Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: Zsh - Multiple DoS Vulnerabilities

X-seq: zsh-workers 44303
From: Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>
To: Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx>
Subject: Re: Zsh - Multiple DoS Vulnerabilities
Date: Tue, 14 May 2019 15:25:36 -0700
Cc: David Wells <bughunters@xxxxxxxxxxx>, "zsh-workers@xxxxxxx" <zsh-workers@xxxxxxx>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brasslantern-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sMyPn0/lXWDuXwGId2rm/+zla6aIGe1w+jBVZswkMHQ=; b=aUGb/8e4+loPJL+ZKxQFOI734fW/k+CWGZpjaNuwXbG0HWugiR+BIOrA7UY6Hg5om3 kj7q0vRzpawQqnIEppdxRIJOdpXyvBv2MHvFDB47dAdG87Y71blXgb6ciaj0Y61HGDoj PiN+o58arpcgLp/obLjvaPjDsXpjDhZHp9CafoyUtyc1jxfRN5CHozi9w/YhgaOzT5QY NQLYVeQw/Igk0YtKB6svjd3hQnH8D+Wezv6ekIZJKQJky8SJPD53japE3jlJrWlMDwoJ fhTs/KKgPPGp3jpmoijTnZYiUgmE+R+QmaUbO/519RebsziGqMJ3LA6sj296/Jaxxr8q l8JA==
In-reply-to: <54c02a72-cbcf-4036-9a72-7df24c0041d2@www.fastmail.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
List-unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <CAAOKOsfSAR5aRBvEcyQKRzDCvOgRJdyRvVb9AXMq6d22RaUozQ@mail.gmail.com> <CAH+w=7YSL2eLRWeXaZj09er-v4noxuALxAum5Zj4awLP=7mQRQ@mail.gmail.com> <20190512162149.3fsqupqftmwxrbvd@chaz.gmail.com> <CAAOKOsfq-BDfbD1MD01f-soJdhK=rbvr-1kHubCs9uT4GNhG0g@mail.gmail.com> <20190514181026.u4myftmekdtqkhme@chaz.gmail.com> <54c02a72-cbcf-4036-9a72-7df24c0041d2@www.fastmail.com>

On Tue, May 14, 2019 at 2:39 PM Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx> wrote:
>
> I've been trying to come up with counterexamples.  What if somebody
> installed a /etc/zshenv that does, say, 'disable zmodload enable'?

You can bypass /etc/zshenv by, for example, invoking zsh as "sh" and
then running "emulate -R" and/or otherwise futzing with setopts.  So
either THAT is a security flaw, or your example isn't one either.

Follow-Ups:
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Daniel Shahaf

References:
- Zsh - Multiple DoS Vulnerabilities
  - From: David Wells
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Bart Schaefer
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Stephane Chazelas
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: David Wells
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Stephane Chazelas
- Re: Zsh - Multiple DoS Vulnerabilities
  - From: Daniel Shahaf

Messages sorted by: Reverse Date, Date, Thread, Author