From: Bart Schaefer
Date: Mon, 13 May 2019 15:02:46 -0700
Subject: Re: Zsh - Multiple DoS Vulnerabilities
To: David Wells
Cc: "zsh-workers@zsh.org"
List-Id: Zsh Workers List
X-Seq: 44292
References: <20190512162149.3fsqupqftmwxrbvd@chaz.gmail.com>

On Mon, May 13, 2019 at 9:29 AM David Wells wrote:
>
> Thanks for taking a look at these bugs. As Stephanie mentioned, security related risk may depend more on Zsh usage, and being that these crashes are Invalid Memory Access issues, they might allow an attacker to disclose parts of memory to help with a pre-exploitation process. It looks like there is patch activity on this thread, would you be able to provide me update on expected patch date and issues you are patching? Thank you.

It's Stephane, not Stephanie. :-)

Zsh support is entirely by volunteers, there's no one with time dedicated to this.
It looks like Oliver may be tackling a number of these, but there's no way for any of us to assert or predict a date when any particular bug will get worked on or when a release will be made. (Please note that you're already testing a pre-release version as it is.)