zsh-workers
From: Bart Schaefer <schaefer@brasslantern.com>
To: Johenan Li <liyuweiheng@outlook.com>
Cc: "zsh-workers@zsh.org" <zsh-workers@zsh.org>
Subject: Re: Discovery of 3 Bugs in Zsh
Date: Sat, 22 Apr 2023 13:55:35 -0700
Message-ID: <CAH+w=7apHcR=3zOx5=V5sYczxZ3zqLUs582myR6Fvr0sMgWHuw@mail.gmail.com>
In-Reply-To: <SY4P282MB22172C2E89EB590BB4A6E6D4B8619@SY4P282MB2217.AUSP282.PROD.OUTLOOK.COM>

On Sat, Apr 22, 2023 at 10:46 AM Johenan Li <liyuweiheng@outlook.com> wrote:
>
> Machine and OS: Ubuntu 20.04.1 x86-64
> Compilation flags: "./configure --enable-zsh-debug CC=afl-cc CXX=afl-c++" with ASan and UBSan instrumentation.

Which zsh sources did you compile?

> The bugs can be replicated by running the following commands:
> 1. zsh < bug_4
> 2. zsh < bug_7
> 3. The memory leak can be triggered by running zsh and then immediately exiting.

Thanks for reporting, but:
- bug_4 looks like a shell command history and won't produce
equivalent results outside your local host.  Furthermore, it contains
a "reboot" command, as well as a "sudo" and a couple "vim", so I would
not recommend anyone attempt sourcing it.
- bug_7 is not in the attached zip
- bug_17 is a binary file?  Is it really intended to be directed to
the shell input?
- memory that leaks only at shell exit (doesn't grow or leak
repeatedly during shell execution) has not typically been considered a
bug.

> I would appreciate it if you could allocate appropriate CVE numbers for these issues and get back to me as soon as possible.

We do not typically allocate CVEs unless an identified security issue
has been found.

