Zsh Mailing List Archive
Zsh - Multiple DoS Vulnerabilities
- X-seq: zsh-workers 44281
- From: David Wells <bughunters@xxxxxxxxxxx>
- To: zsh-workers@xxxxxxx
- Subject: Zsh - Multiple DoS Vulnerabilities
- Date: Fri, 10 May 2019 08:03:14 -0700
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tenable.com; s=mimecast20170201; t=1557500610; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding:in-reply-to: references:openpgp:autocrypt; bh=/zhcbtqyyMIHcEXK7pLQUpQKYLs4KD8YAnL0yYshoHE=; b=VYQ+1OcA8M/XZmLnxdW+gWT/82lso5+OmD25oG7mhuBDiFNwflVrQTNDbIqM8egmmpld2U eoCFaJdU/9tWGrZydxCkzhCVdaJ6dJ/hO7xsjJmeoulcqH0YH9OkVErfBNVdXK7STuDzKz mT+CHoCnKfZKGS7naVx9kGU9wSfo4II=
- List-help: <mailto:zsh-workers-help@zsh.org>
- List-id: Zsh Workers List <zsh-workers.zsh.org>
- List-post: <mailto:zsh-workers@zsh.org>
- List-unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
- Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
Hello Zsh-Workers,
Tenable has discovered multiple DoS vulnerabilities in Zsh. The root cause
appears to be Invalid Memory Access issues that crash the Zsh runtime. We
believe these have the following CVSS v2 vector: AV:L/AC:L/Au:S/C:N/I:N/A:C
and verified this is present when installed on Arch Linux 5.0.7 x64. We've
internally assigned this vulnerability TRA-221.
Here is a link where you'll find a proof of concept (PoC) called
zsh_poc.tar.bz2:
https://tenable.box.com/s/mi7vlmqgq5zpqhadlr90u2hit2r1hjwe.
The PoC contains the 7 different invalid memory access issues in their
respective directory. Each directory will contain a gdb stack trace as well
as the Zsh script which can trigger the bug.
#1 Invalid read from taddstr call in text.c
PoC folder: 01_taddstr_(text.c_148)
#2 Invalid read from execcmd_analyse in exec.c
PoC folder: 02_execcmd_analyse_(exec.c_3653)
#3 Invalid read from dupstring in string.c
PoC folder: 03_dupstring_(string.c_39)
#4 Invalid read from bin_print in builtin.c
PoC folder: 04_bin_print_(builtin.c_5009)
#5 Invalid read from untokenize in exec.c
PoC folder: 05_untokenize_(exec.c_1994)
#6 Invalid read from getjob in jobs.c
PoC folder: 06_getjob_(jobs.c_1935)
#7 Invalid read from hasher in hashtable.c
PoC folder: 07_hasher_(hashtable.c_85)
Tenable follows a 90-day vulnerability disclosure policy. That means, even
though we prefer coordinated disclosure, we'll issue an advisory on August
8, 2019 with or without a patch. Alternatively, any uncoordinated patch
publicly released before the 90-day deadline will be considered public
disclosure, and Tenable may release an early advisory. You can read the
full details of our policy here:
https://static.tenable.com/research/tenable-vulnerability-disclosure-policy.pdf
Thank you for taking the time to read this. We'd greatly appreciate it if
you'd acknowledge receipt of this report. If you have any questions we'd be
happy to address them.
Thanks again,
David
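A maintainer receiving a report like the one above typically wants to confirm each reported crash against a specific build before reading stack traces. The triage harness below is an added example for that purpose; it is not part of the report, of the PoC archive, or of the zsh project. It assumes the unpacked PoC directories each contain a script ending in `.zsh` (an assumption; the report only says each directory holds a script and a gdb trace) and that the interpreter under test is given via the `ZSH_BIN` environment variable (default: `zsh` on `PATH`). It runs each script with `zsh -f` (no user rc files) and classifies the outcome purely from the exit status: a status above 128 means the process died from a signal, which is what an invalid memory access looks like from the outside (11 = SIGSEGV, 6 = SIGABRT from a hardened allocator or ASan).

```shell
#!/bin/sh
# Added crash-triage harness (constructed example, not code from the report or from zsh).
# Usage: ZSH_BIN=/path/to/zsh sh triage.sh /path/to/unpacked/zsh_poc
# Prints one line per script: <classification><TAB><script path>.

# classify_status STATUS
# Maps a shell exit status to: ok | error:<n> | signal:<n>
# Shells report a child killed by signal N as 128+N, so anything above 128 is
# treated as signal death (the interesting case for a memory-safety report).
classify_status() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo ok
    elif [ "$st" -gt 128 ]; then
        echo "signal:$((st - 128))"   # e.g. signal:11 = SIGSEGV, signal:6 = SIGABRT
    else
        echo "error:$st"              # ordinary non-zero exit (syntax error, 127 = not found)
    fi
}

# run_and_classify CMD [ARGS...]
# Runs the command with output discarded and classifies its exit status.
# The command is placed in an 'if' so that 'set -e' in a caller cannot abort
# the harness when a PoC (intentionally) fails.
run_and_classify() {
    if "$@" >/dev/null 2>&1; then
        st=0
    else
        st=$?
    fi
    classify_status "$st"
}

# triage_dir DIR [ZSH_BINARY]
# Runs every *.zsh script under DIR (assumed naming) with the given zsh binary,
# using -f to skip rc files so only the PoC itself is executed.
triage_dir() {
    dir=$1
    zsh_bin=${2:-zsh}
    find "$dir" -name '*.zsh' | sort | while read -r script; do
        printf '%s\t%s\n' "$(run_and_classify "$zsh_bin" -f "$script")" "$script"
    done
}

# Only triage when a directory argument is supplied, so the file can also be
# sourced for its functions.
if [ $# -gt 0 ]; then
    triage_dir "$1" "${ZSH_BIN:-zsh}"
fi
```

Any line classified as `signal:11` or `signal:6` is a reproduced crash and the matching gdb trace in that PoC folder is worth reading next; an `error:127` line means `ZSH_BIN` did not resolve to an interpreter, not a result about zsh. Running the same directory against a patched build and diffing the two output files gives a quick regression check for all seven issues at once.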