Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: [BUG] Two vulnerabilities in zsh



Peter Stephenson wrote on Tue, 19 May 2020 21:38 +0100:
> On Tue, 2020-05-19 at 17:04 +0000, Daniel Shahaf wrote:
> > > 1. Execute the following PoC command:
> > > 
> > >   echo $'******** **********************$\\\n(>$' | zsh  
> > 
> > This instruction is underspecified because it does not identify the «echo»
> > implementation being used and the shell being used (which affects how
> > the «$'…'» would be parsed).  That aside, I can reproduce this:
> > 
> > $ printf '******** **********************$\\\n(>$' | zsh -f 
> >  BUG: parse error in command substitution
> > Segmentation fault
> > $   
> 
> The BUG message simplifies to this:
> 
> (127)9:32% zsh -fc '$\
> ('
> 1: BUG: parse error in command substitution
> zsh:1: no such file or directory: pws/.
> 
> The other output shows it's doing something it shouldn't even if there
> isn't a crash as a result.  Adding a command in front does produce a
> crash.
> 
> I think the backslashed newline is valid, and it looks like it's usually
> correctly handled; apparently its presence is disguising the bad input
> in this case.

Test cases:

diff --git a/Test/D04parameter.ztst b/Test/D04parameter.ztst
index 024de4d2b..6d2dd0d99 100644
--- a/Test/D04parameter.ztst
+++ b/Test/D04parameter.ztst
@@ -2656,3 +2656,13 @@ F:behavior, see http://austingroupbugs.net/view.php?id=888
 >1: pws
 >3: pw
 >4: pw
+
+ # Using a subshell because it segfaults.
+ ("${: :${{{\"{{lorem ipsum dolor sit amet}}")
+-f:regression test for workers/45843#1
+?(eval):1: bad substitution
+
+# Temporarily using the 'D' flag because it generates a "BUG:" message in
+# debug builds only.
+ $ZTST_testdir/../Src/zsh -fc $'$\\\n('
+1Df:regression test for workers/45843#2: escaped newline in command substitution start token
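Review bot: the two new tests treat the exit status inconsistently: the first gives `-` (unchecked) while the second pins `1`, so once the segfault is gone the first test only verifies the `?(eval):1: bad substitution` line and not that the subshell exits non-zero; consider giving it a concrete status as well. Comment placement also differs: ` # Using a subshell because it segfaults.` is indented and so sits inside the test's code, whereas the two-line comment before the second test is at file level; pick one placement. Both tests carry the `f` flag, so the note about the `D` flag being temporary should also say that `f` is to be dropped when the parser fix lands, otherwise they stay XFAIL silently.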

I haven't added the crashing version of 45843#2.  Let me know if I should.

Cheers,

Daniel
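As an added check (not code from the thread or from the zsh test suite), the following POSIX sh script runs the two inputs from the reproduction above, the original PoC and Peter's minimal `$\<newline>(` reduction, against a zsh binary in a child process and classifies the outcome: an exit status of 128+N (killed by signal N, the segfault case), a `BUG:` line on stderr (which, as the test comment notes, debug builds emit), a plain non-zero exit, or success. The zsh path (first argument, else `zsh` on PATH), the function names and the classification rules are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the zsh mailing-list thread or the zsh sources:
# feed the two proof-of-concept inputs to a zsh binary in a child process
# and report what happened, so the checking shell itself survives a crash.

# The PoC strings, built with printf escapes so the script does not depend
# on the calling shell supporting $'...'.  The first is the original report,
# the second is Peter's minimal "$\<newline>(" reduction.
POC1=$(printf '******** **********************$\\\n(>$')
POC2=$(printf '$\\\n(')

# classify_outcome STATUS STDERR_TEXT -> prints one of: crash, bug, error, ok
# A status of 128+N is how sh reports a child killed by signal N (a segfault
# gives 139); a "BUG:" line is zsh's internal-consistency report.  The order
# (crash before bug before error) is an assumption of this example.
classify_outcome() {
    status=$1
    errtext=$2
    if [ "$status" -ge 128 ]; then
        echo crash
    elif printf '%s\n' "$errtext" | grep -q 'BUG:'; then
        echo bug
    elif [ "$status" -ne 0 ]; then
        echo error
    else
        echo ok
    fi
}

# run_poc ZSH_PATH POC_STRING -> prints the classification.
# The PoC goes in on stdin exactly as in the thread (printf ... | zsh -f);
# stderr is captured into a variable and stdout discarded.
run_poc() {
    zsh_bin=$1
    poc=$2
    st=0
    errtext=$(printf '%s' "$poc" | "$zsh_bin" -f 2>&1 >/dev/null) || st=$?
    classify_outcome "$st" "$errtext"
}

# Stand-alone use: check the zsh given as $1, else the one on PATH, if any.
ZSH_BIN=${1:-$(command -v zsh 2>/dev/null || true)}
if [ -n "$ZSH_BIN" ] && [ -x "$ZSH_BIN" ]; then
    printf 'poc1 (original report): %s\n' "$(run_poc "$ZSH_BIN" "$POC1")"
    printf 'poc2 (minimal form):    %s\n' "$(run_poc "$ZSH_BIN" "$POC2")"
else
    echo 'zsh not found; nothing run' >&2
fi
```

Run it as `sh check.sh /path/to/Src/zsh` to test a fresh build. On the build Daniel reproduced with, the first input should classify as `crash`; Peter's reduction should classify as `bug` on a debug build, since he notes the minimal form misbehaves without crashing. What a fixed build reports depends on the fix; a plain `error` (parse error, no `BUG:` line, no signal) is the expected shape.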
