Re: ksh / CVE-2019-14868
Hi
An attack is possible in the following cases:
1) The attacker can login
2) The attacker is not supposed to execute any command, just run the
command that use ksh as interpreter.
3) The attacker can trick ksh to import environment variables from the
attacker (for example in a login shell like provided through ssh)
I'd say that this is a rather rare case, but sure fixing it is better
than not to.
Github is up now but essentially the patch do what the description of
the vulnerability tells. It only allow integers.
Best regards
// Ola
On Mon, 13 Jul 2020 at 09:55, Sylvain Beucler <beuc@beuc.net> wrote:
>
> Hi,
>
> On 13/07/2020 00:01, Brian May wrote:
> > Is dla-needed.txt for Jessie or Stretch now?
>
> Stretch.
>
> > ksh was removed from dla-needed.txt for Stretch and classified "minor":
> >
> > https://salsa.debian.org/security-tracker-team/security-tracker/commit/87322fcf
> >
> > Then it was added again:
> >
> > https://salsa.debian.org/security-tracker-team/security-tracker/commit/59a9cd9dca3afc830fea869d12baf2f3d7c21126
> >
> > Should we mark it as ignored in Stretch also? Or maybe the reason (as
> > given in the commit message when ksh was first removed) was wrong?
> >
> > https://salsa.debian.org/security-tracker-team/security-tracker/commit/b72cc677e719d37f5f3378d616d9cb53315db927
>
> github is currently down, so I can't review the patch, but it sounds
> like we don't know for sure the full impact of the vulnerability and
> would be better off fixing it.
>
> Cheers!
> Sylvain
>
--
--- Inguza Technology AB --- MSc in Information Technology ----
| ola@inguza.com opal@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
Reply to: