[arch-commits] Commit in ksh/trunk (CVE-2019-14868.patch PKGBUILD)
Eli Schwartz
eschwartz at archlinux.org
Fri Feb 7 19:54:06 UTC 2020
Date: Friday, February 7, 2020 @ 19:54:06
Author: eschwartz
Revision: 563757
upgpkg: ksh 2020.0.0-2: backport security patch
Added:
ksh/trunk/CVE-2019-14868.patch
Modified:
ksh/trunk/PKGBUILD
----------------------+
CVE-2019-14868.patch | 94 +++++++++++++++++++++++++++++++++++++++++++++++++
PKGBUILD | 13 ++++--
2 files changed, 103 insertions(+), 4 deletions(-)
Added: CVE-2019-14868.patch
===================================================================
--- CVE-2019-14868.patch (rev 0)
+++ CVE-2019-14868.patch 2020-02-07 19:54:06 UTC (rev 563757)
@@ -0,0 +1,94 @@
+From c5ed0136a7b6727332ed1ac598c176a5e0087683 Mon Sep 17 00:00:00 2001
+From: Kurtis Rader <krader at skepticism.us>
+Date: Thu, 12 Dec 2019 18:46:50 -0800
+Subject: [PATCH] Harden env var imports
+
+(cherry picked from commit c7de8b641266bac7c77942239ac659edfee9ecd2)
+---
+ src/cmd/ksh93/sh/arith.c | 37 ++++++++++++++++++++++-----------
+ src/cmd/ksh93/tests/subshell.sh | 23 ++++++++++++++++++++
+ 2 files changed, 48 insertions(+), 12 deletions(-)
+
+diff --git a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c
+index 5ca3fce4..53eb45ea 100644
+--- a/src/cmd/ksh93/sh/arith.c
++++ b/src/cmd/ksh93/sh/arith.c
+@@ -567,19 +567,32 @@ Sfdouble_t sh_strnum(Shell_t *shp, const char *str, char **ptr, int mode) {
+ char *last;
+
+ if (*str == 0) {
+- if (ptr) *ptr = (char *)str;
+- return 0;
+- }
+- errno = 0;
+- d = number(str, &last, shp->inarith ? 0 : 10, NULL);
+- if (*last) {
+- if (*last != '.' || last[1] != '.') {
+- d = strval(shp, str, &last, arith, mode);
+- Varsubscript = true;
++ d = 0.0;
++ last = (char *)str;
++ } else {
++ d = number(str, &last, shp->inarith ? 0 : 10, NULL);
++ if (*last && !shp->inarith && sh_isstate(shp, SH_INIT)) {
++ // This call is to handle "base#value" literals if we're importing untrusted env vars.
++ d = number(str, &last, 0, NULL);
++ }
++ if (*last) {
++ if (sh_isstate(shp, SH_INIT)) {
++ // Initializing means importing untrusted env vars. Since the string does not appear
++ // to be a recognized numeric literal give up. We can't safely call strval() since
++ // that allows arbitrary expressions which would create a security vulnerability.
++ d = 0.0;
++ } else {
++ if (*last != '.' || last[1] != '.') {
++ d = strval(shp, str, &last, arith, mode);
++ Varsubscript = true;
++ }
++ if (!ptr && *last && mode > 0) {
++ errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str);
++ }
++ }
++ } else if (d == 0.0 && *str == '-') {
++ d = -0.0;
+ }
+- if (!ptr && *last && mode > 0) errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str);
+- } else if (!d && *str == '-') {
+- d = -0.0;
+ }
+ if (ptr) *ptr = last;
+ return d;
+diff --git a/src/cmd/ksh93/tests/subshell.sh b/src/cmd/ksh93/tests/subshell.sh
+index b63a8051..3faba475 100644
+--- a/src/cmd/ksh93/tests/subshell.sh
++++ b/src/cmd/ksh93/tests/subshell.sh
+@@ -856,3 +856,26 @@ for exp in 65535 65536
+ do got=$($SHELL -c 'x=$(printf "%.*c" '$exp' x); print ${#x}' 2>&1)
+ [[ $got == $exp ]] || log_error "large command substitution failed" "$exp" "$got"
+ done
++
++# ==========
++# Verify that importing untrusted env vars does not allow evaluating arbitrary expressions but does
++# recognize all integer literals recognized by ksh.
++expect=8
++actual=$(env SHLVL='7' $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "decimal int literal not recognized" "$expect" "$actual"
++
++expect=14
++actual=$(env SHLVL='013' $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "leading zeros int literal not recognized" "$expect" "$actual"
++
++expect=4
++actual=$(env SHLVL='2#11' $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "base#value int literal not recognized" "$expect" "$actual"
++
++expect=12
++actual=$(env SHLVL='16#B' $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "base#value int literal not recognized" "$expect" "$actual"
++
++expect=1
++actual=$(env SHLVL="2#11+x[\$($bin_echo DANGER WILL ROBINSON >&2)0]" $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "expression allowed on env var import" "$expect" "$actual"
+--
+2.25.0
+
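Review bot: The rewritten else-branch of sh_strnum no longer resets errno before the first `number(str, &last, ...)` call — the old code had `errno = 0;` immediately before it (removed on the `-` side) and the new side adds no replacement. If number() or a caller that inspects *ptr relies on errno to detect ERANGE, a stale value left by an earlier library call could be misread as an overflow; if that reset was deliberate, keeping `errno = 0;` as the first statement of the else-branch preserves the old contract at no cost. The SH_INIT path is otherwise sound as a hardening measure: an import that is not a recognized numeric literal yields 0.0 and leaves `last` at the offending character, so callers passing a non-NULL ptr can still tell a rejected string from a genuine zero, and the shell test in the same patch pins both the accepted literal forms and the rejected expression case. Note that sh_strnum's declaration of `d` precedes the hunk, so the full function is not visible here.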
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-02-07 19:24:45 UTC (rev 563756)
+++ PKGBUILD 2020-02-07 19:54:06 UTC (rev 563757)
@@ -2,7 +2,7 @@
pkgname=ksh
pkgver=2020.0.0
-pkgrel=1
+pkgrel=2
pkgdesc="The Original AT&T Korn Shell"
arch=('x86_64')
url="http://kornshell.org/"
@@ -12,13 +12,16 @@
provides=('ksh93')
install=ksh.install
source=("https://github.com/att/ast/releases/download/${pkgver}/ksh-${pkgver}.tar.xz"{,.asc}
- "https://github.com/att/ast/commit/d89753b5d38482f4a3f17ba3b7d09ab07cfe7419.patch")
+ "https://github.com/att/ast/commit/d89753b5d38482f4a3f17ba3b7d09ab07cfe7419.patch"
+ "CVE-2019-14868.patch")
sha256sums=('3d6287f9ad13132bf8e57a8eac512b36a63ccce2b1e4531d7a946c5bf2375c63'
'SKIP'
- '8d10ac086727ef9d1b967e2e973be29792e9a4a8c5f915087aa3a2c44d87403f')
+ '8d10ac086727ef9d1b967e2e973be29792e9a4a8c5f915087aa3a2c44d87403f'
+ '3e28d2cbe4b6d8d4dc40056aaea78099b2dc95017796395e26f05baae1bbffa2')
b2sums=('29f957c7917d469fe1b322e7ac2c22435c41c226a0d9629d91d81089ab90cb381b578b163be0f424a574663c838f0cfa59357f18dd61381daa4a8d4e383b60eb'
'SKIP'
- 'bcf521012bb197d234b119dc56ddc068f8ec3e46b6f4c6d82e1043629368bfcabd1a5d360bae702777e5b01914ac70c9edbdce5ee0bba7e9f69916a3c38b1820')
+ 'bcf521012bb197d234b119dc56ddc068f8ec3e46b6f4c6d82e1043629368bfcabd1a5d360bae702777e5b01914ac70c9edbdce5ee0bba7e9f69916a3c38b1820'
+ 'de3e7fd86fb5bddfd85074d1337794a5777c2537baf5d00568beb82ac70ca2d5d6d47902d8ebe5cb32194d426172fbbfba6b4e511013209f0f3aaeec9e07a866')
validpgpkeys=('4BF045ACC726FE4E9DFC1D7762213CE2D3CB82EA') # Siteshwar Vashisht <svashisht at redhat.com>
export NINJA=/usr/bin/samu
@@ -28,6 +31,8 @@
# ignore test error on non-debug builds: https://github.com/att/ast/issues/1390
patch -p1 -i ../d89753b5d38482f4a3f17ba3b7d09ab07cfe7419.patch
+ # CVE-2019-14868
+ patch -p1 -i ../CVE-2019-14868.patch
}