Zsh Mailing List Archive
Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
On Fri, 26 Sep 2014 16:03:14 +0200
Oliver Kiddle <okiddle@xxxxxxxxxxx> wrote:
> For specials of numeric type we appear to be doing math evaluation on
> their values.
> OPTIND='3+4' zsh -c 'echo $OPTIND'
> And if you think you can't do anything with math evaluation:
> x='`date >&2`' OPTIND='pipestatus[1${(e)x}]' zsh -c ':'
>
> Other shells don't even import OPTIND.

This affects OPTIND, TRY_BLOCK_ERROR and SHLVL. It makes no sense
to import the first two at all; they reflect internal status and having
them initialised to something from outside seems wrong.

SHLVL does need to be imported, but doesn't need to be evaluated on
import --- if it's not a straight integer at this point something is
screwy. So this could be checked.

> Would it perhaps make sense to
> revert the sense of PM_DONTIMPORT and have a PM_IMPORT flag so any new
> special is not imported unless whoever implements it actually gives it
> some thought.

Yes, probably.

pws
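
The two changes discussed in this message (specials imported only when explicitly marked, and SHLVL accepted only as a plain integer instead of being evaluated) are sketched below as an added example. It is not zsh source code: the policy enum, the table and the function names are hypothetical, and the sample values are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical import policies for this sketch; not zsh's PM_* flags.
 * IMP_NEVER is 0, so a special added without a policy is not imported. */
enum import_policy { IMP_NEVER = 0, IMP_INTEGER };
struct special { const char *name; enum import_policy policy; };
static const struct special specials[] = {
    { .name = "OPTIND" },                       /* internal state */
    { .name = "TRY_BLOCK_ERROR" },              /* internal state */
    { .name = "SHLVL", .policy = IMP_INTEGER }, /* needed, integer only */
};

/* Strict decimal integer; the value is never evaluated as an expression. */
static int strict_int(const char *s, long *out)
{
    const char *digits = (*s == '-' || *s == '+') ? s + 1 : s;
    char *end;
    long v;
    if (*digits < '0' || *digits > '9')   /* rejects "", " 2", "+", "x" */
        return 0;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')  /* rejects overflow and "3+4" */
        return 0;
    *out = v;
    return 1;
}

/* 1 and *num set if the value may initialise the named special, else 0. */
int import_special(const char *name, const char *value, long *num)
{
    for (size_t i = 0; i < sizeof specials / sizeof *specials; i++)
        if (strcmp(specials[i].name, name) == 0)
            return specials[i].policy == IMP_INTEGER && strict_int(value, num);
    return 0;
}

int main(void)
{
    long n = 0;
    int ok = import_special("SHLVL", "2", &n);
    printf("SHLVL=2 -> %d (n=%ld)\n", ok, n);
    printf("SHLVL=1+1 -> %d\n", import_special("SHLVL", "1+1", &n));
    printf("OPTIND=3+4 -> %d\n", import_special("OPTIND", "3+4", &n));
    return 0;
}
```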