
Bug#964986: marked as done (buster-pu: package ksh/93u+20120801-3.4)



Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #964986,
regarding buster-pu: package ksh/93u+20120801-3.4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
964986: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964986
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: anuradha@debian.org, carnil@debian.org

[ Reason ]
Summary of the issue: In ksh version 20120801, a flaw was found in the
way it evaluates certain environment variables. An attacker could use
this flaw to override or bypass environment restrictions to execute
shell commands.

[ Impact ]
Services and applications that allow remote unauthenticated
attackers to provide one of those environment variables could allow them
to exploit this issue remotely, although the risk is deemed low.

[ Tests ]
There is a test included in the diff that was used to validate the
fix. Also, the regression test suite was run to make sure there were
no regressions.

[ Risks ]
The regression test suite has been run before and after the patch to
confirm no new regressions. Also, the fix is applied in unstable with no
new issues reported.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
* Patch to arith.c that fixes the CVE
* Test case for the fix

[ Other info ]
This was brought up to the security team first, and it was deemed that a
DSA is not required by Salvatore Bonaccorso.

Anuradha

-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
diff -Nru ksh-93u+20120801/debian/changelog ksh-93u+20120801/debian/changelog
--- ksh-93u+20120801/debian/changelog	2018-12-14 02:26:58.000000000 -0500
+++ ksh-93u+20120801/debian/changelog	2020-07-12 11:26:07.000000000 -0400
@@ -1,3 +1,15 @@
+ksh (93u+20120801-4+deb10u1) buster-security; urgency=high
+
+  * Fix for CVE-2019-14868: in ksh version 20120801, a flaw was found
+    in the way it evaluates certain environment variables. An attacker
+    could use this flaw to override or bypass environment restrictions
+    to execute shell commands. Services and applications that allow
+    remote unauthenticated attackers to provide one of those
+    environment variables could allow them to exploit this issue
+    remotely. (Closes: #948989)
+
+ -- Anuradha Weeraman <anuradha@debian.org>  Sun, 12 Jul 2020 11:26:07 -0400
+
 ksh (93u+20120801-3.4) unstable; urgency=medium
 
   [ Boyuan Yang ]
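Review bot: the version and distribution in the new changelog entry at the top of this hunk do not match a buster-pu upload: the entry reads `ksh (93u+20120801-4+deb10u1) buster-security; urgency=high`, while the request is for package 93u+20120801-3.4 (the unchanged context line `ksh (93u+20120801-3.4) unstable` confirms that as the version being updated) and the report's [ Other info ] says no DSA is needed. A stable update of 3.4 is conventionally versioned `93u+20120801-3.4+deb10u1` and targeted at `buster`; `buster-security` is the DSA queue, and `-4+deb10u1` sorts above a plain `-4`, so if the fixed upload in unstable is `-4` this would break the upgrade path from buster to the next release.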
diff -Nru ksh-93u+20120801/debian/patches/cve-2019-14868.patch ksh-93u+20120801/debian/patches/cve-2019-14868.patch
--- ksh-93u+20120801/debian/patches/cve-2019-14868.patch	1969-12-31 19:00:00.000000000 -0500
+++ ksh-93u+20120801/debian/patches/cve-2019-14868.patch	2020-07-12 11:26:07.000000000 -0400
@@ -0,0 +1,97 @@
+Description: CVE-2019-14868
+ Certain environment variables were interpreted as arithmetic
+ expressions on startup, leading to code injection.
+Bug-Debian: https://bugs.debian.org/948989
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1757324
+Author: Kurtis Rader <krader@skepticism.us>
+Origin: https://github.com/ksh93/ksh/commit/593a5a8b7f272c2488c8a800820ae990942946e7
+Date: 2020-05-21
+
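Review bot: the DEP-3 `Origin:` field in this header carries only the upstream commit URL; since the commit comes from the ksh93/ksh repository (dated 2020-05-21 above) and is being applied to the 2012 93u+ release, prefix it with the `backport,` keyword so the provenance is unambiguous, and add a `Last-Update:` line for the Debian patch itself.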
+diff --git a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c
+index b1059421..6361431b 100644
+--- a/src/cmd/ksh93/sh/arith.c
++++ b/src/cmd/ksh93/sh/arith.c
+@@ -513,21 +513,36 @@ Sfdouble_t sh_strnum(register const char *str, char** ptr, int mode)
+ 	char base=(shp->inarith?0:10), *last;
+ 	if(*str==0)
+ 	{
+-		if(ptr)
+-			*ptr = (char*)str;
+-		return(0);
+-	}
+-	errno = 0;
+-	d = strtonll(str,&last,&base,-1);
+-	if(*last || errno)
+-	{
+-		if(!last || *last!='.' || last[1]!='.')
+-			d = strval(shp,str,&last,arith,mode);
+-		if(!ptr && *last && mode>0)
+-			errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
++		d = 0.0;
++		last = (char*)str;
++	} else {
++		errno = 0;
++		d = strtonll(str,&last,&base,-1);
++		if (*last && !shp->inarith && sh_isstate(SH_INIT)) {
++			/* This call is to handle "base#value" literals if we're importing untrusted env vars. */
++			errno = 0;
++			d = strtonll(str, &last, NULL, -1);
++		}
++
++		if(*last || errno)
++		{
++			if (sh_isstate(SH_INIT)) {
++				/*
++				 * Initializing means importing untrusted env vars. The string does not appear to be
++				 * a recognized numeric literal, so give up. We can't safely call strval(), because
++				 * that allows arbitrary expressions, causing security vulnerability CVE-2019-14868.
++				 */
++				d = 0.0;
++			} else {
++				if(!last || *last!='.' || last[1]!='.')
++					d = strval(shp,str,&last,arith,mode);
++				if(!ptr && *last && mode>0)
++					errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
++			}
++		} else if (!d && *str=='-') {
++			d = -0.0;
++		}
+ 	}
+-	else if (!d && *str=='-')
+-		d = -0.0;
+ 	if(ptr)
+ 		*ptr = last;
+ 	return(d);
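Review bot: on the new `sh_isstate(SH_INIT)` give-up path, `d` is reset to `0.0` but `last` is left pointing at the first rejected character, so a caller that passes `ptr` gets a partial parse position for a value that was discarded; the empty-string branch above sets `last = (char*)str;`, and doing the same here (`d = 0.0; last = (char*)str;`) would make the rejection unambiguous to callers. Smaller point: the `base#value` retry `strtonll(str, &last, NULL, -1)` only runs when `*last` is non-zero, so a first call that consumed the whole string but set `errno` (ERANGE) falls straight into the `*last || errno` branch and becomes `0.0` during init; that is the intended fail-closed behaviour, but the comment should say so rather than only mentioning expressions.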
+diff --git a/src/cmd/ksh93/tests/variables.sh b/src/cmd/ksh93/tests/variables.sh
+index 6eec31b6..9ceb2d1b 100755
+--- a/src/cmd/ksh93/tests/variables.sh
++++ b/src/cmd/ksh93/tests/variables.sh
+@@ -674,4 +674,28 @@ level=$($SHELL -c $'$SHELL -c \'print -r "$SHLVL"\'')
+ $SHELL -c 'unset .sh' 2> /dev/null
+ [[ $? == 1 ]] || err_exit 'unset .sh should return 1'
+ 
++# ======
++# Verify that importing untrusted environment variables does not allow evaluating
++# arbitrary expressions, but does recognize all integer literals recognized by ksh.
++
++expect=8
++actual=$(env SHLVL='7' "$SHELL" -c 'echo $SHLVL')
++[[ $actual == $expect ]] || err_exit "decimal int literal not recognized (expected '$expect', got '$actual')"
++
++expect=14
++actual=$(env SHLVL='013' "$SHELL" -c 'echo $SHLVL')
++[[ $actual == $expect ]] || err_exit "leading zeros int literal not recognized (expected '$expect', got '$actual')"
++
++expect=4
++actual=$(env SHLVL='2#11' "$SHELL" -c 'echo $SHLVL')
++[[ $actual == $expect ]] || err_exit "base#value int literal not recognized (expected '$expect', got '$actual')"
++
++expect=12
++actual=$(env SHLVL='16#B' "$SHELL" -c 'echo $SHLVL')
++[[ $actual == $expect ]] || err_exit "base#value int literal not recognized (expected '$expect', got '$actual')"
++
++expect=1
++actual=$(env SHLVL="2#11+x[\$(env echo Exploited vuln CVE-2019-14868 >&2)0]" "$SHELL" -c 'echo $SHLVL' 2>&1)
++[[ $actual == $expect ]] || err_exit "expression allowed on env var import (expected '$expect', got '$actual')"
++
+ exit $((Errors<125?Errors:125))
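Review bot: the two `base#value` assertions emit the identical message `base#value int literal not recognized`, so a failure of `2#11` cannot be told from a failure of `16#B` in the test log; put the literal in each message, e.g. `err_exit "2#11 int literal not recognized (expected '$expect', got '$actual')"`. The `013` case should also carry a comment that it checks a leading zero is read as decimal (13 + 1 = 14) and not octal (11 + 1 = 12), because the message `leading zeros int literal not recognized` would be misleading in the octal case: the literal was recognized, only in the wrong base. Finally, the arith.c hunk keeps the `-0.0` handling for a leading `-`, but no negative literal is imported here; one case with a negative `SHLVL` would exercise that branch.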
diff -Nru ksh-93u+20120801/debian/patches/series ksh-93u+20120801/debian/patches/series
--- ksh-93u+20120801/debian/patches/series	2018-12-14 02:26:58.000000000 -0500
+++ ksh-93u+20120801/debian/patches/series	2020-07-12 11:26:07.000000000 -0400
@@ -7,3 +7,4 @@
 ed.patch
 0008-Bug-887743-Fix-build-failures-caused-by-update-in-gl.patch
 bug915326.patch
+cve-2019-14868.patch



--- End Message ---
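An administrator reading this update will want to know whether a given ksh binary still evaluates imported environment variables. The POSIX shell probe below is an added example, not part of the bug report or of the Debian/ksh93 patch; it reuses the technique of the regression test in the debdiff (an `SHLVL` value that starts with a valid `base#value` literal and continues with an arithmetic expression wrapping a command substitution), but the function name `probe_ksh`, the marker-file detection and the exit-status mapping are this example's own assumptions.

```shell
#!/bin/sh
# Added example: probe a ksh93 binary for CVE-2019-14868 (arithmetic
# evaluation of environment variables at startup). Not part of the Debian
# bug report or the ksh93 patch; probe_ksh, the marker file and the
# status codes below are this example's own conventions.
#
# probe_ksh /path/to/ksh
#   status 0  SHLVL was imported as a plain integer: the expression was
#             not evaluated and the child printed 1, as the patched
#             regression test in the debdiff expects
#   status 1  VULNERABLE: the $(...) inside SHLVL ran during env import
#   status 2  the path is not an executable file, or mktemp failed
#   status 3  inconclusive: nothing ran, but the child did not print 1
#             (e.g. the binary is not ksh93 and treats SHLVL as a string)
probe_ksh() {
    ksh_bin=$1
    [ -x "$ksh_bin" ] || return 2
    marker=$(mktemp) || return 2

    # Same payload shape as the patch's test: "2#11" is a valid base#value
    # literal, so the number parser gets past it; an unpatched sh_strnum()
    # then hands the remainder to strval(), which evaluates the subscript
    # and runs the command substitution. That command deletes the marker,
    # so "marker gone" means the expression was evaluated. A patched ksh
    # stops at '+', resets the value to 0 and prints 1 after the usual
    # SHLVL increment.
    payload="2#11+x[\$(rm -f '$marker')0]"
    out=$(env SHLVL="$payload" "$ksh_bin" -c 'echo $SHLVL' 2>/dev/null)

    if [ ! -e "$marker" ]; then
        return 1
    fi
    rm -f "$marker"
    [ "$out" = "1" ] || return 3
    return 0
}

# Command-line usage: sh probe-ksh.sh /bin/ksh93
if [ "$#" -gt 0 ]; then
    rc=0
    probe_ksh "$1" || rc=$?
    case $rc in
        0) echo "$1: expression not evaluated on env import (CVE-2019-14868 fix behaviour)" ;;
        1) echo "$1: VULNERABLE to CVE-2019-14868: command substitution ran during env import" ;;
        2) echo "$1: not an executable file" ;;
        *) echo "$1: inconclusive output, check manually" ;;
    esac
    exit "$rc"
fi
```

Status 0 only says that the tested binary did not evaluate the expression; on a shell other than ksh93 that is simply its normal behaviour, so run the probe against the actual `ksh` path (for example the one `command -v ksh` reports) rather than `/bin/sh`. The marker is deleted by the payload rather than created, so a vulnerable run leaves nothing behind in the temp directory.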
--- Begin Message ---
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
