List-Id: Zsh Workers List
X-Seq: 44303
From: Bart Schaefer
Date: Tue, 14 May 2019 15:25:36 -0700
Subject: Re: Zsh - Multiple DoS Vulnerabilities
To: Daniel Shahaf
Cc: David Wells, "zsh-workers@zsh.org"

On Tue, May 14, 2019 at 2:39 PM Daniel Shahaf wrote:
>
> I've been trying to come up with counterexamples. What if somebody
> installed a /etc/zshenv that does, say, 'disable zmodload enable'?

You can bypass /etc/zshenv by, for example, invoking zsh as "sh" and
then running "emulate -R" and/or otherwise futzing with setopts. So
either THAT is a security flaw, or your example isn't one either.