Re: Does the bash bug have a zsh counterpart?

[TJ Luoma <luomat@xxxxxxxxx>]

I realize this is pretty nearly off-topic but considering the
seriousness of this bug I’ll mention it anyway:

If you use OS X there are instructions on building your own version
from (patched) source here

http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7/146851#146851

I have used that to make a (zsh!) shell script here:

https://github.com/tjluoma/bash-fix

But do note that there is another bash vulnerability (mentioned on the
StackExchange site) which has yet to be patched. I’ll be updating my
GitHub script as new patches become available until Apple releases an
official fix.

TjL






On Thu, Sep 25, 2014 at 12:53 PM, William G. Scott <wgscott@xxxxxxxx> wrote:
>
> On Sep 25, 2014, at 9:41 AM, Peter Stephenson <p.stephenson@xxxxxxxxxxx> wrote:
>
>> On Thu, 25 Sep 2014 09:35:01 -0700
>> "William G. Scott" <wgscott@xxxxxxxx> wrote:
>>> Does any version of zsh have the same issue as bash, reported eg at
>>>
>>> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>>
>> No, search the zsh-workers archive at www.zsh.org for the last day or
>> so.
>>
>>> I was thinking of temporarily replacing sh and bash on OS X with zsh
>>> until a security fix is offered.
>>
>> If so, make sure you alias it to sh or otherwise cause it to come up in
>> POSIX mode.
>>
>> Dash might be a better bet as it's more widely used for such things.
>>
>> pws
>
> Thanks.  I decided to try living life on the edge, backed up the old versions of sh and bash, and made hard links to the system zsh.  (About 10 years ago I found a hard link to a then nonexistent ksh behaved properly whereas a symbolic link for whatever reason didn’t).  I’ve done this on 10.10b and 10.9 and rebooted and things appear to be working without issue.  So far. (At the very least, it might be entertaining to see where this might go wrong.)