From: Jérémie Roquet
Date: Wed, 24 Sep 2014 16:55:23 +0200
Subject: Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
To: İsmail Dönmez
Cc: "Zsh Hackers' List"
List-Id: Zsh Workers List
X-Seq: 33231

Hi,

2014-09-24 16:45 GMT+02:00 İsmail Dönmez:
> According to the vulnerability test in
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>
> [~]> echo $ZSH_VERSION
> 5.0.6
>
> [~]> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test

If I understand well, this test only proves that your version of
*bash* is vulnerable

$ env x='() { :;}; echo vulnerable' zsh -c "echo this is a test"
this is a test

Looks like zsh is not.

Best regards,

-- 
Jérémie
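
Added example, not part of the original message and not code from zsh or bash: a POSIX sh script that runs the test quoted in this thread against each shell by name, so the verdict is tied to the shell that env starts rather than the shell the command was typed into. The function names, status words and list of shells are assumptions made for this example.

```shell
#!/bin/sh
# Added example: attribute the env-based test to the shell that env launches.

# Marker word printed by the test string quoted in the thread.
MARKER='vulnerable'

# classify OUTPUT
# Maps the captured output of one test run to a status word.
classify() {
    case $1 in
        *"$MARKER"*)        echo affected ;;      # trailing command was executed
        *"this is a test"*) echo not-affected ;;  # only the -c command ran
        *)                  echo error ;;         # shell produced something else
    esac
}

# check_shell SHELL
# Prints: missing | affected | not-affected | error
check_shell() {
    shell=$1
    if ! command -v "$shell" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    # Same variable value as in the thread: x='() { :;}; echo vulnerable'
    out=$(env x="() { :;}; echo $MARKER" "$shell" -c 'echo this is a test' 2>/dev/null) || {
        echo error
        return 0
    }
    classify "$out"
}

# report SHELL...
# One line per shell name, so each result is labelled with what was tested.
report() {
    for s in "$@"; do
        printf '%-6s %s\n' "$s" "$(check_shell "$s")"
    done
}

report bash zsh dash ksh
```

A shell reported as missing was not tested at all; only an affected or not-affected line says anything about that shell.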