Zsh Mailing List Archive
Re: [BUG] Two vulnerabilities in zsh
Peter Stephenson wrote on Tue, 19 May 2020 21:38 +0100:
> On Tue, 2020-05-19 at 17:04 +0000, Daniel Shahaf wrote:
> > > 1. Execute the following PoC command:
> > >
> > > echo $'******** **********************$\\\n(>$' | zsh
> >
> > This instruction is underspecified because it does not identify «echo»
> > implementation being used and the shell being used (which affects how
> > the «$'…'» would be parsed). That aside, I can reproduce this:
> >
> > $ printf '******** **********************$\\\n(>$' | zsh -f
> > BUG: parse error in command substitution
> > Segmentation fault
> > $
>
> The BUG message simplifies to this:
>
> (127)9:32% zsh -fc '$\
> ('
> 1: BUG: parse error in command substitution
> zsh:1: no such file or directory: pws/.
>
> The other output shows it's doing something it shouldn't even if there
> isn't a crash as a result. Adding a command in front does produce a
> crash.
>
> I think the backslashed newline is valid, and it looks like it's usually
> correctly handled; apparently its presence is disguising the bad input
> in this case.
Test cases:
diff --git a/Test/D04parameter.ztst b/Test/D04parameter.ztst
index 024de4d2b..6d2dd0d99 100644
--- a/Test/D04parameter.ztst
+++ b/Test/D04parameter.ztst
@@ -2656,3 +2656,13 @@ F:behavior, see http://austingroupbugs.net/view.php?id=888
>1: pws
>3: pw
>4: pw
+
+ # Using a subshell because it segfaults.
+ ("${: :${{{\"{{lorem ipsum dolor sit amet}}")
+-f:regression test for workers/45843#1
+?(eval):1: bad substitution
+
+# Temporarily using the 'D' flag because it generates a "BUG:" message in
+# debug builds only.
+ $ZTST_testdir/../Src/zsh -fc $'$\\\n('
+1Df:regression test for workers/45843#2: escaped newline in command substitution start token
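Review bot: the two comments in this hunk are indented inconsistently: `+ # Using a subshell because it segfaults.` sits inside the indented code chunk, while `+# Temporarily using the 'D' flag because it generates a "BUG:" message in` starts at column 0; pick one form and use it for both. The second comment also says "Temporarily" without recording what the follow-up is; spell it out (for example, drop the `D` flag once the "BUG:" message no longer appears in debug builds) so the flag does not silently outlive the bug it works around.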
I haven't added the crashing version of 45843#2. Let me know if I should.
Cheers,
Daniel