Zsh Mailing List Archive
Re: 0day in zsh through history expression
- X-seq: zsh-workers 53818
- From: Mikael Magnusson <mikachu@xxxxxxxxx>
- To: Pwn <ranasinanadil@xxxxxxxxx>
- Cc: zsh-workers@xxxxxxx
- Subject: Re: 0day in zsh through history expression
- Date: Sat, 12 Jul 2025 21:52:59 +0200
- Archived-at: <https://zsh.org/workers/53818>
- In-reply-to: <CAP=2gBic4+8YJ7o4uXtaR8wmtHndGdp-AH_6RVbJpm7+Wb=eCw@mail.gmail.com>
- List-id: <zsh-workers.zsh.org>
- References: <CAP=2gBic4+8YJ7o4uXtaR8wmtHndGdp-AH_6RVbJpm7+Wb=eCw@mail.gmail.com>
On Sat, Jul 12, 2025 at 8:33 PM Pwn <ranasinanadil@xxxxxxxxx> wrote:
>
> POC is in this link: https://livepwn.github.io/ZshShock
This seems to be mostly nonsense, maybe AI generated[1]? But the crash
does happen; this patch fixes it, but I don't use history substitution
much:
diff --git i/Src/hist.c w/Src/hist.c
index 379dc1b036..3450f4464c 100644
--- i/Src/hist.c
+++ w/Src/hist.c
@@ -2446,7 +2446,7 @@ gethist(int ev)
/**/
static char *
-getargs(Histent elist, int arg1, int arg2)
+getargs(Histent elist, unsigned int arg1, unsigned int arg2)
{
short *words = elist->words;
int pos1, pos2, nwords = elist->nwords;
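Review bot: changing arg1/arg2 to unsigned in the getargs() signature while the body still declares `int pos1, pos2, nwords = elist->nwords;` means every comparison of arg1/arg2 against nwords (or against pos1/pos2) is now a signed/unsigned comparison; a negative arg is rejected only because it wraps to a large value, and any negative value on the signed side would wrap the same way. That is hard to read as an intentional bounds check and is the kind of thing -Wsign-compare will flag. I would keep the int parameters and add explicit range checks at the top of the body instead, along the lines of `if (arg1 < 0 || arg2 < 0 || arg1 >= nwords || arg2 >= nwords)` followed by the function's existing failure return, with a one-line comment saying the indices come from user-typed history expansion and are untrusted. The hunk as quoted stops after three context lines, so the callers that feed arg1/arg2 (and whether any of them pass a negative sentinel) cannot be checked from here; whoever applies this should confirm that in the full hist.c.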
[1]
Discovery Date: [21 June 2025]
Vendor Notified: [22 June 2025]
Patch Release: TBD
Public Disclosure: [19 May 2025]
Nobody was notified on those dates, and today is not May 19th. Also,
the rest is mostly nonsensical: why would you locate the pointer to
system() in glibc when you're already writing arbitrary commands into
a shell session?
--
Mikael Magnusson
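The patch above works because casting a word index to unsigned turns every negative value into one that compares larger than nwords, so a single comparison rejects both out-of-range directions. The C below is an added illustration of that idiom, written for this page and not taken from zsh; the ToyHistent struct, the getargs_checked() function and the sample history line "echo foo bar" are all constructed for the example. It shows the plain signed check letting -1 through, the unsigned check rejecting it, and a word-range extractor that validates both indices before touching the words array.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a history entry: word boundaries are stored as
 * (start, end) offset pairs into text, 2*nwords shorts in total. This is an
 * illustrative struct, not zsh's Histent. */
typedef struct {
    const char *text;
    short *words;
    int nwords;
} ToyHistent;

/* The unguarded comparison: a negative arg satisfies arg < nwords, so the
 * caller would go on to index words[] with a negative subscript. */
static int passes_signed_check(int arg, int nwords) {
    return arg < nwords;
}

/* The guarded comparison: after the cast, any negative arg is a huge
 * unsigned value, so one test covers both "too small" and "too large". */
static int passes_unsigned_check(int arg, int nwords) {
    return (unsigned)arg < (unsigned)nwords;
}

/* Return a freshly allocated copy of words arg1..arg2 (inclusive) from the
 * entry, or NULL when either index is out of range or the range is empty.
 * Hypothetical helper; zsh's getargs() is not reproduced here. */
static char *getargs_checked(const ToyHistent *e, int arg1, int arg2) {
    if (!passes_unsigned_check(arg1, e->nwords) ||
        !passes_unsigned_check(arg2, e->nwords) ||
        arg1 > arg2)
        return NULL;
    int start = e->words[2 * arg1];
    int end = e->words[2 * arg2 + 1];
    size_t len = (size_t)(end - start);
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    memcpy(out, e->text + start, len);
    out[len] = '\0';
    return out;
}

/* Constructed sample: "echo foo bar" -> echo(0,4) foo(5,8) bar(9,12). */
static short sample_words[] = { 0, 4, 5, 8, 9, 12 };
static const ToyHistent sample = { "echo foo bar", sample_words, 3 };

/* 1 if extracting arg1..arg2 from the sample yields exactly expect
 * (or is rejected when expect is NULL), else 0. */
static int slice_matches(int arg1, int arg2, const char *expect) {
    char *s = getargs_checked(&sample, arg1, arg2);
    int ok = (s == NULL) ? (expect == NULL)
                         : (expect != NULL && strcmp(s, expect) == 0);
    free(s);
    return ok;
}

int main(void) {
    char *s = getargs_checked(&sample, 1, 2);
    printf("words 1-2: %s\n", s ? s : "(rejected)");
    free(s);
    s = getargs_checked(&sample, -1, 2);
    printf("words -1-2: %s\n", s ? s : "(rejected)");
    free(s);
    printf("signed check accepts -1: %d, unsigned check accepts -1: %d\n",
           passes_signed_check(-1, 3), passes_unsigned_check(-1, 3));
    return 0;
}
```

The explicit `arg < 0 || arg >= nwords` form says the same thing more readably and without a signed/unsigned comparison, which is what I would reach for in a function whose indices come straight from user-typed history expansion.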