Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: Does the bash bug have a zsh counterpart?

X-seq: zsh-users 19148
From: shawn wilson <ag4ve.us@xxxxxxxxx>
To: "William G. Scott" <wgscott@xxxxxxxx>
Subject: Re: Does the bash bug have a zsh counterpart?
Date: Thu, 25 Sep 2014 12:42:10 -0400
Cc: Zsh Users <zsh-users@xxxxxxx>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=jMP3XodhERzb1iVz+MhjJ+q3Mix88WESbjsLho0EyCc=; b=MO8J7S34aDmJ55RkF6mqrQAXinHUjjdKgc8dlj4dOf/NgxQoFcYf+6Ci+OEDTAP++i Wg+PCDn450b2Hb8o020A3Dx0MllN2XL8NFvdyvxfg8Cj3kH4g1QC5/wdGzmBGzE7h0Kj YN86uibvFdPGvMmpYwAkpg/FzXDGOGLUR2glhjtTh8/l/o2TfquxRUAWnbJs5CLbXTD5 LPl025/PxZqySV6tA+xdjoOFt1ZFS8PLnT/trnrx4spXchICSmawM/E24XDW3Y3Z6+1N A27ZUHFxTOcWQ8mSdbEGNRR3Uw+Fjak7b6KwG6nrOgLNiFo8FuFXg+KcOs5/Kg+Our63 OBLw==
In-reply-to: <1B204EC0-006C-47D9-80F3-007562954A8D@ucsc.edu>
List-help: <mailto:zsh-users-help@zsh.org>
List-id: Zsh Users List <zsh-users.zsh.org>
List-post: <mailto:zsh-users@zsh.org>
Mailing-list: contact zsh-users-help@xxxxxxx; run by ezmlm
References: <1B204EC0-006C-47D9-80F3-007562954A8D@ucsc.edu>

Maybe not?

I quickly took this:
https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/ckro7be

And changed out the shell. But I didn't look too hard.

 % rm -f echo && env -i  X='() { (a)=>\' zsh -c 'echo date'; cat echo

Downloads/temp swlap1
env: zsh: No such file or directory
cat: echo: No such file or directory

On Thu, Sep 25, 2014 at 12:35 PM, William G. Scott <wgscott@xxxxxxxx> wrote:
> Hi folks:
>
> Does any version of zsh have the same issue as bash, reported eg at
>
> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>
>
> The test listed toward the end of the article doesn’t indicate that it does (substituting zsh for bash), but I just wanted to ask.
>
> I was thinking of temporarily replacing sh and bash on OS X with zsh until a security fix is offered.
>
> Many thanks.
>
>
> Bill
>
>
>

References:
- Does the bash bug have a zsh counterpart?
  - From: William G. Scott

Messages sorted by: Reverse Date, Date, Thread, Author