Schaefer
2014-10-01 14:57         ` [Bulk] " Oliver Kiddle
2014-10-02 16:06         ` Peter Stephenson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87bnq5vyx0.fsf@ft.bewatermyfriend.org \
    --to=ft@bewatermyfriend.org \
    --cc=p.stephenson@samsung.com \
    --cc=zsh-workers@zsh.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).