Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: zsh 5.0.7



On 2014-10-02 at 17:25 +0100, Peter Stephenson wrote:
> On Thu, 02 Oct 2014 09:16:56 -0700
> Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx> wrote:
> > On Oct 2,  4:58pm, Peter Stephenson wrote:
> > }
> > } Source distribution documentation.  Does this sound right?
> > 
> > I'd leave out the word "major" -- we don't know of any exploits, do we?
> 
> Nothing that would screw you up any more than getting anything else from
> the environment that you didn't sanitise, I don't think.  So it can
> leave you more open than to the effects of incautious programming.  Not
> sure if that counts.

The oss-security mailing-list folk seem to have settled on:

 * Arbitrary untrusted input in environ is okay and expected, as long as
   the attacker can't control the name of the variable;
 * If the attacker can control the name, then it's the responsibility of
   the software at the trust boundary (network server; setuid program)
   to filter (to protect against `LD_PRELOAD` and friends) to a
   whitelist or sane naming pattern (`HTTP_*`);
 * Bad actions taken on variables with arbitrary names is a software bug
   in whatever is interpreting the environ, whether a shell or anything
   else;
 * Bad actions on specific variables (`LD_*`) is expected and is why the
   trust boundary has responsibilities.

On this basis, the zsh behaviour for three specific variables is
unexpected and unfortunate, but not a CVE-worthy security bug.  But if
folk want to play safe to help vendors track disabling this unfortunate
behaviour, we could always ask for a CVE anyway, even though it
shouldn't be exploitable in any situation in which you're not already
thoroughly screwed.

-Phil



Messages sorted by: Reverse Date, Date, Thread, Author