Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash

X-seq: zsh-workers 33235
From: Jérémie Roquet <arkanosis@xxxxxxxxx>
To: Peter Stephenson <p.stephenson@xxxxxxxxxxx>
Subject: Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
Date: Wed, 24 Sep 2014 17:13:47 +0200
Cc: Frank Terbeck <ft@xxxxxxxxxxxxxxxxxxx>, "Zsh Hackers' List" <zsh-workers@xxxxxxx>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=vR+CqNWx//vQzHKdLFfRRQd1M3sKAZziFXZyE7OS4ws=; b=LpwagUQAZ1b0iHHTqgkOl9jGmDdjqhUB6O1zj3DxMYSXmgSMFDK8QEn/ouZIoeNEZI 2ORnzQkcxUgY1gcW5l8ek1yGS5pIplgbW8iR3c718sqGyDJZ/IgG8WdIMxEVrIRHtP/e i3xn87ivJ6MQ5ky8gLWrgZSCevaBmo7+S7O9hQYN1+mK3ISmaQiSidW0dB2q/R9f7EgV +JYL64TutG9v5FmN1EE7RGYxXCfH5P9PfXywmEwI3ggGeq5sGcGWGPGO1B+LYDHABiJr 7qwDCQvlopqHPXQWQUNiWvMaRPSboIdN2RzTAwdHBomvZt50V3bJeTbXelO2Xchlip0b 5h6Q==
In-reply-to: <20140924160119.313cbdcd@pwslap01u.europe.root.pri>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <CAJ1KOAjyBjbywavXwa+ejjQD1YjK8eCSGaESYhJxCb1e3KPjFg@mail.gmail.com> <87fvfhvzl9.fsf@ft.bewatermyfriend.org> <20140924160119.313cbdcd@pwslap01u.europe.root.pri>

2014-09-24 17:01 GMT+02:00 Peter Stephenson <p.stephenson@xxxxxxxxxxx>:
> On Wed, 24 Sep 2014 16:54:10 +0200
> Frank Terbeck <ft@xxxxxxxxxxxxxxxxxxx> wrote:
>> Bash has this weird feature, where you can "export functions". I suspect
>> that's what's happening here. Zsh doesn't have this feature. Thankfully.
>
> I was going to suggest the same.  Can anyone less lazy / busy [pick
> whatever you think] than me confirm for sure?  Be nice to know.

Looks like you're right:

https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00087.html

-- 
Jérémie

References:
- zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
  - From: İsmail Dönmez
- Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
  - From: Frank Terbeck
- Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
  - From: Peter Stephenson

Messages sorted by: Reverse Date, Date, Thread, Author