Zsh Mailing List Archive

Re: [BUG] Two vulnerabilities in zsh



On Tue, 2020-05-19 at 17:04 +0000, Daniel Shahaf wrote:
> > 1. Execute the following PoC command:
> > 
> >   echo $'******** **********************$\\\n(>$' | zsh
> 
> This instruction is underspecified because it does not identify the «echo»
> implementation being used and the shell being used (which affects how
> the «$'…'» would be parsed).  That aside, I can reproduce this:
> 
> $ printf '******** **********************$\\\n(>$' | zsh -f 
>  BUG: parse error in command substitution
> Segmentation fault
> $ 

The BUG message simplifies to this:

(127)9:32% zsh -fc '$\
('
1: BUG: parse error in command substitution
zsh:1: no such file or directory: pws/.

The other output shows it's doing something it shouldn't even if there
isn't a crash as a result.  Adding a command in front does produce a
crash.

I think the backslashed newline is valid, and it looks like it's usually
correctly handled; apparently its presence is disguising the bad input
in this case.

pws


