Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash

X-seq: zsh-workers 33243
From: Peter Stephenson <p.stephenson@xxxxxxxxxxx>
To: Zsh Hackers' List <zsh-workers@xxxxxxx>
Subject: Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
Date: Thu, 25 Sep 2014 14:11:33 +0100
In-reply-to: <CAJ1KOAjyBjbywavXwa+ejjQD1YjK8eCSGaESYhJxCb1e3KPjFg@mail.gmail.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
Organization: Samsung Cambridge Solution Centre
References: <CAJ1KOAjyBjbywavXwa+ejjQD1YjK8eCSGaESYhJxCb1e3KPjFg@mail.gmail.com>

If you want to follow up, here's a news story describing the problem and
implications:

http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

There's nothing in zsh that corresponds to this particular problem; I
can't think of an easy way to get the environment to leak into code in
zsh without the code doing it deliberately but feel free to have a
think --- some of the special variable handling is quite complicated.

pws

Follow-Ups:
- Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
  - From: Oliver Kiddle

References:
- zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
  - From: İsmail Dönmez

Messages sorted by: Reverse Date, Date, Thread, Author