Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash

[İsmail Dönmez <ismail@xxxxxxxxx>]

On Wed, Sep 24, 2014 at 5:54 PM, Frank Terbeck <ft@xxxxxxxxxxxxxxxxxxx>
wrote:

> İsmail Dönmez wrote:
> > According to the vulnerability test in
> >
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
> >
> > [~]> echo $ZSH_VERSION
> > 5.0.6
> >
> > [~]> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> > vulnerable
> > this is a test
> >
> > Looks like zsh is vulnerable too.
>
> Does it?
>
> [snip]
> zsh% x='() { :; }; echo vuln' bash -c 'echo test'
> vuln
> test
> zsh% x='() { :; }; echo vuln' zsh -c 'echo test'
> test
> [snap]
>
> Doesn't look like it to me.
>
> Bash has this weird feature, where you can "export functions". I suspect
> that's what's happening here. Zsh doesn't have this feature. Thankfully
>

Brown paper bag for me not replacing bash with zsh ;) Thanks and sorry for
the noise :)