2014-10-03 21:46 GMT+02:00 Thorsten Glaser <[email protected]>:
>
> Hi everyone,
>
> let me quote from what I wrote for the website:
>
> The MirBSD Korn Shell has got a new security and maintenance
> release.
>
> This release fixes one mksh(1)-specific issue when importing
> values from the environment. The issue has been detected by the
> main developer during careful code review, looking at whether the
> shell is affected by the recent “shellshock” bugs in GNU bash,
> many of which also affect AT&T ksh93. (The answer is: no, none of
> these bugs affects mksh.) Stephane Chazelas kindly provided me
> with an in-depth look at how this can be exploited. The issue has
> not got a CVE identifier because it was identified as low-risk.
> The problem here is that the environment import filter mistakenly
> accepted variables named “FOO+” (for any FOO), which are, by
> general environ(7) syntax, distinct from “FOO”, and treated
> them as appending to the value of “FOO”. An attacker who already
> had access to the environment could so append values to parameters
> passed through programs (including sudo(8) or setuid) to shell
> scripts, including indirectly, after those programs intended to
> sanitise the environment, e.g. invalidating the last $PATH
> component. It could also be used to circumvent sudo’s environment
> filter which protected against the vulnerability of an unpatched
> GNU bash being exploited.
>
> tl;dr: mksh not affected by any shellshock bugs, but we found
> a bug of our own, with low impact, which does not affect any other
> shell, during careful code review. Please do update to mksh R50c
> quickly.
>
> Users’ upgrade caveats:
>
> R50c: $RANDOM is no longer exported. Field splitting has improved.
> This version fixes one security issue of low importance
> (details) which is mksh-specific, and mksh is not vulnerable
> to all those GNU bash bugs, some of which affect AT&T ksh93 as
> well.
>
> Packagers’ upgrade notes:
>
> R50c: New HAVE_ISSETUGID define. The example Debian
> /etc/skel/.mkshrc moved. Security release. Details.
>
> Changelog:
>
> R50c is a security fix release:
> * [tg] Know more rare signals when generating sys_signame[]
>   replacement
> * [tg] OpenBSD sync (mostly RCSID only)
> * [tg] Document HISTSIZE limit; found by luigi_345 on IRC
> * [zacts] Fix link to Debian .mkshrc
> * [tg] Cease exporting $RANDOM (Debian #760857)
> * [tg] Fix C99 compatibility
> * [tg] Work around klibc bug causing a coredump (Debian #763842)
> * [tg] Use issetugid(2) as additional check if we are
>   FPRIVILEGED
> * [tg] SECURITY: do not permit += from environment
> * [tg] Fix more field splitting bugs reported by Stephane
>   Chazelas and mikeserv; document current status wrt. ambiguous
>   ones as testcases too
>
> bye,
> //mirabilos

Hi,

Thanks for the clarification about shellshock bugs.

For FreeBSD users, diff [1] is available in our bug tracker. It's waiting for maintainer feedback.

[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194127

Regards

> --
> 18:47⎜<mirabilos:#!/bin/mksh> well channels… you see, I see everything in the
> same window anyway 18:48⎜<xpt:#!/bin/mksh> i know, you have some kind of
> telnet with automatic pong 18:48⎜<mirabilos:#!/bin/mksh> haha, yes :D
> 18:49⎜<mirabilos:#!/bin/mksh> though that's more tinyirc – sirc is more comfy

--
olivier
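The announcement quoted above describes an import filter that accepted names of the form "FOO+" and treated them as an append to "FOO". As an added example (not mksh's code and not part of this thread), here is a strict environment scrubber a privileged wrapper could run before starting a shell script; the names classify_env and scrub_env are hypothetical, and the rule assumed is that a name must match [A-Za-z_][A-Za-z0-9_]* and be followed directly by "=".

```c
#include <stdio.h>
#include <stddef.h>

enum env_class { ENV_OK, ENV_APPEND_FORM, ENV_BAD_NAME };

static int name_start(unsigned char c) {
    return c == '_' || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}
static int name_char(unsigned char c) {
    return name_start(c) || (c >= '0' && c <= '9');
}

/* Classify one "NAME=VALUE" string from environ (hypothetical helper). */
enum env_class classify_env(const char *entry) {
    size_t n = 0;
    if (!name_start((unsigned char)entry[0]))
        return ENV_BAD_NAME;
    while (name_char((unsigned char)entry[n]))
        n++;
    if (entry[n] == '=')
        return ENV_OK;              /* plain FOO=value */
    if (entry[n] == '+' && entry[n + 1] == '=')
        return ENV_APPEND_FORM;     /* FOO+=value: a distinct name, never an append */
    return ENV_BAD_NAME;            /* no '=', or other characters in the name */
}

/* Compact envp in place, keeping only ENV_OK entries; returns the number dropped. */
size_t scrub_env(char **envp) {
    size_t kept = 0, dropped = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (classify_env(envp[i]) == ENV_OK)
            envp[kept++] = envp[i];
        else
            dropped++;
    }
    envp[kept] = NULL;
    return dropped;
}

int main(void) {
    /* Constructed sample environment, not taken from the thread. */
    char *env[] = { "PATH=/usr/bin:/bin", "PATH+=:/tmp/x", "HOME=/root", "1BAD=x", NULL };
    size_t dropped = scrub_env(env);
    printf("dropped %zu entries\n", dropped);
    for (size_t i = 0; env[i] != NULL; i++)
        printf("kept: %s\n", env[i]);
    return 0;
}
```

Keeping ENV_APPEND_FORM as its own class lets a caller log that shape separately from other malformed names.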
