
Re: ksh / CVE-2019-14868



https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 :)

- Sylvain

On 13/07/2020 10:39, Ola Lundqvist wrote:
> Hi
> 
> One more note. The command will be executed as the authenticated user.
> So there is no privilege escalation.
> But this may be used in combination with some privilege escalation though.
> 
> // Ola
> 
> On Mon, 13 Jul 2020 at 10:37, Ola Lundqvist <ola@inguza.com> wrote:
>>
>> Hi
>>
>> An attack is possible in the following cases:
>> 1) The attacker can log in
>> 2) The attacker is not supposed to execute any command, just run the
>> command that uses ksh as interpreter.
>> 3) The attacker can trick ksh into importing environment variables from the
>> attacker (for example in a login shell like provided through ssh)
>>
>> I'd say that this is a rather rare case, but sure fixing it is better
>> than not to.
>>
>> GitHub is up now but essentially the patch does what the description of
>> the vulnerability tells. It only allows integers.
>>
>> Best regards
>>
>> // Ola
>>
>> On Mon, 13 Jul 2020 at 09:55, Sylvain Beucler <beuc@beuc.net> wrote:
>>>
>>> Hi,
>>>
>>> On 13/07/2020 00:01, Brian May wrote:
>>>> Is dla-needed.txt for Jessie or Stretch now?
>>>
>>> Stretch.
>>>
>>>> ksh was removed from dla-needed.txt for Stretch and classified "minor":
>>>>
>>>> https://salsa.debian.org/security-tracker-team/security-tracker/commit/87322fcf
>>>>
>>>> Then it was added again:
>>>>
>>>> https://salsa.debian.org/security-tracker-team/security-tracker/commit/59a9cd9dca3afc830fea869d12baf2f3d7c21126
>>>>
>>>> Should we mark it as ignored in Stretch also? Or maybe the reason (as
>>>> given in the commit message when ksh was first removed) was wrong?
>>>>
>>>> https://salsa.debian.org/security-tracker-team/security-tracker/commit/b72cc677e719d37f5f3378d616d9cb53315db927
>>>
>>> GitHub is currently down, so I can't review the patch, but it sounds
>>> like we don't know for sure the full impact of the vulnerability and
>>> would be better off fixing it.
>>>
>>> Cheers!
>>> Sylvain

