Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: 0day in zsh through history expression
This was reported to zsh-security a couple of hours earlier and I already sent a patch there.

On Sat, Jul 12, 2025, 12:53 PM Mikael Magnusson <mikachu@xxxxxxxxx> wrote:
On Sat, Jul 12, 2025 at 8:33 PM Pwn <ranasinanadil@xxxxxxxxx> wrote:
>
> POC is in this link:  https://livepwn.github.io/ZshShock

This seems to be mostly nonsense, maybe AI generated[1]? But the crash
does happen, this patch fixes it but I don't use history substitution
much,

diff --git i/Src/hist.c w/Src/hist.c
index 379dc1b036..3450f4464c 100644
--- i/Src/hist.c
+++ w/Src/hist.c
@@ -2446,7 +2446,7 @@ gethist(int ev)

 /**/
 static char *
-getargs(Histent elist, int arg1, int arg2)
+getargs(Histent elist, unsigned int arg1, unsigned int arg2)
 {
     short *words = elist->words;
     int pos1, pos2, nwords = elist->nwords;
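Review bot: the only change is the type of `arg1`/`arg2`, while `nwords` in `int pos1, pos2, nwords = elist->nwords;` (and `pos1`/`pos2`) stays signed, so any later range check of the form `arg1 >= nwords` is evaluated after `nwords` is converted to `unsigned int`; a negative word index passed by a caller becomes a large value and fails that check, which is presumably the intended effect, but the reliance on the usual arithmetic conversions is not stated anywhere. Suggest a one-line comment above the signature saying that negative indices are deliberately rejected via the unsigned conversion, and either making `nwords`, `pos1` and `pos2` match the new signedness or casting explicitly at the comparison so the bounds check does not depend on implicit conversion and does not trip -Wsign-compare. Since the `/**/` marker means the generated prototype follows the new signature, every existing caller passing `int` values will convert silently; worth confirming that is the behaviour wanted at each call site.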


[1]
Discovery Date: [21 June 2025]
Vendor Notified: [22 June 2025]
Patch Release: TBD
Public Disclosure: [19 May 2025]

Nobody was notified at those dates, and today is not May 19th. Also,
the rest is mostly nonsensical: why would you locate the pointer to
system() in glibc when you're already writing arbitrary commands into
a shell session?

--
Mikael Magnusson