Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: zsh 5.0.7 released

X-seq: zsh-workers 33412
From: shawn wilson <ag4ve.us@xxxxxxxxx>
To: Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx>
Subject: Re: zsh 5.0.7 released
Date: Thu, 9 Oct 2014 18:41:39 -0400
Cc: "Zsh Hackers' List" <zsh-workers@xxxxxxx>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=q5WYrN9W5EmO1m/UimqijFMqqo6YSpuJgEMdkWFYbns=; b=KrrgEnwPMemlrlOkosTUqPrjRUs/xo2hvxWkzx5w0mYT5WUB19jN3YnMeqmABJqYMi Q2dI1rfaOEXeRK8uLfoIw/46Z8mCgLDbjskoSTVsTtGmxG9u75R1X0NZZOmlFe5NSjJd XyP7gspiafWdu3swQE3dag0vKQvy2EtmqZflTITfDUlGAzgXeRBCGtyoUZaw6OxdD8F4 qnEzIGPpMlSt3galiKm+ZI7r4+2d7b+CbyXdGAZgFmF2DtOPNR42vDpnRIgJnAXEp5CA qtSpIutp3hn6+Uq1uFv6lNl4c9+tO6imP7TpdQvvsOsZSaN85545l1vB4/+l4eEzfVg4 gVsQ==
In-reply-to: <20141009214806.201e9c0d@pws-pc.ntlworld.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <20141008193835.5d66c0ad@pws-pc.ntlworld.com> <CAH_OBieFY24--_Ka637pM0g-iKEKLrnz4zXLcWKj9_mx+DKn=w@mail.gmail.com> <20141009214806.201e9c0d@pws-pc.ntlworld.com>

Yay cellphone auto correct
On Oct 9, 2014 4:48 PM, "Peter Stephenson" <p.w.stephenson@xxxxxxxxxxxx>
wrote:
>
>  Oct 2014 09:55:50 -0400
> shawn wilson <ag4ve.us@xxxxxxxxx> wrote:
> > On Oct 8, 2014 9:56 PM, "Peter Stephenson" <p.w.stephenson@xxxxxxxxxxxx>
> > wrote:
> > >
> > > Version 5.0.7 of zsh is released.  You can get it from
> > > http://www.zsh.org/pub and mirrors (see below).  This is a stable
> > > release.  There are minor new features as well as bug fixes since
5.0.6.
> > >
> > > Note in particular there is a security fix to disallow evaluation of
the
> > > initial values of integer variables imported from the environment
(they
> > > are instead treated as literal numbers).  That could allow local
> > > privilege escalation, under some specific and atypical conditions
where
> > > zsh is being invoked in privilege elevation contexts when the
> > > environment has not been properly sanitized, such as when zsh is
invoked
> > > by sudo on systems where "env_reset" has been disabled.
> > >
> >
> > Was this security issue in SSH discussed on the list somewhere (I can't

s/SSH/bash/

> > seem to find other mention of it outside the readme - not even direct
> > mention in changelog or git log)...?
>

And I was referring to the zsh readme, changelog, git log.

> I don't know of an ssh issue,  but the sudo issue was discussed offline.
>
> The original point about sanitising integer imports, however, was
discussed
> here.

Huh, I'll look again.

Follow-Ups:
- Re: zsh 5.0.7 released
  - From: Bart Schaefer

References:
- Re: zsh 5.0.7 released
  - From: Peter Stephenson

Messages sorted by: Reverse Date, Date, Thread, Author