Zsh Mailing List Archive
Re: Zsh - Multiple DoS Vulnerabilities
- X-seq: zsh-workers 44312
- From: Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx>
- To: zsh-workers@xxxxxxx
- Subject: Re: Zsh - Multiple DoS Vulnerabilities
- Date: Thu, 16 May 2019 21:37:09 +0100
- In-reply-to: <21436-1557865831.121649@2P7I.HAU9.QsaG>
- References: <CAAOKOsfSAR5aRBvEcyQKRzDCvOgRJdyRvVb9AXMq6d22RaUozQ@mail.gmail.com> <CAH+w=7Y8d0h43rM_dHhbiT8nvL3-zxF8DUWTjn--hPX8sF7iaA@mail.gmail.com> <21436-1557865831.121649@2P7I.HAU9.QsaG>
On Tue, 2019-05-14 at 22:30 +0200, Oliver Kiddle wrote:
> I'm finding this one will crash on Linux but hang on FreeBSD. And not
> crash with true as the condition. A variety of things can be used in the
> condition. while .. do .. done can be used in place of if .. then .. fi,
> && or ||. The me > you part can be cut down to :. Try the following:
>
> if [[ m -eq y ]]; then
> : && !
> :
> fi
>
> Where I had a crash, it was interpreting the wordcode in ecgetstr().
> Where it does r = s->strs + (c >> 2), c had an infeasibly large value
> causing it to index well beyond the range of s->strs. I'd be inclined to
> suspect the problem comes earlier when parsing this into wordcode.
I'm starting to wonder if this is an allocation rather than a parsing
problem --- the parsing is OK but something goes wrong with the final
pointer / afterwards / in building or copying the word code, so
that gettext2() or the exec code ends up trying to interpret garbage at
the end.
pws
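Oliver's description of the crash site (an offset decoded from a code word with `c >> 2` and used to index `s->strs`) is the place where a reader of wordcode needs a bounds check before forming the pointer. The C below is an added example for this thread, not zsh's ecgetstr() or its real data structures: the `strtab` type, its `strs_len` field and the sample table are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical string table in the shape the quoted line implies: a flat
 * buffer of NUL-terminated strings (s->strs) plus, added here, its total
 * length so that a decoded offset can be validated. */
typedef struct {
    const char *strs;
    size_t      strs_len;
} strtab;

/* Decode the offset as the quoted line does (c >> 2), but return NULL
 * instead of a pointer when the offset lands outside the table or the
 * string it names is not NUL-terminated inside the table. An
 * "infeasibly large" c therefore fails closed rather than indexing far
 * beyond s->strs. */
const char *checked_getstr(const strtab *s, uint32_t c)
{
    size_t off = (size_t)(c >> 2);
    if (off >= s->strs_len)
        return NULL;                    /* offset past the table: corrupt wordcode */
    const char *r = s->strs + off;
    if (memchr(r, '\0', s->strs_len - off) == NULL)
        return NULL;                    /* unterminated: a strlen() would run off the end */
    return r;
}

/* Constructed sample table (not captured from any zsh run):
 * "me" at offset 0, "you" at offset 3, ":" at offset 7. */
static const char sample_strs[] = "me\0you\0:";
const strtab sample_table = { sample_strs, sizeof sample_strs };

int main(void)
{
    const char *ok  = checked_getstr(&sample_table, 3u << 2);       /* "you" */
    const char *bad = checked_getstr(&sample_table, 0xFFFFFFF0u);   /* rejected */
    printf("valid offset  -> %s\n", ok ? ok : "(null)");
    printf("huge offset   -> %s\n", bad ? bad : "(rejected)");
    return 0;
}
```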