From: Mikael Magnusson <mikachu@gmail.com>
Date: Fri, 17 May 2019 15:41:25 +0200
Subject: Re: Zsh - Multiple DoS Vulnerabilities
To: Peter Stephenson
Cc: zsh-workers@zsh.org
In-Reply-To: <889eb5518ad0f98899ba24c2f3e95a87f7cc3df6.camel@ntlworld.com>
References: <21436-1557865831.121649@2P7I.HAU9.QsaG> <889eb5518ad0f98899ba24c2f3e95a87f7cc3df6.camel@ntlworld.com>
X-Seq: 44313

On 5/16/19, Peter Stephenson wrote:
> On Tue, 2019-05-14 at 22:30 +0200, Oliver Kiddle wrote:
>> I'm finding this one will crash on Linux but hang on FreeBSD. And not
>> crash with true as the condition. A variety of things can be used in the
>> condition. while .. do .. done can be used in place of if .. then .. fi,
>> && or ||. The me > you part can be cut down to :. Try the following:
>>
>> if [[ m -eq y ]]; then
>> : && !
>> :
>> fi
>>
>> Where I had a crash, it was interpreting the wordcode in ecgetstr().
>> Where it does r = s->strs + (c >> 2), c had an infeasibly large value
>> causing it to index well beyond the range of s->strs. I'd be inclined to
>> suspect the problem comes earlier when parsing this into wordcode.
>
> I'm starting to wonder if this is an allocation rather than a parsing
> problem --- the parsing is OK but something goes wrong with the final
> pointer / afterwards / in building or copying the word code, so
> that gettext2() or the exec code ends up trying to interpret garbage at
> the end.

FWIW I ran this under valgrind, and the first invalid read is the one that
causes the segfault, so no help there.

-- 
Mikael Magnusson
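The failure mode Oliver describes above, an out-of-range string offset read from wordcode and added to the string pool base without any check, is a generic hazard for any bytecode interpreter that trusts its own encoded offsets. The following is an added example, not zsh's code: it uses a constructed toy wordcode layout (a 32-bit word carrying `offset << 2 | tag`, plus a separate string pool of known size, loosely mirroring `r = s->strs + (c >> 2)`) and contrasts the unchecked lookup with a bounds-checked one that rejects a corrupt word instead of dereferencing it. The type and function names (`toy_estate`, `ecgetstr_unchecked`, `ecgetstr_checked`, `count_rejected`) and the sample program are all invented for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy wordcode layout (constructed for this example; not zsh's real
 * Eprog/Estate structures): a 32-bit word encodes a string reference as
 * (offset << 2) | tag, and strings live in a separate pool of known size. */
typedef uint32_t wordcode;

typedef struct {
    const wordcode *prog;    /* code words */
    size_t          nprog;   /* number of code words */
    const char     *strs;    /* string pool */
    size_t          strslen; /* bytes in the string pool */
    size_t          pc;      /* next word to fetch */
} toy_estate;

/* Unchecked lookup in the style of `r = s->strs + (c >> 2)`: it trusts the
 * encoded offset, so a corrupt word yields a pointer far outside the pool.
 * Kept only for contrast; never call it on untrusted wordcode. */
const char *ecgetstr_unchecked(toy_estate *s)
{
    wordcode c = s->prog[s->pc++];
    return s->strs + (c >> 2);
}

/* Checked variant: refuses offsets outside the pool and requires the string
 * to be NUL-terminated inside it, so a bad word cannot cause an
 * out-of-bounds read. Returns NULL on any violation. */
const char *ecgetstr_checked(toy_estate *s)
{
    if (s->pc >= s->nprog)
        return NULL;                       /* ran off the end of the code */
    wordcode c = s->prog[s->pc++];
    size_t off = (size_t)(c >> 2);
    if (off >= s->strslen)
        return NULL;                       /* offset beyond the string pool */
    /* memchr bounded by the remaining pool: the string must end in-pool */
    if (memchr(s->strs + off, '\0', s->strslen - off) == NULL)
        return NULL;
    return s->strs + off;
}

/* Constructed sample: pool "if\0:\0fi\0" (8 bytes) and a code sequence with
 * one valid reference followed by one corrupt word (offset 0x3fffffff). */
static const char sample_strs[] = "if\0:\0fi";
static const wordcode sample_prog[] = {
    (3u << 2) | 1u,         /* valid: offset 3 -> ":" */
    0xffffffffu,            /* corrupt: offset 0x3fffffff, far past the pool */
};

toy_estate make_state(void)
{
    toy_estate s = { sample_prog, sizeof sample_prog / sizeof *sample_prog,
                     sample_strs, sizeof sample_strs, 0 };
    return s;
}

/* Decode every word with the checked reader and return how many were
 * rejected, so corrupt wordcode is detected rather than interpreted. */
int count_rejected(toy_estate *s)
{
    int rejected = 0;
    while (s->pc < s->nprog) {
        if (ecgetstr_checked(s) == NULL)
            rejected++;
    }
    return rejected;
}

/* 1 if the first (valid) word of the sample decodes to ":", else 0. */
int checked_decode_first_ok(void)
{
    toy_estate s = make_state();
    const char *r = ecgetstr_checked(&s);
    return r != NULL && strcmp(r, ":") == 0;
}

/* Number of words the checked reader rejects in the sample program. */
int rejected_in_sample(void)
{
    toy_estate s = make_state();
    return count_rejected(&s);
}

int main(void)
{
    toy_estate s = make_state();
    printf("first word: %s\n", ecgetstr_checked(&s));       /* ":" */
    printf("second word: %s\n",
           ecgetstr_checked(&s) ? "ok" : "rejected");        /* rejected */
    return 0;
}
```

The unchecked reader is the shape of the code at the crash site; the checked one shows the two conditions a decoder needs before forming the pointer: the offset lies inside the pool, and a terminator exists before the pool ends. A sanitizer build or valgrind reports the read only once it happens, which is why the message above finds the first invalid read at the segfault itself; validating at decode time moves the detection to before the dereference.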