Zsh Mailing List Archive

Re: zsh seems to be vulnerable to CVE-2014-6271: remote code execution through bash



Peter Stephenson wrote:
> On Wed, 24 Sep 2014 16:54:10 +0200
> Frank Terbeck <ft@xxxxxxxxxxxxxxxxxxx> wrote:
>> Bash has this weird feature, where you can "export functions". I suspect
>> that's what's happening here. Zsh doesn't have this feature. Thankfully.
>
> I was going to suggest the same.  Can anyone less lazy / busy [pick
> whatever you think] than me confirm for sure?  Be nice to know.

I just skimmed through the text in the link the OP provided. Here's an
excerpt:

[snip]
    Like “real” programming languages, Bash has functions, though in a
    somewhat limited implementation, and it is possible to put these
    bash functions into environment variables. This flaw is triggered
    when extra code is added to the end of these function definitions
    (inside the environment variable).
[snap]

So, yeah. Looks like it. :)


Regards, Frank
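
The condition the excerpt describes, as an added example that is not part of the original thread: a heuristic Python check that flags environment values that look like an exported bash function definition with extra text after the function body. The function names and the sample environment are constructed for illustration; treating a value that begins with `() {` as a function definition reflects how unpatched bash recognised exported functions.

```python
import os

# Unpatched bash treated an environment value beginning with these four
# characters as an exported function definition to be parsed at startup.
FUNC_PREFIX = "() {"


def trailing_after_function(value):
    """Return the text after the function body's closing brace, or None if
    the value does not look like an exported function definition.
    Brace matching is naive (it ignores quoting), so this is a heuristic."""
    if not value.startswith(FUNC_PREFIX):
        return None
    depth = 0
    for i in range(len(FUNC_PREFIX) - 1, len(value)):
        if value[i] == "{":
            depth += 1
        elif value[i] == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].strip()
    # Unbalanced braces: report everything after the prefix for review.
    return value[len(FUNC_PREFIX):].strip()


def scan_environment(env):
    """Return (name, verdict, trailing_text) for each function-like value."""
    findings = []
    for name, value in sorted(env.items()):
        trailing = trailing_after_function(value)
        if trailing is None:
            continue
        verdict = "trailing-code" if trailing else "function-only"
        findings.append((name, verdict, trailing))
    return findings


# Constructed sample environment (not taken from the thread).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "greet": "() {  echo hello\n}",                   # plain exported function
    "SOME_VAR": "() { :; }; echo constructed-marker",  # text after the body
    "NOTE": "call f() { } later",                      # prefix not at the start
}

if __name__ == "__main__":
    for finding in scan_environment(dict(os.environ)) or scan_environment(SAMPLE_ENV):
        print(finding)
```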


