
Re: ksh / CVE-2019-14868



Hi again

Ah one more thing. In the jessie version (I was the one marking it as
ignored) I concluded that any arithmetic expression could be executed
but not any expression. This means that you could run for example
10+4+5 (evaluated to 19) but not $(/bin/bash). I suggest checking if
the stretch version has the same conclusion. Because if that is the
case, there is no point in fixing it.

// Ola

On Mon, 13 Jul 2020 at 10:39, Ola Lundqvist <ola@inguza.com> wrote:
>
> Hi
>
> One more note. The command will be executed as the authenticated user.
> So there is no privilege escalation.
> But this may be used in combination with some privilege escalation though.
>
> // Ola
>
> On Mon, 13 Jul 2020 at 10:37, Ola Lundqvist <ola@inguza.com> wrote:
> >
> > Hi
> >
> > An attack is possible in the following cases:
> > 1) The attacker can log in
> > 2) The attacker is not supposed to execute any command, just run the
> > command that uses ksh as interpreter.
> > 3) The attacker can trick ksh to import environment variables from the
> > attacker (for example in a login shell like provided through ssh)
> >
> > I'd say that this is a rather rare case, but sure fixing it is better
> > than not to.
> >
> > GitHub is up now but essentially the patch does what the description of
> > the vulnerability tells. It only allows integers.
> >
> > Best regards
> >
> > // Ola
> >
> > On Mon, 13 Jul 2020 at 09:55, Sylvain Beucler <beuc@beuc.net> wrote:
> > >
> > > Hi,
> > >
> > > On 13/07/2020 00:01, Brian May wrote:
> > > > Is dla-needed.txt for Jessie or Stretch now?
> > >
> > > Stretch.
> > >
> > > > ksh was removed from dla-needed.txt for Stretch and classified "minor":
> > > >
> > > > https://salsa.debian.org/security-tracker-team/security-tracker/commit/87322fcf
> > > >
> > > > Then it was added again:
> > > >
> > > > https://salsa.debian.org/security-tracker-team/security-tracker/commit/59a9cd9dca3afc830fea869d12baf2f3d7c21126
> > > >
> > > > Should we mark it as ignored in Stretch also? Or maybe the reason (as
> > > > given in the commit message when ksh was first removed) was wrong?
> > > >
> > > > https://salsa.debian.org/security-tracker-team/security-tracker/commit/b72cc677e719d37f5f3378d616d9cb53315db927
> > >
> > > GitHub is currently down, so I can't review the patch, but it sounds
> > > like we don't know for sure the full impact of the vulnerability and
> > > would be better off fixing it.
> > >
> > > Cheers!
> > > Sylvain
> > >
> >
> >
> > --
> >  --- Inguza Technology AB --- MSc in Information Technology ----
> > |  ola@inguza.com                    opal@debian.org            |
> > |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
> >  ---------------------------------------------------------------
>
>
>



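The difference the thread describes, between importing an environment value as an arithmetic expression and accepting only an integer, is shown below as an added example; it is not part of the original messages and is not the ksh patch. Both function names are hypothetical, and the permissive variant models only `+` between decimal terms.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical permissive import: the value is treated as an arithmetic
 * expression (only '+' between decimal terms is modelled here). */
bool import_as_arithmetic(const char *val, long *out)
{
    long sum = 0;
    for (const char *p = val;;) {
        char *end;
        errno = 0;
        long term = strtol(p, &end, 10);
        if (end == p || errno == ERANGE) return false;   /* no usable term */
        if ((term > 0 && sum > LONG_MAX - term) ||
            (term < 0 && sum < LONG_MIN - term)) return false; /* overflow */
        sum += term;
        if (*end == '\0') break;
        if (*end != '+') return false;                   /* unsupported operator */
        p = end + 1;
    }
    *out = sum;
    return true;
}

/* Hypothetical strict import: optional sign, then digits, then end of string.
 * Operators, whitespace, empty values and out-of-range numbers are rejected. */
bool import_as_integer(const char *val, long *out)
{
    const char *p = val;
    if (*p == '+' || *p == '-') p++;
    if (*p < '0' || *p > '9') return false;
    char *end;
    errno = 0;
    long n = strtol(val, &end, 10);
    if (errno == ERANGE || *end != '\0') return false;   /* trailing text */
    *out = n;
    return true;
}

int main(void)
{
    /* Constructed sample values; the first and third appear in the thread. */
    const char *samples[] = { "10+4+5", "19", "$(/bin/bash)", "-3", " 19" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        long a = 0, s = 0;
        bool pa = import_as_arithmetic(samples[i], &a);
        bool ps = import_as_integer(samples[i], &s);
        printf("%-14s arithmetic=%s strict=%s\n", samples[i],
               pa ? "accepted" : "rejected", ps ? "accepted" : "rejected");
    }
    return 0;
}
```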

