Date: Friday, February 7, 2020 @ 19:54:06 Author: eschwartz Revision: 563757
upgpkg: ksh 2020.0.0-2: backport security patch
Added: ksh/trunk/CVE-2019-14868.patch
Modified: ksh/trunk/PKGBUILD
----------------------+
CVE-2019-14868.patch | 94 +++++++++++++++++++++++++++++++++++++++++++++++++
PKGBUILD | 13 ++++--
2 files changed, 103 insertions(+), 4 deletions(-)
Added: CVE-2019-14868.patch
===================================================================
--- CVE-2019-14868.patch (rev 0)
+++ CVE-2019-14868.patch 2020-02-07 19:54:06 UTC (rev 563757)
@@ -0,0 +1,94 @@
+From c5ed0136a7b6727332ed1ac598c176a5e0087683 Mon Sep 17 00:00:00 2001
+From: Kurtis Rader <[email protected]>
+Date: Thu, 12 Dec 2019 18:46:50 -0800
+Subject: [PATCH] Harden env var imports
+
+(cherry picked from commit c7de8b641266bac7c77942239ac659edfee9ecd2)
+---
+ src/cmd/ksh93/sh/arith.c | 37 ++++++++++++++++++++++-----------
+ src/cmd/ksh93/tests/subshell.sh | 23 ++++++++++++++++++++
+ 2 files changed, 48 insertions(+), 12 deletions(-)
+
+diff --git a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c
+index 5ca3fce4..53eb45ea 100644
+--- a/src/cmd/ksh93/sh/arith.c
++++ b/src/cmd/ksh93/sh/arith.c
+@@ -567,19 +567,32 @@ Sfdouble_t sh_strnum(Shell_t *shp, const char *str, char **ptr, int mode) {
+ char *last;
+
+ if (*str == 0) {
+- if (ptr) *ptr = (char *)str;
+- return 0;
+- }
+- errno = 0;
+- d = number(str, &last, shp->inarith ? 0 : 10, NULL);
+- if (*last) {
+- if (*last != '.' || last[1] != '.') {
+- d = strval(shp, str, &last, arith, mode);
+- Varsubscript = true;
++ d = 0.0;
++ last = (char *)str;
++ } else {
++ d = number(str, &last, shp->inarith ? 0 : 10, NULL);
++ if (*last && !shp->inarith && sh_isstate(shp, SH_INIT)) {
++ // This call is to handle "base#value" literals if we're importing untrusted env vars.
++ d = number(str, &last, 0, NULL);
++ }
++ if (*last) {
++ if (sh_isstate(shp, SH_INIT)) {
++ // Initializing means importing untrusted env vars. Since the string does not appear
++ // to be a recognized numeric literal give up. We can't safely call strval() since
++ // that allows arbitrary expressions which would create a security vulnerability.
++ d = 0.0;
++ } else {
++ if (*last != '.' || last[1] != '.') {
++ d = strval(shp, str, &last, arith, mode);
++ Varsubscript = true;
++ }
++ if (!ptr && *last && mode > 0) {
++ errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str);
++ }
++ }
++ } else if (d == 0.0 && *str == '-') {
++ d = -0.0;
+ }
+- if (!ptr && *last && mode > 0) errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str);
+- } else if (!d && *str == '-') {
+- d = -0.0;
+ }
+ if (ptr) *ptr = last;
+ return d;
+diff --git a/src/cmd/ksh93/tests/subshell.sh b/src/cmd/ksh93/tests/subshell.sh
+index b63a8051..3faba475 100644
+--- a/src/cmd/ksh93/tests/subshell.sh
++++ b/src/cmd/ksh93/tests/subshell.sh
+@@ -856,3 +856,26 @@ for exp in 65535 65536
+ do got=$($SHELL -c 'x=$(printf "%.*c" '$exp' x); print ${#x}' 2>&1)
+ [[ $got == $exp ]] || log_error "large command substitution failed" "$exp" "$got"
+ done
++
++# ==========
++# Verify that importing untrusted env vars does not allow evaluating arbitrary expressions but does
++# recognize all integer literals recognized by ksh.
++expect=8
++actual=$(env SHLVL='7' $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "decimal int literal not recognized" "$expect" "$actual"
++
++expect=14
++actual=$(env SHLVL='013' $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "leading zeros int literal not recognized" "$expect" "$actual"
++
++expect=4
++actual=$(env SHLVL='2#11' $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "base#value int literal not recognized" "$expect" "$actual"
++
++expect=12
++actual=$(env SHLVL='16#B' $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "base#value int literal not recognized" "$expect" "$actual"
++
++expect=1
++actual=$(env SHLVL="2#11+x[\$($bin_echo DANGER WILL ROBINSON >&2)0]" $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "expression allowed on env var import" "$expect" "$actual"
+--
+2.25.0
+
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-02-07 19:24:45 UTC (rev 563756)
+++ PKGBUILD 2020-02-07 19:54:06 UTC (rev 563757)
@@ -2,7 +2,7 @@
 pkgname=ksh
 pkgver=2020.0.0
-pkgrel=1
+pkgrel=2
 pkgdesc="The Original AT&T Korn Shell"
 arch=('x86_64')
 url="http://kornshell.org/"
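Review bot: The rewritten `sh_strnum` body no longer clears errno before calling `number()`: the removed `errno = 0;` line in the arith.c hunk has no counterpart on the new side, neither before the base-10 call nor before the base-0 retry added for SH_INIT. Nothing inside the hunk reads errno afterwards, so this only matters if later code in the function or a caller checks for ERANGE; if it does, a stale errno from an earlier library call would now be misread as an overflow, and restoring `errno = 0;` before the first `number()` call keeps the old contract. The SH_INIT fallback to `d = 0.0` silently discards the imported string, which matches the hardening intent and is covered by the new subshell.sh test, but none of the added tests imports a negative literal, so the `d == 0.0 && *str == '-'` branch is unexercised on the import path. `sh_strnum` begins before the hunk, so whether errno is consumed elsewhere in it cannot be seen here.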
@@ -12,13 +12,16 @@
 provides=('ksh93')
 install=ksh.install
 source=("https://github.com/att/ast/releases/download/${pkgver}/ksh-${pkgver}.tar.xz"{,.asc}
- "https://github.com/att/ast/commit/d89753b5d38482f4a3f17ba3b7d09ab07cfe7419.patch")
+ "https://github.com/att/ast/commit/d89753b5d38482f4a3f17ba3b7d09ab07cfe7419.patch"
+ "CVE-2019-14868.patch")
 sha256sums=('3d6287f9ad13132bf8e57a8eac512b36a63ccce2b1e4531d7a946c5bf2375c63'
 'SKIP'
- '8d10ac086727ef9d1b967e2e973be29792e9a4a8c5f915087aa3a2c44d87403f')
+ '8d10ac086727ef9d1b967e2e973be29792e9a4a8c5f915087aa3a2c44d87403f'
+ '3e28d2cbe4b6d8d4dc40056aaea78099b2dc95017796395e26f05baae1bbffa2')
 b2sums=('29f957c7917d469fe1b322e7ac2c22435c41c226a0d9629d91d81089ab90cb381b578b163be0f424a574663c838f0cfa59357f18dd61381daa4a8d4e383b60eb'
 'SKIP'
- 'bcf521012bb197d234b119dc56ddc068f8ec3e46b6f4c6d82e1043629368bfcabd1a5d360bae702777e5b01914ac70c9edbdce5ee0bba7e9f69916a3c38b1820')
+ 'bcf521012bb197d234b119dc56ddc068f8ec3e46b6f4c6d82e1043629368bfcabd1a5d360bae702777e5b01914ac70c9edbdce5ee0bba7e9f69916a3c38b1820'
+ 'de3e7fd86fb5bddfd85074d1337794a5777c2537baf5d00568beb82ac70ca2d5d6d47902d8ebe5cb32194d426172fbbfba6b4e511013209f0f3aaeec9e07a866')
 validpgpkeys=('4BF045ACC726FE4E9DFC1D7762213CE2D3CB82EA') # Siteshwar Vashisht <[email protected]>
 export NINJA=/usr/bin/samu
@@ -28,6 +31,8 @@
 # ignore test error on non-debug builds: https://github.com/att/ast/issues/1390
 patch -p1 -i ../d89753b5d38482f4a3f17ba3b7d09ab07cfe7419.patch
+ # CVE-2019-14868
+ patch -p1 -i ../CVE-2019-14868.patch
 }
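Review bot: The `# CVE-2019-14868` comment added before the second `patch` call in the `@@ -28,6 +31,8 @@` hunk records only the CVE id, while the patch file itself (added on this page) says which upstream commit it was cherry-picked from; naming that here keeps the backport traceable when the patch is dropped on the next upstream release. Suggested wording: `# CVE-2019-14868: backport of upstream c7de8b641266bac7c77942239ac659edfee9ecd2 ("Harden env var imports")`. The line above it applies the other patch with only an issue URL for context, so the same one-line provenance style would suit both. The enclosing function starts before the hunk.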
