Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #964986,
regarding buster-pu: package ksh/93u+20120801-3.4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
964986: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964986
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: buster-pu: package ksh/93u+20120801-3.4
- From: Anuradha Weeraman <anuradha@debian.org>
- Date: Mon, 13 Jul 2020 18:56:27 -0400
- Message-id: <20200713225627.GB816226@ninsei.weeraman.com>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: anuradha@debian.org, carnil@debian.org

[ Reason ]
Summary of the issue: In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands.

[ Impact ]
Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely, although the risk is deemed low.

[ Tests ]
There is a test included in the diff that was used to validate the fix. Also, the regression test suite was run to make sure there were no regressions.

[ Risks ]
The regression test suite has been run before and after the patch to confirm no new regressions. Also, the fix is applied in unstable with no new issues reported.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
* Patch to arith.c that fixes the CVE
* Test case for the fix

[ Other info ]
This was brought up to the security team first, and it was deemed that a DSA is not required by Salvatore Bonaccorso.

Anuradha

-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

diff -Nru ksh-93u+20120801/debian/changelog ksh-93u+20120801/debian/changelog --- ksh-93u+20120801/debian/changelog 2018-12-14 02:26:58.000000000 -0500 +++ ksh-93u+20120801/debian/changelog 2020-07-12 11:26:07.000000000 -0400 
@@ -1,3 +1,15 @@ +ksh (93u+20120801-4+deb10u1) buster-security; urgency=high + + * Fix for CVE-2019-14868: in ksh version 20120801, a flaw was found + in the way it evaluates certain environment variables. An attacker + could use this flaw to override or bypass environment restrictions + to execute shell commands. Services and applications that allow + remote unauthenticated attackers to provide one of those + environment variables could allow them to exploit this issue + remotely. (Closes: #948989) + + -- Anuradha Weeraman <anuradha@debian.org> Sun, 12 Jul 2020 11:26:07 -0400 + ksh (93u+20120801-3.4) unstable; urgency=medium [ Boyuan Yang ] diff -Nru ksh-93u+20120801/debian/patches/cve-2019-14868.patch ksh-93u+20120801/debian/patches/cve-2019-14868.patch --- ksh-93u+20120801/debian/patches/cve-2019-14868.patch 1969-12-31 19:00:00.000000000 -0500 +++ ksh-93u+20120801/debian/patches/cve-2019-14868.patch 2020-07-12 11:26:07.000000000 -0400 
@@ -0,0 +1,97 @@ +Description: CVE-2019-14868 + Certain environment variables were interpreted as arithmetic + expressions on startup, leading to code injection. +Bug-Debian: https://bugs.debian.org/948989 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1757324 +Author: Kurtis Rader <krader@skepticism.us> +Origin: https://github.com/ksh93/ksh/commit/593a5a8b7f272c2488c8a800820ae990942946e7 +Date: 2020-05-21 + +diff --git a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c +index b1059421..6361431b 100644 +--- a/src/cmd/ksh93/sh/arith.c ++++ b/src/cmd/ksh93/sh/arith.c +@@ -513,21 +513,36 @@ Sfdouble_t sh_strnum(register const char *str, char** ptr, int mode) + char base=(shp->inarith?0:10), *last; + if(*str==0) + { +- if(ptr) +- *ptr = (char*)str; +- return(0); +- } +- errno = 0; +- d = strtonll(str,&last,&base,-1); +- if(*last || errno) +- { +- if(!last || *last!='.' || last[1]!='.') +- d = strval(shp,str,&last,arith,mode); +- if(!ptr && *last && mode>0) +- errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str); ++ d = 0.0; ++ last = (char*)str; ++ } else { ++ errno = 0; ++ d = strtonll(str,&last,&base,-1); ++ if (*last && !shp->inarith && sh_isstate(SH_INIT)) { ++ /* This call is to handle "base#value" literals if we're importing untrusted env vars. */ ++ errno = 0; ++ d = strtonll(str, &last, NULL, -1); ++ } ++ ++ if(*last || errno) ++ { ++ if (sh_isstate(SH_INIT)) { ++ /* ++ * Initializing means importing untrusted env vars. The string does not appear to be ++ * a recognized numeric literal, so give up. We can't safely call strval(), because ++ * that allows arbitrary expressions, causing security vulnerability CVE-2019-14868. ++ */ ++ d = 0.0; ++ } else { ++ if(!last || *last!='.' 
|| last[1]!='.') ++ d = strval(shp,str,&last,arith,mode); ++ if(!ptr && *last && mode>0) ++ errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str); ++ } ++ } else if (!d && *str=='-') { ++ d = -0.0; ++ } + } +- else if (!d && *str=='-') +- d = -0.0; + if(ptr) + *ptr = last; + return(d); +diff --git a/src/cmd/ksh93/tests/variables.sh b/src/cmd/ksh93/tests/variables.sh +index 6eec31b6..9ceb2d1b 100755 +--- a/src/cmd/ksh93/tests/variables.sh ++++ b/src/cmd/ksh93/tests/variables.sh +@@ -674,4 +674,28 @@ level=$($SHELL -c $'$SHELL -c \'print -r "$SHLVL"\'') + $SHELL -c 'unset .sh' 2> /dev/null + [[ $? == 1 ]] || err_exit 'unset .sh should return 1' + ++# ====== ++# Verify that importing untrusted environment variables does not allow evaluating ++# arbitrary expressions, but does recognize all integer literals recognized by ksh. ++ ++expect=8 ++actual=$(env SHLVL='7' "$SHELL" -c 'echo $SHLVL') ++[[ $actual == $expect ]] || err_exit "decimal int literal not recognized (expected '$expect', got '$actual')" ++ ++expect=14 ++actual=$(env SHLVL='013' "$SHELL" -c 'echo $SHLVL') ++[[ $actual == $expect ]] || err_exit "leading zeros int literal not recognized (expected '$expect', got '$actual')" ++ ++expect=4 ++actual=$(env SHLVL='2#11' "$SHELL" -c 'echo $SHLVL') ++[[ $actual == $expect ]] || err_exit "base#value int literal not recognized (expected '$expect', got '$actual')" ++ ++expect=12 ++actual=$(env SHLVL='16#B' "$SHELL" -c 'echo $SHLVL') ++[[ $actual == $expect ]] || err_exit "base#value int literal not recognized (expected '$expect', got '$actual')" ++ ++expect=1 ++actual=$(env SHLVL="2#11+x[\$(env echo Exploited vuln CVE-2019-14868 >&2)0]" "$SHELL" -c 'echo $SHLVL' 2>&1) ++[[ $actual == $expect ]] || err_exit "expression allowed on env var import (expected '$expect', got '$actual')" ++ + exit $((Errors<125?Errors:125)) diff -Nru ksh-93u+20120801/debian/patches/series ksh-93u+20120801/debian/patches/series --- ksh-93u+20120801/debian/patches/series 2018-12-14 
02:26:58.000000000 -0500 +++ ksh-93u+20120801/debian/patches/series 2020-07-12 11:26:07.000000000 -0400 @@ -7,3 +7,4 @@ ed.patch 0008-Bug-887743-Fix-build-failures-caused-by-update-in-gl.patch bug915326.patch +cve-2019-14868.patchAttachment: signature.asc
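Review bot: the debian/changelog hunk targets "buster-security; urgency=high" and versions the upload as 93u+20120801-4+deb10u1, but this is a buster-pu request for which, per the [ Other info ] section, the security team decided no DSA is needed. A point-release upload should use the "buster" distribution, and since the bug title names 93u+20120801-3.4 as the buster package, the version should continue from it (93u+20120801-3.4+deb10u1) so it sorts below whatever unstable carries and the changelog history stays linear; "urgency=high" is also irrelevant for proposed-updates and can be dropped.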
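Review bot: in the arith.c hunk the new guard is `sh_isstate(SH_INIT)`, which gates every sh_strnum() caller while the shell is initialising, not only the import of environment variables that the in-code comment ("Initializing means importing untrusted env vars") assumes; please confirm that nothing else parsed while SH_INIT is set relies on strval(), otherwise those values will now silently become 0.0 as well. The fallback itself (an unparseable imported value becomes 0.0 with no diagnostic, where `errormsg(... e_lexbadchar ...)` used to fire for mode>0) is the intended hardening, but it is a user-visible behaviour change and deserves a sentence in the changelog entry alongside the CVE description.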
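Review bot: in the variables.sh hunk, the case `SHLVL='013'` with `expect=14` encodes that a leading-zero literal is parsed as decimal 13 rather than octal 11; that is the behaviour the arith.c change preserves, but a one-line comment stating it would stop a future reader from "fixing" the expected value. All five cases assume the child shell increments SHLVL exactly once, which matches the existing `level=$(...)` check above them, and the final case correctly merges stderr with `2>&1` so any output from an evaluated expression would change `$actual` and fail the comparison.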
Description: PGP signature
--- End Message ---
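The patch above replaces expression evaluation with a strict literal parse when ksh imports environment variables. The following is an added, stand-alone illustration of that rule, written for this page and not taken from the bug report or from ksh's own arith.c: it accepts only the literal forms the patch's variables.sh test exercises (decimal, decimal with leading zeros, base#value, with an optional sign) and returns 0 for anything else, the same fallback the fix uses instead of calling strval(). The function names (`parse_untrusted_int`, `is_int_literal`, `int_or_zero`) and the 2..36 base limit are this example's own assumptions; ksh's real strtonll() accepts more bases.

```c
/*
 * Added example, not part of the Debian bug report or the ksh patch:
 * a parse-don't-evaluate integer reader for untrusted environment values,
 * modelled on the behaviour the CVE-2019-14868 fix enforces at startup.
 * Names and the base range are assumptions made for this example.
 */
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Value of one digit character in bases up to 36, or -1 if it is not a digit. */
static int digit_value(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'z') return c - 'a' + 10;
    if (c >= 'A' && c <= 'Z') return c - 'A' + 10;
    return -1;
}

/*
 * Consume the whole of s as unsigned digits in the given base.
 * Returns 1 on success; 0 if s is empty, contains a non-digit for that
 * base (an operator, bracket, '$', space, ...) or would overflow.
 */
static int parse_digits(const char *s, long long base, long long *out)
{
    long long v = 0;
    if (*s == '\0') return 0;
    for (; *s != '\0'; s++) {
        int d = digit_value((unsigned char)*s);
        if (d < 0 || d >= base) return 0;          /* anything that is not a digit: reject */
        if (v > (LLONG_MAX - d) / base) return 0;  /* v * base + d would overflow */
        v = v * base + d;
    }
    *out = v;
    return 1;
}

/*
 * Strict literal parser for an untrusted environment value.
 * Accepts [-+]digits (leading zeros stay decimal, as the patch's test expects)
 * and [-+]base#digits with base 2..36 (assumed limit for this example).
 * Returns 1 and stores the value, or returns 0 and stores 0, mirroring the
 * fix's "give up, d = 0.0" path instead of evaluating an expression.
 */
int parse_untrusted_int(const char *s, long long *out)
{
    long long base = 10, v = 0;
    int neg = 0;
    const char *hash;

    *out = 0;
    if (s == NULL || *s == '\0') return 0;
    if (*s == '-' || *s == '+') {
        neg = (*s == '-');
        s++;
    }
    hash = strchr(s, '#');
    if (hash != NULL) {
        char basestr[3] = {0, 0, 0};
        size_t n = (size_t)(hash - s);
        if (n == 0 || n > 2) return 0;            /* base is one or two decimal digits */
        memcpy(basestr, s, n);
        if (!parse_digits(basestr, 10, &base) || base < 2 || base > 36) return 0;
        s = hash + 1;
    }
    if (!parse_digits(s, base, &v)) return 0;
    *out = neg ? -v : v;
    return 1;
}

/* Convenience wrappers: one question at a time. */
int is_int_literal(const char *s) { long long v; return parse_untrusted_int(s, &v); }
long long int_or_zero(const char *s) { long long v; parse_untrusted_int(s, &v); return v; }

/* Constructed sample inputs, chosen to mirror the values in the patch's test. */
int main(void)
{
    static const char *const samples[] = {
        "7", "013", "2#11", "16#B", "-42", "2#11+x[0]", "1+1", "99#1", ""
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s %lld\n", samples[i],
               is_int_literal(samples[i]) ? "literal " : "rejected", int_or_zero(samples[i]));
    return 0;
}
```

The point of the wrapper pair is the same distinction the patch draws: a caller importing the environment asks "is this a literal?" and takes 0 otherwise, and never hands the raw string to anything that understands operators, brackets or command substitution.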
--- Begin Message ---
- To: 931678-done@bugs.debian.org, 947351-done@bugs.debian.org, 947758-done@bugs.debian.org, 948652-done@bugs.debian.org, 953763-done@bugs.debian.org, 954020-done@bugs.debian.org, 954716-done@bugs.debian.org, 959661-done@bugs.debian.org, 959890-done@bugs.debian.org, 960020-done@bugs.debian.org, 960376-done@bugs.debian.org, 960395-done@bugs.debian.org, 960575-done@bugs.debian.org, 960600-done@bugs.debian.org, 960804-done@bugs.debian.org, 960806-done@bugs.debian.org, 960836-done@bugs.debian.org, 960885-done@bugs.debian.org, 960974-done@bugs.debian.org, 961019-done@bugs.debian.org, 961212-done@bugs.debian.org, 961275-done@bugs.debian.org, 961379-done@bugs.debian.org, 961439-done@bugs.debian.org, 961441-done@bugs.debian.org, 961514-done@bugs.debian.org, 961803-done@bugs.debian.org, 961833-done@bugs.debian.org, 961921-done@bugs.debian.org, 961936-done@bugs.debian.org, 961944-done@bugs.debian.org, 961978-done@bugs.debian.org, 962059-done@bugs.debian.org, 962067-done@bugs.debian.org, 962160-done@bugs.debian.org, 962227-done@bugs.debian.org, 962237-done@bugs.debian.org, 962255-done@bugs.debian.org, 962306-done@bugs.debian.org, 962982-done@bugs.debian.org, 963024-done@bugs.debian.org, 963267-done@bugs.debian.org, 963591-done@bugs.debian.org, 963595-done@bugs.debian.org, 963694-done@bugs.debian.org, 963796-done@bugs.debian.org, 963940-done@bugs.debian.org, 963986-done@bugs.debian.org, 964146-done@bugs.debian.org, 964158-done@bugs.debian.org, 964228-done@bugs.debian.org, 964338-done@bugs.debian.org, 964346-done@bugs.debian.org, 964350-done@bugs.debian.org, 964397-done@bugs.debian.org, 964412-done@bugs.debian.org, 964417-done@bugs.debian.org, 964422-done@bugs.debian.org, 964435-done@bugs.debian.org, 964574-done@bugs.debian.org, 964589-done@bugs.debian.org, 964712-done@bugs.debian.org, 964714-done@bugs.debian.org, 964715-done@bugs.debian.org, 964726-done@bugs.debian.org, 964740-done@bugs.debian.org, 964792-done@bugs.debian.org, 964807-done@bugs.debian.org, 
964808-done@bugs.debian.org, 964860-done@bugs.debian.org, 964868-done@bugs.debian.org, 964898-done@bugs.debian.org, 964986-done@bugs.debian.org, 965116-done@bugs.debian.org, 965117-done@bugs.debian.org, 965257-done@bugs.debian.org, 965377-done@bugs.debian.org, 966151-done@bugs.debian.org, 966213-done@bugs.debian.org, 966247-done@bugs.debian.org, 966272-done@bugs.debian.org, 966310-done@bugs.debian.org
- Subject: Closing bugs for fixes included in 10.5 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 01 Aug 2020 12:51:28 +0100
- Message-id: <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's stable point release.

Regards,

Adam
--- End Message ---