Does the Shellshock bug affect ZSH?
No, it doesn't affect ZSH.
You still MUST update bash as most of the system scripts are written for bash and vulnerable to the shellshock bug.
To test your ZSH do this:
env x='() { :;}; echo vulnerable' zsh -c 'echo hello'
What exactly does this code do?
- env x='() { :;}; echo vulnerable' creates an environment variable with a known bug, using a command at the end of the variable
- zsh -c 'echo hello' launches the ZSH shell with a simple hello (and evaluates all env variables, including x)
If you see output:
vulnerable
hello
Then your ZSH is vulnerable. Mine (5.0.2) is not:
$ env x='() { :;}; echo vulnerable' zsh -c 'echo hello'
hello
From this link:
You can determine if you are vulnerable to the original problem in CVE-2014-6271 by executing this test:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
If you see the word vulnerable in the output of that command your bash is vulnerable and you should update. Below is a vulnerable version from OS X 10.8.5:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello
The following output is an example of a non-vulnerable bash version.
$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
The binary is not affected
It does not affect zsh as the shell executable, because its source code never contained the error.
There are many similarities between bash and zsh, but they were implemented independently from each other. The same feature is implemented in two different ways, and - more important in this context - usually with different errors.
But the interactive use is
Indirectly it does affect working interactively with the zsh shell in a terminal almost as much as working with bash.
The use of bash is just so common that one can hardly avoid calling it.
Too many uses to avoid
- scripts you know and expect to use zsh, but actually contain bash.
- lots of shell scripts that use #!/bin/bash to specify bash as the interpreter.
- lots of commands that you assume are binaries, but are shell scripts, some of them using bash.
- in many places where a shell is executed explicitly, bash may be used, and possibly required.
  - like complex xargs commands, or git aliases involving arguments
- default shells of terminal emulators
- shell of users you sudo to
- etc.
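One way to measure how much bash sits behind a zsh session, as an added example that is not part of the answers above: it lists the executables in a directory whose shebang runs bash, directly or through env. The function names and the scratch-directory files are constructed for illustration; run it with sh or bash, since it relies on sh word splitting.

```shell
#!/bin/sh
# Added example (POSIX sh): list commands whose shebang hands control to bash.

# shebang_interp FILE: print the interpreter's basename, or fail if no shebang.
shebang_interp() {
    line=$(head -c 256 "$1" 2>/dev/null | tr -d '\000\r' | head -n 1)
    case $line in '#!'*) ;; *) return 1 ;; esac
    set -f                       # no globbing while splitting the shebang
    set -- ${line#'#!'}          # words: interpreter, then its arguments
    set +f
    [ $# -gt 0 ] || return 1
    if [ "${1##*/}" = env ]; then
        shift
        # Skip env options (-S, -i, ...) and VAR=value assignments.
        while [ $# -gt 0 ]; do
            case $1 in -*|*=*) shift ;; *) break ;; esac
        done
        [ $# -gt 0 ] || return 1
    fi
    printf '%s\n' "${1##*/}"
}

# list_bash_scripts DIR...: print executable files in each DIR run by bash.
list_bash_scripts() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            interp=$(shebang_interp "$f") || continue
            [ "$interp" = bash ] && printf '%s\n' "$f"
        done
    done
    return 0
}

# Constructed sample: a scratch directory with three fake commands.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '#!/bin/bash\necho hi\n'         > "$demo_dir/deploy"
printf '#!/usr/bin/env -S bash -e\n:\n' > "$demo_dir/backup"
printf '#!/bin/zsh\necho hi\n'          > "$demo_dir/prompt"
chmod +x "$demo_dir"/*
list_bash_scripts "$demo_dir"   # on a real host pass /usr/bin, /usr/local/bin, ...
```

A #!/bin/sh script also runs bash on systems where /bin/sh is bash, so check what /bin/sh resolves to as well.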