From: David Wells
X-Envelope-From: dwells@tenable.com
Date: Fri, 10 May 2019 08:03:14 -0700
To: zsh-workers@zsh.org
Subject: Zsh - Multiple DoS Vulnerabilities
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 44281

Hello Zsh-Workers,

Tenable has discovered multiple DoS vulnerabilities in Zsh. The root cause appears to be invalid memory access issues that crash the Zsh runtime. We believe these have the following CVSS v2 vector: AV:L/AC:L/Au:S/C:N/I:N/A:C, and verified this is present when installed on Arch Linux 5.0.7 x64. We've internally assigned this vulnerability TRA-221.

Here is a link where you'll find a proof of concept (PoC) called zsh_poc.tar.bz2:
https://tenable.box.com/s/mi7vlmqgq5zpqhadlr90u2hit2r1hjwe

The PoC contains the 7 different invalid memory access issues in their respective directories. Each directory will contain a gdb stack trace as well as the Zsh script which can trigger the bug.

#1 Invalid read from taddstr call in text.c
   POC folder: 01_taddstr_(text.c_148)

#2 Invalid read from execcmd_analyse in exec.c
   POC folder: 02_execcmd_analyse_(exec.c_3653)

#3 Invalid read from dupstring in string.c
   POC folder: 03_dupstring_(string.c_39)

#4 Invalid read from bin_print in builtin.c
   POC folder: 04_bin_print_(builtin.c_5009)

#5 Invalid read from untokenize in exec.c
   POC folder: 05_untokenize_(exec.c_1994)

#6 Invalid read from getjob in jobs.c
   POC folder: 06_getjob_(jobs.c_1935)

#7 Invalid read from hasher in hashtable.c
   POC folder: 07_hasher_(hashtable.c_85)

Tenable follows a 90-day vulnerability disclosure policy. That means, even though we prefer coordinated disclosure, we'll issue an advisory on August 8, 2019 with or without a patch.
Alternatively, any uncoordinated patch publicly released before the 90-day deadline will be considered public disclosure, and Tenable may release an early advisory. You can read the full details of our policy here:
https://static.tenable.com/research/tenable-vulnerability-disclosure-policy.pdf

Thank you for taking the time to read this. We'd greatly appreciate it if you'd acknowledge receipt of this report. If you have any questions we'd be happy to address them.

Thanks again,
David