Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: zsh 5.0.7

X-seq: zsh-workers 33336
From: Phil Pennock <zsh-workers+phil.pennock@xxxxxxxxxxxx>
To: Peter Stephenson <p.stephenson@xxxxxxxxxxx>
Subject: Re: zsh 5.0.7
Date: Thu, 2 Oct 2014 17:43:42 +0000
Cc: Zsh Hackers' List <zsh-workers@xxxxxxx>
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d201408; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date; bh=PeS1wmqNY7VZVs9hYMi9GL9nHkKNditn9ABLnfCxDNA=; b=SxdXD7x1Y+QdkTG1s1FiDGCN9Oy2cHnITgbwphHwat/hN4BSYeZnKcKsWu5XaiyarfCFE+9ST2FqyW6nOPSLDi+KrCBIjerIm8vLLLyZVT8cJ1AmpJwL/W/oXvCXMuo9oLNPUHpGfGYhhT6lFYPGu3xAfo1sMxM3f4n6m0OJZMKqzpiZ6GgIGLMz0/BXjtjjARXwJFnnmYBciz4k;
In-reply-to: <20141002172554.1eff5ce9@pwslap01u.europe.root.pri>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mail-followup-to: Peter Stephenson <p.stephenson@xxxxxxxxxxx>, Zsh Hackers' List <zsh-workers@xxxxxxx>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
Openpgp: url=https://www.security.spodhuis.org/PGP/keys/0x4D1E900E14C1CC04.asc
References: <20141001203847.2a7c000d@pws-pc.ntlworld.com> <20141002165807.0dc13b68@pwslap01u.europe.root.pri> <141002091656.ZM12380@torch.brasslantern.com> <20141002172554.1eff5ce9@pwslap01u.europe.root.pri>

On 2014-10-02 at 17:25 +0100, Peter Stephenson wrote:
> On Thu, 02 Oct 2014 09:16:56 -0700
> Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx> wrote:
> > On Oct 2,  4:58pm, Peter Stephenson wrote:
> > }
> > } Source distribution documentation.  Does this sound right?
> > 
> > I'd leave out the word "major" -- we don't know of any exploits, do we?
> 
> Nothing that would screw you up any more than getting anything else from
> the environment that you didn't sanitise, I don't think.  So it can
> leave you more open than to the effects of incautious programming.  Not
> sure if that counts.

The oss-security mailing-list folk seem to have settled on:

 * Arbitrary untrusted input in environ is okay and expected, as long as
   the attacker can't control the name of the variable;
 * If the attacker can control the name, then it's the responsibility of
   the software at the trust boundary (network server; setuid program)
   to filter (to protect against `LD_PRELOAD` and friends) to a
   whitelist or sane naming pattern (`HTTP_*`);
 * Bad actions taken on variables with arbitrary names is a software bug
   in whatever is interpreting the environ, whether a shell or anything
   else;
 * Bad actions on specific variables (`LD_*`) is expected and is why the
   trust boundary has responsibilities.

On this basis, the zsh behaviour for three specific variables is
unexpected and unfortunate, but not a CVE-worthy security bug.  But if
folk want to play safe to help vendors track disabling this unfortunate
behaviour, we could always ask for a CVE anyway, even though it
shouldn't be exploitable in any situation in which you're not already
thoroughly screwed.

-Phil

References:
- zsh 5.0.7
  - From: Peter Stephenson
- Re: zsh 5.0.7
  - From: Peter Stephenson
- Re: zsh 5.0.7
  - From: Bart Schaefer
- Re: zsh 5.0.7
  - From: Peter Stephenson

Messages sorted by: Reverse Date, Date, Thread, Author