undefined | Better HN

0 pointsCrito11y ago0 comments

I'm not seeing this on zsh 4.3.17. Exactly what did you run to see this?

0 comments

pja11y ago

They probably ran

  env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

but failed to spot that the second command invokes bash not zsh.

My tests suggest that neither zsh 4.3.17 or 5.0.6 (the versions that ship with Debian stable & testing respectively) are vulnerable to this exploit - if you replace bash with zsh in the test oneliner then the code after the end of the function definition in the environment variable is not executed.

flexd11y ago

That's it, I am an idiot today. (and more days probably)

j / k navigate · click thread line to collapse