Zsh Mailing List Archive
Messages sorted by:
Reverse Date,
Date,
Thread,
Author
Re: zsh 5.0.7 released
- X-seq: zsh-workers 33407
- From: Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx>
- To: shawn wilson <ag4ve.us@xxxxxxxxx>, Zsh Hackers' List <zsh-workers@xxxxxxx>
- Subject: Re: zsh 5.0.7 released
- Date: Thu, 9 Oct 2014 21:48:06 +0100
- In-reply-to: <CAH_OBieFY24--_Ka637pM0g-iKEKLrnz4zXLcWKj9_mx+DKn=w@mail.gmail.com>
- List-help: <mailto:zsh-workers-help@zsh.org>
- List-id: Zsh Workers List <zsh-workers.zsh.org>
- List-post: <mailto:zsh-workers@zsh.org>
- Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
- References: <20141008193835.5d66c0ad@pws-pc.ntlworld.com> <CAH_OBieFY24--_Ka637pM0g-iKEKLrnz4zXLcWKj9_mx+DKn=w@mail.gmail.com>
Oct 2014 09:55:50 -0400
shawn wilson <ag4ve.us@xxxxxxxxx> wrote:
> On Oct 8, 2014 9:56 PM, "Peter Stephenson" <p.w.stephenson@xxxxxxxxxxxx>
> wrote:
> >
> > Version 5.0.7 of zsh is released. You can get it from
> > http://www.zsh.org/pub and mirrors (see below). This is a stable
> > release. There are minor new features as well as bug fixes since 5.0.6.
> >
> > Note in particular there is a security fix to disallow evaluation of the
> > initial values of integer variables imported from the environment (they
> > are instead treated as literal numbers). That could allow local
> > privilege escalation, under some specific and atypical conditions where
> > zsh is being invoked in privilege elevation contexts when the
> > environment has not been properly sanitized, such as when zsh is invoked
> > by sudo on systems where "env_reset" has been disabled.
> >
>
> Was this security issue in SSH discussed on the list somewhere (I can't
> seem to find other mention of it outside the readme - not even direct
> mention in changelog or git log)...?
I don't know of an ssh issue, but the sudo issue was discussed offline.
The original point about sanitising integer imports, however, was discussed
here.
pws
Messages sorted by:
Reverse Date,
Date,
Thread,
Author