List-Id: Zsh Workers List
X-Seq: 44282
From: Bart Schaefer
Date: Fri, 10 May 2019 09:37:15 -0700
Subject: Re: Zsh - Multiple DoS Vulnerabilities
To: David Wells
Cc: "zsh-workers@zsh.org"

It would be helpful if you could explain how this would be exploited by someone who is not already able to cause the zsh user to execute some other arbitrary commands. What's the point of crashing somebody's shell if you can instead make it remove all their files or email you their private ssh keys or something?