Zsh Mailing List Archive
Messages sorted by:
Re: Zsh - Multiple DoS Vulnerabilities
- X-seq: zsh-workers 44305
- From: Mikael Magnusson <mikachu@xxxxxxxxx>
- To: Oliver Kiddle <okiddle@xxxxxxxxxxx>
- Subject: Re: Zsh - Multiple DoS Vulnerabilities
- Date: Wed, 15 May 2019 18:50:04 +0200
- Cc: Zsh workers <zsh-workers@xxxxxxx>
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=oESEysC8RAfhVJp8QxkaMokVQdVmcOpBDLlgvreDjIY=; b=aMSaBlE+BSJf4D9dbpwBGHHbaX7HaXMStC9JNe3f9cYnqqx0nh7raqxjkY4ofV6E3/ ylAjR6jV8qcFBOoA9zEJyC1gcHwsYaHchPyHk8z3YS0qcHWlI6QypeLP/D84ivtVQITj vl7wrHBIieY2sUdpHb2NQVDy/z5f6DGtxLgPXWK+2rZeq+kCvnwvQVcqkutJflLIYZYR EZhCOTQ7WZQ+7UVzyhL/8WKfRxa8pKmE4OluNHDilBjQ9PAU40UlqQEYLOBtY1P+yLii svHekzzYpCJIDaE1BI1uOS17YQ7cDdIX+Z6PAuOFWdJPG/HIt2eBcsTmulhsAdy9jk6T h6ZA==
- In-reply-to: <21436-1557865831.121649@2P7I.HAU9.QsaG>
- List-help: <mailto:firstname.lastname@example.org>
- List-id: Zsh Workers List <zsh-workers.zsh.org>
- List-post: <mailto:email@example.com>
- List-unsubscribe: <mailto:firstname.lastname@example.org>
- Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
- References: <CAAOKOsfSAR5aRBvEcyQKRzDCvOgRJdyRvVb9AXMq6d22RaUozQ@mail.gmail.com> <CAH+w=7Y8d0h43rM_dHhbiT8nvL3-zxF8DUWTjn--hPX8sF7iaA@mail.gmail.com> <21436-1557865831.121649@2P7I.HAU9.QsaG>
On 5/14/19, Oliver Kiddle <okiddle@xxxxxxxxxxx> wrote:
> On 10 May, Bart wrote:
>> On Fri, May 10, 2019 at 8:04 AM David Wells <bughunters@xxxxxxxxxxx>
>> > #1 Invalid read from *taddrstr *call in *text.c*
>> > POC folder: *01_taddstr_(text.c_148)*
>> and then (several seconds later) a crash.
>> The following minimal subset of their test will put the shell into an
>> infinite loop, without (at least for as long as I was willing to wait)
>> crashing it:
>> if true; then me > you || !
> I'm finding this one will crash on Linux but hang on FreeBSD. And not
> crash with true as the condition. A variety of things can be used in the
> condition. while .. do .. done can be used in place of if .. then .. fi,
> && or ||. The me > you part can be cut down to :. Try the following:
> if [[ m -eq y ]]; then
> : && !
> Where I had a crash, it was interpreting the wordcode in ecgetstr().
> Where it does r = s->strs + (c >> 2), c had an infeasibly large value
> causing it to index well beyond the range of s->strs. I'd be inclined to
> suspect the problem comes earlier when parsing this into wordcode.
> Issues #2, #3 and #5 are not separate issues but slight variations all
> leading to the typeset followed by braces bug. So thanks to Peter, I think
> those are all now fixed leaving this (#1) as the only one outstanding.
Might it be worth adding some type of check to the ecgetstr() code, so
we get a DPUTS instead of a crash if c>>2 is incredibly large? I'm not
sure atm how this would be determined, or what typical values are, but
I think two of these issues led to a crash here. We could also get
arbitrary bytecode from a modified .zwc file although of course in
that case you've already los tany security. Still would be nice to not
crash from misparsing it though.
Messages sorted by: