From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 18339 invoked by alias); 24 Sep 2014 14:54:43 -0000 Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm Precedence: bulk X-No-Archive: yes List-Id: Zsh Workers List List-Post: List-Help: X-Seq: 33229 Received: (qmail 17496 invoked from network); 24 Sep 2014 14:54:42 -0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on f.primenet.com.au X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE, SPF_HELO_PASS autolearn=ham version=3.3.2 From: Frank Terbeck To: =?utf-8?Q?=C4=B0smail_D=C3=B6nmez?= Cc: "Zsh Hackers' List" Subject: Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash In-Reply-To: (=?utf-8?Q?=22=C4=B0smail_D=C3=B6nmez=22's?= message of "Wed, 24 Sep 2014 17:45:15 +0300") References: User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3.93 (gnu/linux) Date: Wed, 24 Sep 2014 16:54:10 +0200 Message-ID: <87fvfhvzl9.fsf@ft.bewatermyfriend.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Df-Sender: NDMwNDQ0 =C4=B0smail D=C3=B6nmez wrote: > According to the vulnerability test in > https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environ= ment-variables-code-injection-attack/ > > [~]> echo $ZSH_VERSION > 5.0.6 > > [~]> env x=3D'() { :;}; echo vulnerable' bash -c "echo this is a test" > vulnerable > this is a test > > Looks like zsh is vulnerable too. Does it? [snip] zsh% x=3D'() { :; }; echo vuln' bash -c 'echo test' vuln test zsh% x=3D'() { :; }; echo vuln' zsh -c 'echo test' test [snap] Doesn't look like it to me. Bash has this weird feature, where you can "export functions". I suspect that's what's happening here. Zsh doesn't have this feature. Thankfully. Regards, Frank