Re: ksh / CVE-2019-14868



Hi

One more note. The command will be executed as the authenticated user.
So there is no privilege escalation.
But this may be used in combination with some privilege escalation though.

// Ola

On Mon, 13 Jul 2020 at 10:37, Ola Lundqvist <ola@inguza.com> wrote:
>
> Hi
>
> An attack is possible in the following cases:
> 1) The attacker can login
> 2) The attacker is not supposed to execute any command, just run the
> command that uses ksh as interpreter.
> 3) The attacker can trick ksh to import environment variables from the
> attacker (for example in a login shell like provided through ssh)
>
> I'd say that this is a rather rare case, but sure fixing it is better
> than not to.
>
> Github is up now but essentially the patch does what the description of
> the vulnerability says. It only allows integers.
>
> Best regards
>
> // Ola
>
> On Mon, 13 Jul 2020 at 09:55, Sylvain Beucler <beuc@beuc.net> wrote:
> >
> > Hi,
> >
> > On 13/07/2020 00:01, Brian May wrote:
> > > Is dla-needed.txt for Jessie or Stretch now?
> >
> > Stretch.
> >
> > > ksh was removed from dla-needed.txt for Stretch and classified "minor":
> > >
> > > https://salsa.debian.org/security-tracker-team/security-tracker/commit/87322fcf
> > >
> > > Then it was added again:
> > >
> > > https://salsa.debian.org/security-tracker-team/security-tracker/commit/59a9cd9dca3afc830fea869d12baf2f3d7c21126
> > >
> > > Should we mark it as ignored in Stretch also? Or maybe the reason (as
> > > given in the commit message when ksh was first removed) was wrong?
> > >
> > > https://salsa.debian.org/security-tracker-team/security-tracker/commit/b72cc677e719d37f5f3378d616d9cb53315db927
> >
> > github is currently down, so I can't review the patch, but it sounds
> > like we don't know for sure the full impact of the vulnerability and
> > would be better off fixing it.
> >
> > Cheers!
> > Sylvain
> >
>
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
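The thread describes the fix as "it only allows integers": a value that reaches ksh from the environment and is about to be evaluated arithmetically must be a plain integer, nothing else. The script below is an added illustration of that principle, written as POSIX sh; it is not the ksh patch, nor code posted by anyone in this thread, and the function names (is_integer, import_int, checked_arith) and the TIMEOUT variable are made up for the example. The reason the check matters is that ksh and bash evaluate array subscripts inside arithmetic, so an untrusted string such as a[$(cmd)] placed into $((...)) runs cmd; rejecting anything that is not a signed run of digits before the shell parses the expression closes that path.

```shell
#!/bin/sh
# Added example (not from the ksh patch or this thread): accept a value for
# arithmetic use only when it is a plain integer, so that shell syntax
# hidden in the value (e.g. a command substitution inside an array
# subscript) is never handed to the arithmetic parser.

# is_integer VALUE: succeed only for an optionally signed run of digits.
is_integer() {
    _v=$1
    case $_v in
        -*|+*) _v=${_v#?} ;;        # strip a single leading sign
    esac
    case $_v in
        ''|*[!0-9]*) return 1 ;;    # empty, or contains a non-digit
        0[0-9]*) return 1 ;;        # no leading zeros: shells read them as octal
        *) return 0 ;;
    esac
}

# import_int NAME DEFAULT: print the value of environment variable NAME if
# it is an integer, otherwise DEFAULT. NAME itself is checked to be an
# identifier before it is interpolated into eval.
import_int() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    eval "_val=\${$1-}"             # the value is never re-parsed here
    if is_integer "$_val"; then
        printf '%s\n' "$_val"
    else
        printf '%s\n' "$2"
    fi
}

# checked_arith LEFT OP RIGHT: evaluate a binary expression only after both
# operands pass is_integer and OP is one of + - * / %. Division by zero
# is refused rather than left to the shell.
checked_arith() {
    is_integer "$1" && is_integer "$3" || return 1
    case $2 in
        +|-|'*'|/|%) ;;
        *) return 1 ;;
    esac
    if [ "$2" = / ] || [ "$2" = % ]; then
        [ $(( $3 )) -ne 0 ] || return 1   # safe: $3 already validated
    fi
    echo $(( $1 $2 $3 ))
}

# Stand-alone demonstration with constructed inputs (assumed names).
main() {
    TIMEOUT=30 import_int TIMEOUT 10                  # 30
    TIMEOUT='a[$(id)]' import_int TIMEOUT 10          # 10: value rejected unevaluated
    checked_arith 6 '*' 7                             # 42
    checked_arith 'a[$(id)]' + 1 || echo "rejected"   # rejected
}

main "$@"
```

The validation is deliberately a character-class match rather than an arithmetic probe: testing a value with $((...)) to see whether it "looks numeric" would already evaluate it, which is exactly the step the check exists to prevent.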