diff options
author | Peter Stephenson <pws@zsh.org> | 2014-10-06 17:16:12 +0100 |
---|---|---|
committer | Peter Stephenson <pws@zsh.org> | 2014-10-06 17:16:12 +0100 |
commit | 43c8bc81cf96c22726aacf87bb9a0a982f43b32e (patch) | |
tree | 1cab5f6ca8a84f6691956e3d4ab0b497f73c9ef2 | |
parent | a65fb0677c6188220bf5ceacdb8d9a1a2f24883f (diff) | |
download | zsh-43c8bc81cf96c22726aacf87bb9a0a982f43b32e.tar.gz zsh-43c8bc81cf96c22726aacf87bb9a0a982f43b32e.tar.xz zsh-43c8bc81cf96c22726aacf87bb9a0a982f43b32e.zip |
unposted (discussed offline): update README for integer import vulnerability
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | README | 8 |
2 files changed, 10 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog index f1fdbceac..985711036 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2014-10-06 Peter Stephenson <p.stephenson@samsung.com> + + * unposted (discussed offline): README: update description of + integer import problem. + 2014-10-04 Barton E. Schaefer <schaefer@zsh.org> * 33354: Src/jobs.c, Test/A05execution.ztst: when backgrounding diff --git a/README b/README index 42105ee8d..e3ccc70b1 100644 --- a/README +++ b/README @@ -10,9 +10,11 @@ There are minor new features as well as bug fixes since 5.0.6. Note in particular there is a security fix to disallow evaluation of the initial values of integer variables imported from the environment (they -are instead treated as literal numbers). Although no exploits are -currently known with this issue it is recommended to upgrade as soon as -possible. +are instead treated as literal numbers). That could allow local +privilege escalation, under some specific and atypical conditions where +zsh is being invoked in privilege elevation contexts when the +environment has not been properly sanitized, such as when zsh is invoked +by sudo on systems where "env_reset" has been disabled. Installing Zsh -------------- |