From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=5.0 tests=MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_NONE autolearn=ham autolearn_force=no version=3.4.4
Received: (qmail 2339 invoked from network); 19 May 2020 20:39:46 -0000
Received: from ns1.primenet.com.au (HELO primenet.com.au) (203.24.36.2)
  by inbox.vuxu.org with ESMTPUTF8; 19 May 2020 20:39:46 -0000
Received: (qmail 10220 invoked by alias); 19 May 2020 20:39:38 -0000
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Id: Zsh Workers List <zsh-workers.zsh.org>
List-Post: <mailto:zsh-workers@zsh.org>
List-Help: <mailto:zsh-workers-help@zsh.org>
List-Unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
X-Seq: 45851
Received: (qmail 29276 invoked by uid 1010); 19 May 2020 20:39:38 -0000
X-Qmail-Scanner-Diagnostics: from know-smtprelay-omc-5.server.virginmedia.net by f.primenet.com.au (envelope-from <p.w.stephenson@ntlworld.com>, uid 7791) with qmail-scanner-2.11 
 (clamdscan: 0.102.3/25814. spamassassin: 3.4.4.  
 Clear:RC:0(80.0.253.69):SA:0(-2.0/5.0):. 
 Processed in 3.848174 secs); 19 May 2020 20:39:38 -0000
X-Envelope-From: p.w.stephenson@ntlworld.com
X-Qmail-Scanner-Mime-Attachments: |
X-Qmail-Scanner-Zip-Files: |
Received-SPF: pass (ns1.primenet.com.au: SPF record at _smtprelay.virginmedia.com designates 80.0.253.69 as permitted sender)
X-Originating-IP: [86.16.88.158]
X-Authenticated-User: p.w.stephenson@ntlworld.com
X-Spam: 0
X-Authority: v=2.3 cv=XYunMrx5 c=1 sm=1 tr=0 a=MiHCjVqLJ44lE3bxSlffFQ==:117
 a=MiHCjVqLJ44lE3bxSlffFQ==:17 a=IkcTkHD0fZMA:10 a=D8pp9x_CpWtc_VZZbfkA:9
 a=QEXdDO2ut3YA:10
Message-ID: <c921824332bf2ca7bc6cff15bc7ffa0042b22677.camel@ntlworld.com>
Subject: Re: [BUG] Two vulnerabilities in zsh
From: Peter Stephenson <p.w.stephenson@ntlworld.com>
To: "zsh-workers@zsh.org" <zsh-workers@zsh.org>
Date: Tue, 19 May 2020 21:38:55 +0100
In-Reply-To: <20200519170418.5bc00b2f@tarpaulin.shahaf.local2>
References: 
	<wUyJbXo1lRhl4AYZR5ZuGgFNdYiAV1WPC7o0DRLgCliFUJuAePd3VZ2mcVzBKNW1nvmFCZMU6nd2jJ2gN2e02ioHUgzfAOjPzVUHXufMEIo=@protonmail.com>
	 <20200519170418.5bc00b2f@tarpaulin.shahaf.local2>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.28.5-0ubuntu0.18.04.2 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4wfHGyjKpmzPZPLTMWBi7M6FjKpIx7HHWMlCrjqGwGSBJCIYPudnFnICVe8aOjLWsCPdHrHBOWN4WhbLsOmI9CZLBdV7bMLow+jCU6oHUFxoM8G7U8y++k
 pdDhMHyR6CzipAvOcj8Pk12vQ7MKKHcIz1V/rug2Iodjj3r5x6fO6LuS

On Tue, 2020-05-19 at 17:04 +0000, Daniel Shahaf wrote:
> > 1. Execute the following PoC command:
> > 
> >   echo $'******** **********************$\\\n(>$' | zsh
> 
> This instruction is underspecified because it does not identify «echo»
> implementation being used and the shell being used (which affects how
> the «$'…'» would be parsed).  That aside, I can reproduce this:
> 
> $ printf '******** **********************$\\\n(>$' | zsh -f 
>  BUG: parse error in command substitution
> Segmentation fault
> $ 

The BUG message simplifies to this:

(127)9:32% zsh -fc '$\
('
1: BUG: parse error in command substitution
zsh:1: no such file or directory: pws/.

The other output shows it's doing something it shouldn't even if there
isn't a crash as a result.  Adding a command in front does produce a
crash.

I think the backslashed newline is valid, and it looks like it's usually
correctly handled; apparently its presence is disguising the bad input
in this case.

pws