CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2020/02/21 11:21:23
Modified files:
bin/ksh : var.c
Log message:
Enforce that TMOUT is an integer literal to prevent command execution from
the environment at shell initialization time. During startup, ksh calls
'eval typeset -i TMOUT="${TMOUT:-0}"', which allows command injection via
arithmetic expansion, e.g., by setting TMOUT to 'x[`/bin/echo Hi >&2`]'.
Problem noted by Andras Farkas and tj, inspired by a similar issue in
AT&T's ksh. Tested in snaps for two weeks.
"go for it" deraadt
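The failure mode described in the log message, with the kind of check the fix enforces, as an added shell example. This is not OpenBSD's code and not the var.c change itself; it assumes the accepted form of TMOUT is an unsigned run of decimal digits, and the two inputs are constructed here.

```shell
#!/bin/sh
# Added example (not OpenBSD ksh code): validating an environment-supplied
# TMOUT before it can reach an arithmetic context.

# The pre-fix ksh startup did, in effect:
#   eval typeset -i TMOUT="${TMOUT:-0}"
# Under `typeset -i` the value is evaluated as an arithmetic expression, and
# an array subscript in that expression may hold a command substitution, so
#   TMOUT='x[`/bin/echo Hi >&2`]'
# runs /bin/echo when the shell starts. Nothing below ever evaluates the
# value; it is only pattern-matched.

# is_int_literal STRING: succeed only for a non-empty run of ASCII digits.
# Assumption: unsigned decimal is the accepted form; signs, whitespace and
# any arithmetic syntax are rejected.
is_int_literal() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# safe_tmout VALUE: print VALUE if it is an integer literal, otherwise 0,
# the same fallback the original "${TMOUT:-0}" used for an unset variable.
safe_tmout() {
    if is_int_literal "$1"; then
        printf '%s\n' "$1"
    else
        printf '0\n'
    fi
}

# Constructed inputs: a plain timeout and the injection string from the
# commit message.
GOOD=600
EVIL='x[`/bin/echo Hi >&2`]'

# Sanitise whatever the environment handed us; no eval is involved, so the
# EVIL string above cannot run anything even if it arrived in $TMOUT.
SAFE_TMOUT=$(safe_tmout "${TMOUT:-0}")

printf 'good input -> %s\n' "$(safe_tmout "$GOOD")"   # 600
printf 'evil input -> %s\n' "$(safe_tmout "$EVIL")"   # 0, and no "Hi" on stderr
printf 'environment TMOUT -> %s\n' "$SAFE_TMOUT"
```

The `case` pattern is deliberately stricter than "whatever `typeset -i` accepts": anything that is not purely digits falls back to 0, which is the only behaviour a startup file should want from an attacker-controlled environment variable.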