Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id
<43535efb498a168cf81452ca0c326f004f46adc6.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #964986,
regarding buster-pu: package ksh/93u+20120801-3.4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
964986: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964986
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], [email protected]
[ Reason ]
Summary of the issue: In ksh version 20120801, a flaw was found in the
way it evaluates certain environment variables. An attacker could use
this flaw to override or bypass environment restrictions to execute
shell commands.
[ Impact ]
Services and applications that allow remote unauthenticated
attackers to provide one of those environment variables could allow them
to exploit this issue remotely, although the risk is deemed low.
[ Tests ]
There is a test included in the diff that was used to validate the
fix. Also, the regression test suite was run to make sure there were
no regressions.
[ Risks ]
The regression test suite has been run before and after the patch to
confirm no new regressions. Also, the fix is applied in unstable with no
new issues reported.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
* Patch to arith.c that fixes the CVE
* Test case for the fix
[ Other info ]
This was brought up to the security team first, and it was deemed that a
DSA is not required by Salvatore Bonaccorso.
Anuradha
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
diff -Nru ksh-93u+20120801/debian/changelog ksh-93u+20120801/debian/changelog
--- ksh-93u+20120801/debian/changelog 2018-12-14 02:26:58.000000000 -0500
+++ ksh-93u+20120801/debian/changelog 2020-07-12 11:26:07.000000000 -0400
@@ -1,3 +1,15 @@
+ksh (93u+20120801-4+deb10u1) buster-security; urgency=high
+
+ * Fix for CVE-2019-14868: in ksh version 20120801, a flaw was found
+ in the way it evaluates certain environment variables. An attacker
+ could use this flaw to override or bypass environment restrictions
+ to execute shell commands. Services and applications that allow
+ remote unauthenticated attackers to provide one of those
+ environment variables could allow them to exploit this issue
+ remotely. (Closes: #948989)
+
+ -- Anuradha Weeraman <[email protected]> Sun, 12 Jul 2020 11:26:07 -0400
+
ksh (93u+20120801-3.4) unstable; urgency=medium
[ Boyuan Yang ]
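Review bot: the new changelog stanza targets `buster-security`, but this is a buster-pu request and [ Other info ] says the security team did not want a DSA, so the distribution should be `buster` for a point-release upload. The version `93u+20120801-4+deb10u1` also does not derive from the stanza directly below it (and the bug title), where the buster version is `93u+20120801-3.4`; the usual stable-update form is `93u+20120801-3.4+deb10u1`, so please double-check the chosen version sorts where intended relative to unstable.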
diff -Nru ksh-93u+20120801/debian/patches/cve-2019-14868.patch
ksh-93u+20120801/debian/patches/cve-2019-14868.patch
--- ksh-93u+20120801/debian/patches/cve-2019-14868.patch 1969-12-31
19:00:00.000000000 -0500
+++ ksh-93u+20120801/debian/patches/cve-2019-14868.patch 2020-07-12
11:26:07.000000000 -0400
@@ -0,0 +1,97 @@
+Description: CVE-2019-14868
+ Certain environment variables were interpreted as arithmetic
+ expressions on startup, leading to code injection.
+Bug-Debian: https://bugs.debian.org/948989
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1757324
+Author: Kurtis Rader <[email protected]>
+Origin:
https://github.com/ksh93/ksh/commit/593a5a8b7f272c2488c8a800820ae990942946e7
+Date: 2020-05-21
+
+diff --git a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c
+index b1059421..6361431b 100644
+--- a/src/cmd/ksh93/sh/arith.c
++++ b/src/cmd/ksh93/sh/arith.c
+@@ -513,21 +513,36 @@ Sfdouble_t sh_strnum(register const char *str, char**
ptr, int mode)
+ char base=(shp->inarith?0:10), *last;
+ if(*str==0)
+ {
+- if(ptr)
+- *ptr = (char*)str;
+- return(0);
+- }
+- errno = 0;
+- d = strtonll(str,&last,&base,-1);
+- if(*last || errno)
+- {
+- if(!last || *last!='.' || last[1]!='.')
+- d = strval(shp,str,&last,arith,mode);
+- if(!ptr && *last && mode>0)
+- errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
++ d = 0.0;
++ last = (char*)str;
++ } else {
++ errno = 0;
++ d = strtonll(str,&last,&base,-1);
++ if (*last && !shp->inarith && sh_isstate(SH_INIT)) {
++ /* This call is to handle "base#value" literals if
we're importing untrusted env vars. */
++ errno = 0;
++ d = strtonll(str, &last, NULL, -1);
++ }
++
++ if(*last || errno)
++ {
++ if (sh_isstate(SH_INIT)) {
++ /*
++ * Initializing means importing untrusted env
vars. The string does not appear to be
++ * a recognized numeric literal, so give up. We
can't safely call strval(), because
++ * that allows arbitrary expressions, causing
security vulnerability CVE-2019-14868.
++ */
++ d = 0.0;
++ } else {
++ if(!last || *last!='.' || last[1]!='.')
++ d = strval(shp,str,&last,arith,mode);
++ if(!ptr && *last && mode>0)
++
errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
++ }
++ } else if (!d && *str=='-') {
++ d = -0.0;
++ }
+ }
+- else if (!d && *str=='-')
+- d = -0.0;
+ if(ptr)
+ *ptr = last;
+ return(d);
+diff --git a/src/cmd/ksh93/tests/variables.sh
b/src/cmd/ksh93/tests/variables.sh
+index 6eec31b6..9ceb2d1b 100755
+--- a/src/cmd/ksh93/tests/variables.sh
++++ b/src/cmd/ksh93/tests/variables.sh
+@@ -674,4 +674,28 @@ level=$($SHELL -c $'$SHELL -c \'print -r "$SHLVL"\'')
+ $SHELL -c 'unset .sh' 2> /dev/null
+ [[ $? == 1 ]] || err_exit 'unset .sh should return 1'
+
++# ======
++# Verify that importing untrusted environment variables does not allow
evaluating
++# arbitrary expressions, but does recognize all integer literals recognized
by ksh.
++
++expect=8
++actual=$(env SHLVL='7' "$SHELL" -c 'echo $SHLVL')
++[[ $actual == $expect ]] || err_exit "decimal int literal not recognized
(expected '$expect', got '$actual')"
++
++expect=14
++actual=$(env SHLVL='013' "$SHELL" -c 'echo $SHLVL')
++[[ $actual == $expect ]] || err_exit "leading zeros int literal not
recognized (expected '$expect', got '$actual')"
++
++expect=4
++actual=$(env SHLVL='2#11' "$SHELL" -c 'echo $SHLVL')
++[[ $actual == $expect ]] || err_exit "base#value int literal not recognized
(expected '$expect', got '$actual')"
++
++expect=12
++actual=$(env SHLVL='16#B' "$SHELL" -c 'echo $SHLVL')
++[[ $actual == $expect ]] || err_exit "base#value int literal not recognized
(expected '$expect', got '$actual')"
++
++expect=1
++actual=$(env SHLVL="2#11+x[\$(env echo Exploited vuln CVE-2019-14868 >&2)0]"
"$SHELL" -c 'echo $SHLVL' 2>&1)
++[[ $actual == $expect ]] || err_exit "expression allowed on env var import
(expected '$expect', got '$actual')"
++
+ exit $((Errors<125?Errors:125))
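Review bot: in the new `sh_isstate(SH_INIT)` branch of `sh_strnum()`, a string that is not a recognized numeric literal is coerced to `d = 0.0` and the `errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,...)` path is no longer reached during environment import, so a merely malformed (not malicious) numeric variable now imports as 0 with no diagnostic; that is the fail-closed choice the inline comment explains, but it is an observable behaviour change worth one sentence in the Debian changelog. The retry `strtonll(str, &last, NULL, -1)` only runs when `*last` is non-empty, `!shp->inarith` and in SH_INIT, so the existing `strval()` path for interactive arithmetic is untouched, which is the right scope. In the added variables.sh cases, the `2#11` and `16#B` checks share the identical message "base#value int literal not recognized"; giving the second its own text makes a failure easier to attribute. Note that the expected values are one higher than the supplied SHLVL because the shell increments it at startup, and the final case captures stderr with `2>&1` so any side-effect output would also break `$actual == $expect`; both are correct as written.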
diff -Nru ksh-93u+20120801/debian/patches/series
ksh-93u+20120801/debian/patches/series
--- ksh-93u+20120801/debian/patches/series 2018-12-14 02:26:58.000000000
-0500
+++ ksh-93u+20120801/debian/patches/series 2020-07-12 11:26:07.000000000
-0400
@@ -7,3 +7,4 @@
ed.patch
0008-Bug-887743-Fix-build-failures-caused-by-update-in-gl.patch
bug915326.patch
+cve-2019-14868.patch
signature.asc
Description: PGP signature
--- End Message ---
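The fix above replaces expression evaluation of imported environment variables with strict literal parsing. The following is an added example, not code from the bug report or from the ksh project, that shows the same principle in isolation: a parser that accepts only decimal (including leading zeros) and ksh-style `base#value` literals and rejects everything else, so no expression is ever evaluated, plus an `import_shlvl()` helper that mirrors the test vectors in the patch (a rejected value counts as 0 and the level is incremented once). The function names, the fail-closed-to-0 rule and the base range 2..36 (the range `strtoll` accepts; ksh's own literal syntax is not reproduced here) are assumptions of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Strict parser for an integer taken from an untrusted environment variable.
 * Accepts only what a numeric literal looks like: an optional '-', then either
 * decimal digits ("7", "013") or a "base#value" literal ("2#11", "16#B").
 * Anything else, including "2#11+x[0]", is rejected outright.
 * Returns 1 and stores the value on success, 0 on rejection.
 * (Example code; the accepted base range 2..36 is an assumption.) */
int parse_untrusted_int(const char *s, long long *out)
{
    const char *p = s;
    char *end;
    long long value;
    int negative = 0;

    if (!s || !*s)
        return 0;                        /* empty: nothing to import */
    if (*p == '-') {                     /* allow one leading sign only */
        negative = 1;
        p++;
    }
    if (!isdigit((unsigned char)*p))
        return 0;                        /* must start with a digit (no whitespace, no '+') */

    errno = 0;
    value = strtoll(p, &end, 10);        /* plain decimal; leading zeros stay decimal */
    if (errno)
        return 0;                        /* overflow is a rejection, not a wraparound */

    if (*end == '#') {                   /* "base#value": digits before '#' are the radix */
        long long base = value;
        const char *digits = end + 1;
        if (base < 2 || base > 36 || !isalnum((unsigned char)*digits))
            return 0;                    /* bad radix, or value part empty/signed/spaced */
        errno = 0;
        value = strtoll(digits, &end, (int)base);
        if (errno || end == digits)
            return 0;                    /* e.g. "2#9": no digit valid in that base */
    }

    if (*end != '\0')
        return 0;                        /* trailing garbage such as "+x[...]" */

    *out = negative ? -value : value;
    return 1;
}

/* Import SHLVL the way a shell does at startup: an unparseable value counts
 * as 0 (fail closed, never evaluated), then the level is incremented once
 * for the new shell. This reproduces the expected values in the patch's tests. */
long long import_shlvl(const char *env_value)
{
    long long level = 0;
    if (!parse_untrusted_int(env_value, &level))
        level = 0;
    return level + 1;
}

int main(void)
{
    /* constructed sample values covering the accepted and rejected forms */
    const char *samples[] = { "7", "013", "2#11", "16#B", "2#11+x[0]", "2#9", "", "abc" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("SHLVL=%-12s -> %lld\n", samples[i], import_shlvl(samples[i]));
    return 0;
}
```

The shape of the check is the point: parse with a function that cannot execute anything, require the parser to consume the entire string, and map any leftover to a harmless default rather than handing the string to an evaluator.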
--- Begin Message ---
Package: release.debian.org
Version: 10.5
Hi,
Each of these bugs relates to an update that was included in today's
stable point release.
Regards,
Adam
--- End Message ---