
Bug#964986: buster-pu: package ksh/93u+20120801-3.4



Hi Anuradha,

[disclaimer: not a member of the release team, so not an authoritative
reply]

On Mon, Jul 13, 2020 at 06:56:27PM -0400, Anuradha Weeraman wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: anuradha@debian.org, carnil@debian.org
> 
> [ Reason ]
> Summary of the issue: In ksh version 20120801, a flaw was found in the
> way it evaluates certain environment variables. An attacker could use
> this flaw to override or bypass environment restrictions to execute
> shell commands.
> 
> [ Impact ]
> Services and applications that allow remote unauthenticated
> attackers to provide one of those environment variables could allow them
> to exploit this issue remotely, although the risk is deemed low.
> 
> [ Tests ]
> There is a test included in the diff that was used to validate the
> fix. Also, the regression test suite was run to make sure there were
> no regressions.
> 
> [ Risks ]
> The regression test suite has been run before and after the patch to
> confirm no new regressions. Also, the fix is applied in unstable with no
> new issues reported.
> 
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
> 
> [ Changes ]
> * Patch to arith.c that fixes the CVE
> * Test case for the fix
> 
> [ Other info ]
> This was brought up to the security team first, and it was deemed that a
> DSA is not required by Salvatore Bonaccorso.

A small change is needed in the debdiff:

> diff -Nru ksh-93u+20120801/debian/changelog ksh-93u+20120801/debian/changelog
> --- ksh-93u+20120801/debian/changelog	2018-12-14 02:26:58.000000000 -0500
> +++ ksh-93u+20120801/debian/changelog	2020-07-12 11:26:07.000000000 -0400
> @@ -1,3 +1,15 @@
> +ksh (93u+20120801-4+deb10u1) buster-security; urgency=high
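
Review bot: the distribution field in this new changelog entry is `buster-security`, but a buster-pu upload for the point release targets `buster`; `buster-security` is reserved for uploads through the security team, and the [Other info] section above states that a DSA was judged unnecessary. The first line should read `ksh (93u+20120801-4+deb10u1) buster; urgency=high`. Please also confirm the base version: the bug subject names 93u+20120801-3.4 as the package in buster, and the stable-update convention is to append `+deb10u1` to the version currently shipped in stable, so if -3.4 is what buster ships, the new version would be 93u+20120801-3.4+deb10u1 rather than -4+deb10u1.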
 
The target distribution would need to be 'buster' in this case, as the
upload is for the point release.

Thanks for your work on this update,

Regards,
Salvatore

