Zsh Mailing List Archive
Re: [BUG] Two vulnerabilities in zsh
- X-seq: zsh-workers 45851
- From: Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx>
- To: "zsh-workers@xxxxxxx" <zsh-workers@xxxxxxx>
- Subject: Re: [BUG] Two vulnerabilities in zsh
- Date: Tue, 19 May 2020 21:38:55 +0100
- In-reply-to: <20200519170418.5bc00b2f@tarpaulin.shahaf.local2>
- References: <wUyJbXo1lRhl4AYZR5ZuGgFNdYiAV1WPC7o0DRLgCliFUJuAePd3VZ2mcVzBKNW1nvmFCZMU6nd2jJ2gN2e02ioHUgzfAOjPzVUHXufMEIo=@protonmail.com> <20200519170418.5bc00b2f@tarpaulin.shahaf.local2>
On Tue, 2020-05-19 at 17:04 +0000, Daniel Shahaf wrote:
> > 1. Execute the following PoC command:
> >
> > echo $'******** **********************$\\\n(>$' | zsh
>
> This instruction is underspecified because it does not identify «echo»
> implementation being used and the shell being used (which affects how
> the «$'…'» would be parsed). That aside, I can reproduce this:
>
> $ printf '******** **********************$\\\n(>$' | zsh -f
> BUG: parse error in command substitution
> Segmentation fault
> $

The BUG message simplifies to this:

(127)9:32% zsh -fc '$\
('
1: BUG: parse error in command substitution
zsh:1: no such file or directory: pws/.

The other output shows it's doing something it shouldn't even if there
isn't a crash as a result. Adding a command in front does produce a
crash.

I think the backslashed newline is valid, and it looks like it's usually
correctly handled; apparently its presence is disguising the bad input
in this case.

pws