Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: zsh 5.0.7 released

 Oct 2014 09:55:50 -0400
shawn wilson <ag4ve.us@xxxxxxxxx> wrote:
> On Oct 8, 2014 9:56 PM, "Peter Stephenson" <p.w.stephenson@xxxxxxxxxxxx>
> wrote:
> >
> > Version 5.0.7 of zsh is released.  You can get it from
> > http://www.zsh.org/pub and mirrors (see below).  This is a stable
> > release.  There are minor new features as well as bug fixes since 5.0.6.
> >
> > Note in particular there is a security fix to disallow evaluation of the
> > initial values of integer variables imported from the environment (they
> > are instead treated as literal numbers).  That could allow local
> > privilege escalation, under some specific and atypical conditions where
> > zsh is being invoked in privilege elevation contexts when the
> > environment has not been properly sanitized, such as when zsh is invoked
> > by sudo on systems where "env_reset" has been disabled.
> >
> Was this security issue in SSH discussed on the list somewhere (I can't
> seem to find other mention of it outside the readme - not even direct
> mention in changelog or git log)...?

I don't know of an ssh issue,  but the sudo issue was discussed offline.

The original point about sanitising integer imports, however, was discussed


Messages sorted by: Reverse Date, Date, Thread, Author