Zsh Mailing List Archive

Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash



On 9/24/14, 10:45 AM, İsmail Dönmez wrote:
> According to the vulnerability test in
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
> 
> [~]> echo $ZSH_VERSION
> 5.0.6
> 
> [~]> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test
> 
> Looks like zsh is vulnerable too.

This doesn't mean zsh is vulnerable; only that it can be used to run `env'
to craft the environment variable.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@xxxxxxxx    http://cnswww.cns.cwru.edu/~chet/
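
Added example, not part of the original message: a POSIX sh probe that runs the test quoted above against each shell as the program that `env` starts, so the result is attributed to the interpreter that actually imports the variable rather than to the shell the command was typed into. The function names and the candidate paths (/bin/bash, /bin/zsh, /bin/sh) are assumptions.

```shell
#!/bin/sh
# Added example: decide, per shell binary, whether that binary executes code
# trailing a function definition imported from the environment (CVE-2014-6271).

# probe_shell PATH -> prints "vulnerable", "not vulnerable" or "missing"
probe_shell() {
    shell_path=$1
    if [ ! -f "$shell_path" ] || [ ! -x "$shell_path" ]; then
        echo "missing"
        return 0
    fi
    # Same probe string as in the quoted message. The interpreter under test
    # is the program env starts ($shell_path), not the calling shell.
    out=$(env x='() { :;}; echo vulnerable' \
          "$shell_path" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
}

# probe_all PATH... -> one "path: verdict" line per candidate
probe_all() {
    for candidate in "$@"; do
        printf '%s: %s\n' "$candidate" "$(probe_shell "$candidate")"
    done
}

# Candidate paths are assumptions; adjust to the shells installed locally.
probe_all /bin/bash /bin/zsh /bin/sh
```

Running it from zsh or from any other shell gives the same verdicts, because only the binary passed to `env` parses the variable.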


