Zsh Mailing List Archive
Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
- X-seq: zsh-workers 33231
- From: Jérémie Roquet <arkanosis@xxxxxxxxx>
- To: İsmail Dönmez <ismail@xxxxxxxxx>
- Subject: Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash
- Date: Wed, 24 Sep 2014 16:55:23 +0200
- Cc: "Zsh Hackers' List" <zsh-workers@xxxxxxx>
- In-reply-to: <CAJ1KOAjyBjbywavXwa+ejjQD1YjK8eCSGaESYhJxCb1e3KPjFg@mail.gmail.com>
- List-help: <mailto:zsh-workers-help@zsh.org>
- List-id: Zsh Workers List <zsh-workers.zsh.org>
- List-post: <mailto:zsh-workers@zsh.org>
- Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
- References: <CAJ1KOAjyBjbywavXwa+ejjQD1YjK8eCSGaESYhJxCb1e3KPjFg@mail.gmail.com>
Hi,
2014-09-24 16:45 GMT+02:00 İsmail Dönmez <ismail@xxxxxxxxx>:
> According to the vulnerability test in
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>
> [~]> echo $ZSH_VERSION
> 5.0.6
>
> [~]> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test
If I understand well, this test only proves that your version of *bash* is vulnerable:
$ env x='() { :;}; echo vulnerable' zsh -c "echo this is a test"
this is a test
Looks like zsh is not.
Best regards,
--
Jérémie
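
The distinction drawn in this reply, that the result belongs to the shell named on the command line and not to the shell the command was typed into, as an added example that is not part of the original message: a POSIX sh script that runs the same probe against each shell binary separately. The function names, the marker string and the list of shells are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): report, per shell binary,
# whether it executes text that follows a function definition imported from
# the environment (the CVE-2014-6271 behaviour tested above).

# probe_shell SHELL
# Returns 0 if SHELL ran the trailing command (vulnerable),
#         1 if it did not,
#         2 if SHELL is not installed.
probe_shell() {
    shell_bin=$1
    command -v "$shell_bin" >/dev/null 2>&1 || return 2
    # Constructed marker: it reaches stdout only if the shell executed the
    # text after the function body while importing variable x.
    marker="imported-code-ran-$$"
    output=$(env x="() { :;}; echo $marker" "$shell_bin" -c 'echo probe done' 2>/dev/null) || true
    case $output in
        *"$marker"*) return 0 ;;
        *) return 1 ;;
    esac
}

# report SHELL...
# Prints one line per shell so each result is tied to the binary tested.
report() {
    for candidate in "$@"; do
        probe_shell "$candidate" && rc=0 || rc=$?
        case $rc in
            0) echo "$candidate: VULNERABLE (ran code from the environment)" ;;
            1) echo "$candidate: not affected by this test" ;;
            2) echo "$candidate: not installed" ;;
        esac
    done
}

# The list of shells is an assumption; pass whatever is installed locally.
report bash zsh sh dash ksh
```

A "not affected" result for zsh says nothing about a bash binary installed on the same host, which is why each shell is probed by name.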