Does the Shellshock Bash bug affect ZSH?
Is upgrading Bash the only solution?
No, it doesn't affect ZSH.
You still MUST update bash as most of the system scripts are written for bash and vulnerable to the shellshock bug.
To test your ZSH do this:
env x='() { :;}; echo vulnerable' zsh -c 'echo hello'
What exactly does this code do?
env x='() { :;}; echo vulnerable' creates an environment variable with the known bug, using a command at the end of the variable
zsh -c 'echo hello' launches a ZSH shell with a simple hello (and evaluates all env variables, including x)
If you see this output:
vulnerable
hello
Then your ZSH is vulnerable. Mine (5.0.2) is not:
$ env x='() { :;}; echo vulnerable' zsh -c 'echo hello'
hello
From this link:
You can determine if you are vulnerable to the original problem in CVE-2014-6271 by executing this test:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
If you see the word vulnerable in the output of that command your bash is vulnerable and you should update. Below is a vulnerable version from OS X 10.8.5:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello
The following output is an example of a non-vulnerable bash version.
$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
It does not affect zsh as the shell executable, because its source code never contained the error.
There are many similarities between bash and zsh, but they were implemented independently of each other. The same feature is implemented in two different ways, and - more important in this context - usually with different errors.
Indirectly it does affect working interactively with the zsh shell in a terminal almost as much as working with bash.
The use of bash is just so common that one can hardly avoid calling it.
zsh, but actually contain bash. #!/bin/bash to specify bash as the interpreter. lots of commands that you assume are binaries, but are shell scripts, some of them using bash.
in many places where a shell is executed explicitly, bash may be used, and possibly required.
xargs commands, or git aliases involving arguments
No, Shellshock does not affect zsh directly.
However many environments that use zsh as the default shell also have bash installed. Any shell, including zsh, can be used to spawn a compromised bash shell:
zsh ❯ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Fri 26 Sep 2014 12:05:57 BST
To defend against this you should patch, uninstall or disable any redundant versions of bash.
You could disable the system bash install with chmod:
$ chmod a-x /bin/bash
However, it is common for scripts to explicitly call bash. Scripts that do this, and those that use bash-specific scripting features, will fail if bash is not available. Patching is the best solution.
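The checks discussed in the answers above, combined into one script as an added example (it is not part of any of the original answers): it runs the CVE-2014-6271 test string from this page against each shell it finds and lists commands whose interpreter line names bash, which is how a zsh user still ends up running bash. The function names and the list of shells are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original answers.

# classify_probe OUTPUT: interpret the output of the page's test command.
classify_probe() {
    case $1 in
        *vulnerable*) echo "vulnerable" ;;      # the trailing command was executed
        *hello*)      echo "not vulnerable" ;;  # only the intended command ran
        *)            echo "inconclusive" ;;    # the shell did not run the command
    esac
}

# probe_shell SHELL: run the CVE-2014-6271 test string against SHELL.
probe_shell() {
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "missing"
        return 0
    fi
    # stderr is dropped: a patched bash prints its warnings there.
    classify_probe "$(env x='() { :;}; echo vulnerable' "$1" -c 'echo hello' 2>/dev/null)"
}

# bash_scripts DIR: list regular files in DIR whose interpreter line names bash
# (#!/bin/bash, #!/usr/bin/env bash, ...). These commands start bash even when
# the interactive shell is zsh.
bash_scripts() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        if head -n 1 "$f" 2>/dev/null |
            LC_ALL=C grep -Eq '^#! *[^ ]*/(env +)?bash( |$)'; then
            echo "$f"
        fi
    done
}

# report: probe each shell in the (assumed) list, then scan every PATH directory.
report() {
    for s in sh bash zsh dash ksh; do
        printf '%-5s %s\n' "$s" "$(probe_shell "$s")"
    done
    old_ifs=$IFS; IFS=:
    for d in $PATH; do bash_scripts "${d:-.}"; done
    IFS=$old_ifs
}
```

Source the file and call `report`; a "not vulnerable" result covers only the original CVE-2014-6271 test shown on this page.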