Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: Zsh - Multiple DoS Vulnerabilities

X-seq: zsh-workers 44299
From: Oliver Kiddle <okiddle@xxxxxxxxxxx>
To: Zsh workers <zsh-workers@xxxxxxx>
Subject: Re: Zsh - Multiple DoS Vulnerabilities
Date: Tue, 14 May 2019 22:30:31 +0200
Authentication-results: amavisd4.gkg.net (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.co.uk
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s2048; t=1557865834; bh=AVma4g8tj0gXSbSWMoGQ0IAT8Sq/zxCA3qLRWRSoVro=; h=From:References:To:Subject:Date:From:Subject; b=CimIM4TOYGPXirOosxF/34H6kqMf9kWLpJ+gcODPTeh+DE+AWskvrO6wwZ4ZE/wotNfGA3SyRbH7grL/0upLN1HuTOiIgQkdNTK07Ab6+0DfSSj1eSfT9FOj+5QvlZo1WtAOSID12VyxjR4cOxhYF/a4ocSl1xkAebZgIz+bqiWXyIARjB+l+fjwzWC1JxPH+JiHXt/zqxRlNmUQhQub7lY4nWT3TjJunSIfmFCUrtkQsEpCDvlCG9RwD9ThL9/6bie4byp4DJGITKMmlLvKPkEfE3j+A/2gUyFsSvlPrblFQcDdzK8jdSQBLTPNon3Zc/IjS9/4B7rQhFG2dBtdGA==
In-reply-to: <CAH+w=7Y8d0h43rM_dHhbiT8nvL3-zxF8DUWTjn--hPX8sF7iaA@mail.gmail.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
List-unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <CAAOKOsfSAR5aRBvEcyQKRzDCvOgRJdyRvVb9AXMq6d22RaUozQ@mail.gmail.com> <CAH+w=7Y8d0h43rM_dHhbiT8nvL3-zxF8DUWTjn--hPX8sF7iaA@mail.gmail.com>

On 10 May, Bart wrote:
> On Fri, May 10, 2019 at 8:04 AM David Wells <bughunters@xxxxxxxxxxx> wrote:
> >
> >     #1 Invalid read from *taddrstr *call in *text.c*
> >     POC folder: *01_taddstr_(text.c_148)*
>
> and then (several seconds later) a crash.
>
> The following minimal subset of their test will put the shell into an
> infinite loop, without (at least for as long as I was willing to wait)
> crashing it:
>
> if true; then me > you || !
> :
> fi

I'm finding this one will crash on Linux but hang on FreeBSD. And not
crash with true as the condition. A variety of things can be used in the
condition. while .. do .. done can be used in place of if .. then .. fi,
&& or ||. The me > you part can be cut down to :. Try the following:

  if [[ m -eq y ]]; then
    : && !
    :
  fi

Where I had a crash, it was interpreting the wordcode in ecgetstr().
Where it does r = s->strs + (c >> 2), c had an infeasibly large value
causing it to index well beyond the range of s->strs. I'd be inclined to
suspect the problem comes earlier when parsing this into wordcode.

Issues #2, #3 and #5 are not separate issues but slight variations all
leading to the typeset followed by braces bug. So thanks to Peter, I think
those are all now fixed leaving this (#1) as the only one outstanding.

Oliver

Follow-Ups:
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Peter Stephenson
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Mikael Magnusson

References:
- Zsh - Multiple DoS Vulnerabilities
  - From: David Wells
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Bart Schaefer

Messages sorted by: Reverse Date, Date, Thread, Author