[arch-commits] Commit in ksh/repos/community-x86_64 (6 files)

Caleb Maclennan alerque at gemini.archlinux.org
Tue Nov 23 00:19:28 UTC 2021


    Date: Tuesday, November 23, 2021 @ 00:19:28
  Author: alerque
Revision: 1054409

archrelease: copy trunk to community-x86_64

Added:
  ksh/repos/community-x86_64/CVE-2019-14868.patch
    (from rev 1054408, ksh/trunk/CVE-2019-14868.patch)
  ksh/repos/community-x86_64/PKGBUILD
    (from rev 1054408, ksh/trunk/PKGBUILD)
  ksh/repos/community-x86_64/ksh.install
    (from rev 1054408, ksh/trunk/ksh.install)
Deleted:
  ksh/repos/community-x86_64/CVE-2019-14868.patch
  ksh/repos/community-x86_64/PKGBUILD
  ksh/repos/community-x86_64/ksh.install

----------------------+
 CVE-2019-14868.patch |  188 ++++++++++++++++++++++++-------------------------
 PKGBUILD             |  127 +++++++++++++++++----------------
 ksh.install          |   24 +++---
 3 files changed, 172 insertions(+), 167 deletions(-)

Deleted: CVE-2019-14868.patch
===================================================================
--- CVE-2019-14868.patch	2021-11-23 00:09:09 UTC (rev 1054408)
+++ CVE-2019-14868.patch	2021-11-23 00:19:28 UTC (rev 1054409)
@@ -1,94 +0,0 @@
-From c5ed0136a7b6727332ed1ac598c176a5e0087683 Mon Sep 17 00:00:00 2001
-From: Kurtis Rader <krader at skepticism.us>
-Date: Thu, 12 Dec 2019 18:46:50 -0800
-Subject: [PATCH] Harden env var imports
-
-(cherry picked from commit c7de8b641266bac7c77942239ac659edfee9ecd2)
----
- src/cmd/ksh93/sh/arith.c        | 37 ++++++++++++++++++++++-----------
- src/cmd/ksh93/tests/subshell.sh | 23 ++++++++++++++++++++
- 2 files changed, 48 insertions(+), 12 deletions(-)
-
-diff --git a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c
-index 5ca3fce4..53eb45ea 100644
---- a/src/cmd/ksh93/sh/arith.c
-+++ b/src/cmd/ksh93/sh/arith.c
-@@ -567,19 +567,32 @@ Sfdouble_t sh_strnum(Shell_t *shp, const char *str, char **ptr, int mode) {
-     char *last;
- 
-     if (*str == 0) {
--        if (ptr) *ptr = (char *)str;
--        return 0;
--    }
--    errno = 0;
--    d = number(str, &last, shp->inarith ? 0 : 10, NULL);
--    if (*last) {
--        if (*last != '.' || last[1] != '.') {
--            d = strval(shp, str, &last, arith, mode);
--            Varsubscript = true;
-+        d = 0.0;
-+        last = (char *)str;
-+    } else {
-+        d = number(str, &last, shp->inarith ? 0 : 10, NULL);
-+        if (*last && !shp->inarith && sh_isstate(shp, SH_INIT)) {
-+            // This call is to handle "base#value" literals if we're importing untrusted env vars.
-+            d = number(str, &last, 0, NULL);
-+        }
-+        if (*last) {
-+            if (sh_isstate(shp, SH_INIT)) {
-+                // Initializing means importing untrusted env vars. Since the string does not appear
-+                // to be a recognized numeric literal give up. We can't safely call strval() since
-+                // that allows arbitrary expressions which would create a security vulnerability.
-+                d = 0.0;
-+            } else {
-+                if (*last != '.' || last[1] != '.') {
-+                    d = strval(shp, str, &last, arith, mode);
-+                    Varsubscript = true;
-+                }
-+                if (!ptr && *last && mode > 0) {
-+                    errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str);
-+                }
-+            }
-+        } else if (d == 0.0 && *str == '-') {
-+            d = -0.0;
-         }
--        if (!ptr && *last && mode > 0) errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str);
--    } else if (!d && *str == '-') {
--        d = -0.0;
-     }
-     if (ptr) *ptr = last;
-     return d;
-diff --git a/src/cmd/ksh93/tests/subshell.sh b/src/cmd/ksh93/tests/subshell.sh
-index b63a8051..3faba475 100644
---- a/src/cmd/ksh93/tests/subshell.sh
-+++ b/src/cmd/ksh93/tests/subshell.sh
-@@ -856,3 +856,26 @@ for exp in 65535 65536
- do    got=$($SHELL -c 'x=$(printf "%.*c" '$exp' x); print ${#x}' 2>&1)
-     [[ $got == $exp ]] || log_error "large command substitution failed" "$exp" "$got"
- done
-+
-+# ==========
-+# Verify that importing untrusted env vars does not allow evaluating arbitrary expressions but does
-+# recognize all integer literals recognized by ksh.
-+expect=8
-+actual=$(env SHLVL='7' $SHELL -c 'echo $SHLVL')
-+[[ $actual == $expect ]] || log_error "decimal int literal not recognized" "$expect" "$actual"
-+
-+expect=14
-+actual=$(env SHLVL='013' $SHELL -c 'echo $SHLVL')
-+[[ $actual == $expect ]] || log_error "leading zeros int literal not recognized" "$expect" "$actual"
-+
-+expect=4
-+actual=$(env SHLVL='2#11' $SHELL -c 'echo $SHLVL')
-+[[ $actual == $expect ]] || log_error "base#value int literal not recognized" "$expect" "$actual"
-+
-+expect=12
-+actual=$(env SHLVL='16#B' $SHELL -c 'echo $SHLVL')
-+[[ $actual == $expect ]] || log_error "base#value int literal not recognized" "$expect" "$actual"
-+
-+expect=1
-+actual=$(env SHLVL="2#11+x[\$($bin_echo DANGER WILL ROBINSON >&2)0]" $SHELL -c 'echo $SHLVL')
-+[[ $actual == $expect ]] || log_error "expression allowed on env var import" "$expect" "$actual"
--- 
-2.25.0
-

Copied: ksh/repos/community-x86_64/CVE-2019-14868.patch (from rev 1054408, ksh/trunk/CVE-2019-14868.patch)
===================================================================
--- CVE-2019-14868.patch	                        (rev 0)
+++ CVE-2019-14868.patch	2021-11-23 00:19:28 UTC (rev 1054409)
@@ -0,0 +1,94 @@
+From c5ed0136a7b6727332ed1ac598c176a5e0087683 Mon Sep 17 00:00:00 2001
+From: Kurtis Rader <krader at skepticism.us>
+Date: Thu, 12 Dec 2019 18:46:50 -0800
+Subject: [PATCH] Harden env var imports
+
+(cherry picked from commit c7de8b641266bac7c77942239ac659edfee9ecd2)
+---
+ src/cmd/ksh93/sh/arith.c        | 37 ++++++++++++++++++++++-----------
+ src/cmd/ksh93/tests/subshell.sh | 23 ++++++++++++++++++++
+ 2 files changed, 48 insertions(+), 12 deletions(-)
+
+diff --git a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c
+index 5ca3fce4..53eb45ea 100644
+--- a/src/cmd/ksh93/sh/arith.c
++++ b/src/cmd/ksh93/sh/arith.c
+@@ -567,19 +567,32 @@ Sfdouble_t sh_strnum(Shell_t *shp, const char *str, char **ptr, int mode) {
+     char *last;
+ 
+     if (*str == 0) {
+-        if (ptr) *ptr = (char *)str;
+-        return 0;
+-    }
+-    errno = 0;
+-    d = number(str, &last, shp->inarith ? 0 : 10, NULL);
+-    if (*last) {
+-        if (*last != '.' || last[1] != '.') {
+-            d = strval(shp, str, &last, arith, mode);
+-            Varsubscript = true;
++        d = 0.0;
++        last = (char *)str;
++    } else {
++        d = number(str, &last, shp->inarith ? 0 : 10, NULL);
++        if (*last && !shp->inarith && sh_isstate(shp, SH_INIT)) {
++            // This call is to handle "base#value" literals if we're importing untrusted env vars.
++            d = number(str, &last, 0, NULL);
++        }
++        if (*last) {
++            if (sh_isstate(shp, SH_INIT)) {
++                // Initializing means importing untrusted env vars. Since the string does not appear
++                // to be a recognized numeric literal give up. We can't safely call strval() since
++                // that allows arbitrary expressions which would create a security vulnerability.
++                d = 0.0;
++            } else {
++                if (*last != '.' || last[1] != '.') {
++                    d = strval(shp, str, &last, arith, mode);
++                    Varsubscript = true;
++                }
++                if (!ptr && *last && mode > 0) {
++                    errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str);
++                }
++            }
++        } else if (d == 0.0 && *str == '-') {
++            d = -0.0;
+         }
+-        if (!ptr && *last && mode > 0) errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str);
+-    } else if (!d && *str == '-') {
+-        d = -0.0;
+     }
+     if (ptr) *ptr = last;
+     return d;
+diff --git a/src/cmd/ksh93/tests/subshell.sh b/src/cmd/ksh93/tests/subshell.sh
+index b63a8051..3faba475 100644
+--- a/src/cmd/ksh93/tests/subshell.sh
++++ b/src/cmd/ksh93/tests/subshell.sh
+@@ -856,3 +856,26 @@ for exp in 65535 65536
+ do    got=$($SHELL -c 'x=$(printf "%.*c" '$exp' x); print ${#x}' 2>&1)
+     [[ $got == $exp ]] || log_error "large command substitution failed" "$exp" "$got"
+ done
++
++# ==========
++# Verify that importing untrusted env vars does not allow evaluating arbitrary expressions but does
++# recognize all integer literals recognized by ksh.
++expect=8
++actual=$(env SHLVL='7' $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "decimal int literal not recognized" "$expect" "$actual"
++
++expect=14
++actual=$(env SHLVL='013' $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "leading zeros int literal not recognized" "$expect" "$actual"
++
++expect=4
++actual=$(env SHLVL='2#11' $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "base#value int literal not recognized" "$expect" "$actual"
++
++expect=12
++actual=$(env SHLVL='16#B' $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "base#value int literal not recognized" "$expect" "$actual"
++
++expect=1
++actual=$(env SHLVL="2#11+x[\$($bin_echo DANGER WILL ROBINSON >&2)0]" $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "expression allowed on env var import" "$expect" "$actual"
+-- 
+2.25.0
+
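Review bot: The hardened `sh_strnum` body carried by this patch drops the `errno = 0;` reset that used to precede the `number()` call (the nested hunk removes the line and never reintroduces it), and nothing in the patch header says why. If `number()` reports out-of-range input through errno, as strtol-style parsers do, a stale errno left by an earlier call could be mistaken for a conversion error by whatever inspects it after the parse; whether any caller does so is not visible here. Since the file is a verbatim cherry-pick of upstream commit c7de8b641266bac7c77942239ac659edfee9ecd2, a restored `errno = 0;` before the first `number()` call, if it is still wanted, belongs in an upstream follow-up rather than in a local edit of the patch. The enclosing function begins before the nested hunk and its closing brace lies outside it.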

Deleted: PKGBUILD
===================================================================
--- PKGBUILD	2021-11-23 00:09:09 UTC (rev 1054408)
+++ PKGBUILD	2021-11-23 00:19:28 UTC (rev 1054409)
@@ -1,61 +0,0 @@
-# Maintainer: Eli Schwartz <eschwartz at archlinux.org>
-
-pkgname=ksh
-pkgver=2020.0.0
-pkgrel=2
-pkgdesc="The Original AT&T Korn Shell"
-arch=('x86_64')
-url="http://kornshell.org/"
-license=('EPL')
-makedepends=('meson' 'samurai')
-checkdepends=('ed' 'expect' 'openbsd-netcat' 'procps-ng' 'which' 'vi')
-provides=('ksh93')
-install=ksh.install
-source=("https://github.com/att/ast/releases/download/${pkgver}/ksh-${pkgver}.tar.xz"{,.asc}
-        "https://github.com/att/ast/commit/d89753b5d38482f4a3f17ba3b7d09ab07cfe7419.patch"
-        "CVE-2019-14868.patch")
-sha256sums=('3d6287f9ad13132bf8e57a8eac512b36a63ccce2b1e4531d7a946c5bf2375c63'
-            'SKIP'
-            '7d929d9073a90dc672b2f1eab0f9e80f716e236958bda34b7b992b382552f57f'
-            '3e28d2cbe4b6d8d4dc40056aaea78099b2dc95017796395e26f05baae1bbffa2')
-b2sums=('29f957c7917d469fe1b322e7ac2c22435c41c226a0d9629d91d81089ab90cb381b578b163be0f424a574663c838f0cfa59357f18dd61381daa4a8d4e383b60eb'
-        'SKIP'
-        '35c6886ffe362b83d5af42f57b3b6aa6a356e192d374537a61bc25507ca71f5d5419725e750e30980098209f48e87dbe0205ace07437e47b6ae3bbf9eb8424c4'
-        'de3e7fd86fb5bddfd85074d1337794a5777c2537baf5d00568beb82ac70ca2d5d6d47902d8ebe5cb32194d426172fbbfba6b4e511013209f0f3aaeec9e07a866')
-validpgpkeys=('4BF045ACC726FE4E9DFC1D7762213CE2D3CB82EA') # Siteshwar Vashisht <svashisht at redhat.com>
-
-export NINJA=/usr/bin/samu
-
-prepare() {
-    cd "${srcdir}"/ksh-${pkgver}
-
-    # ignore test error on non-debug builds: https://github.com/att/ast/issues/1390
-    patch -p1 -i ../d89753b5d38482f4a3f17ba3b7d09ab07cfe7419.patch
-    # CVE-2019-14868
-    patch -p1 -i ../CVE-2019-14868.patch
-}
-
-
-build() {
-    mkdir -p "${srcdir}"/ksh-${pkgver}/build
-    cd "${srcdir}"/ksh-${pkgver}/build
-
-    meson --prefix /usr \
-          --buildtype=plain \
-          ..
-    samu
-}
-
-check() {
-    cd "${srcdir}"/ksh-${pkgver}/build
-
-    # a couple tests are flaky and may time out
-    meson test -t 3 --print-errorlogs
-}
-
-package() {
-    cd "${srcdir}"/ksh-${pkgver}/build
-
-    DESTDIR="${pkgdir}" samu install
-    ln -s ksh "${pkgdir}"/usr/bin/ksh93
-}

Copied: ksh/repos/community-x86_64/PKGBUILD (from rev 1054408, ksh/trunk/PKGBUILD)
===================================================================
--- PKGBUILD	                        (rev 0)
+++ PKGBUILD	2021-11-23 00:19:28 UTC (rev 1054409)
@@ -0,0 +1,66 @@
+# Maintainer: Caleb Maclennan <caleb at alerque.com>
+# Contributor: Eli Schwartz <eschwartz at archlinux.org>
+
+pkgname=ksh
+pkgver=2020.0.0
+pkgrel=3
+pkgdesc="The Original AT&T Korn Shell"
+arch=('x86_64')
+url="http://kornshell.org/"
+license=('EPL')
+makedepends=('meson' 'samurai')
+checkdepends=('ed' 'expect' 'openbsd-netcat' 'procps-ng' 'which' 'vi')
+provides=('ksh93')
+install=ksh.install
+source=("https://github.com/att/ast/releases/download/${pkgver}/ksh-${pkgver}.tar.xz"{,.asc}
+        "https://github.com/att/ast/commit/d89753b5d38482f4a3f17ba3b7d09ab07cfe7419.patch"
+        "CVE-2019-14868.patch")
+sha256sums=('3d6287f9ad13132bf8e57a8eac512b36a63ccce2b1e4531d7a946c5bf2375c63'
+            'SKIP'
+            '7d929d9073a90dc672b2f1eab0f9e80f716e236958bda34b7b992b382552f57f'
+            '3e28d2cbe4b6d8d4dc40056aaea78099b2dc95017796395e26f05baae1bbffa2')
+b2sums=('29f957c7917d469fe1b322e7ac2c22435c41c226a0d9629d91d81089ab90cb381b578b163be0f424a574663c838f0cfa59357f18dd61381daa4a8d4e383b60eb'
+        'SKIP'
+        '35c6886ffe362b83d5af42f57b3b6aa6a356e192d374537a61bc25507ca71f5d5419725e750e30980098209f48e87dbe0205ace07437e47b6ae3bbf9eb8424c4'
+        'de3e7fd86fb5bddfd85074d1337794a5777c2537baf5d00568beb82ac70ca2d5d6d47902d8ebe5cb32194d426172fbbfba6b4e511013209f0f3aaeec9e07a866')
+validpgpkeys=('4BF045ACC726FE4E9DFC1D7762213CE2D3CB82EA') # Siteshwar Vashisht <svashisht at redhat.com>
+
+export NINJA=/usr/bin/samu
+
+prepare() {
+    cd "${srcdir}"/ksh-${pkgver}
+
+    # ignore test error on non-debug builds: https://github.com/att/ast/issues/1390
+    patch -p1 -i ../d89753b5d38482f4a3f17ba3b7d09ab07cfe7419.patch
+    # CVE-2019-14868
+    patch -p1 -i ../CVE-2019-14868.patch
+
+    # b_chmod tests known to fail, esp in chroots
+    # https://github.com/att/ast/issues/1478
+    sed -i -e '/b_chmod/d' src/cmd/ksh93/tests/meson.build
+}
+
+
+build() {
+    mkdir -p "${srcdir}"/ksh-${pkgver}/build
+    cd "${srcdir}"/ksh-${pkgver}/build
+
+    meson --prefix /usr \
+          --buildtype=plain \
+          ..
+    samu
+}
+
+check() {
+    cd "${srcdir}"/ksh-${pkgver}/build
+
+    # a couple tests are flaky and may time out
+    meson test -t 3 --print-errorlogs
+}
+
+package() {
+    cd "${srcdir}"/ksh-${pkgver}/build
+
+    DESTDIR="${pkgdir}" samu install
+    ln -s ksh "${pkgdir}"/usr/bin/ksh93
+}
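Review bot: The new `sed -i -e '/b_chmod/d' src/cmd/ksh93/tests/meson.build` in `prepare()` has no check that it matched anything, so if upstream renames or relocates the test registration the build silently runs the tests the comment says are known to fail, and it also deletes any other line that merely contains `b_chmod`. A one-line guard makes the intent verifiable and fails the build loudly instead: `grep -q b_chmod src/cmd/ksh93/tests/meson.build || return 1` placed before the sed. The rest of the file is a verbatim copy from trunk apart from the maintainer lines and the pkgrel bump.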

Deleted: ksh.install
===================================================================
--- ksh.install	2021-11-23 00:09:09 UTC (rev 1054408)
+++ ksh.install	2021-11-23 00:19:28 UTC (rev 1054409)
@@ -1,12 +0,0 @@
-post_install() {
-    grep -qx /bin/ksh /etc/shells || echo /bin/ksh >>/etc/shells
-    grep -qx /usr/bin/ksh /etc/shells || echo /usr/bin/ksh >>/etc/shells
-}
-
-post_upgrade() {
-    post_install
-}
-
-post_remove() {
-    sed -i -r '/^(\/usr)?\/bin\/ksh$/d' etc/shells
-}

Copied: ksh/repos/community-x86_64/ksh.install (from rev 1054408, ksh/trunk/ksh.install)
===================================================================
--- ksh.install	                        (rev 0)
+++ ksh.install	2021-11-23 00:19:28 UTC (rev 1054409)
@@ -0,0 +1,12 @@
+post_install() {
+    grep -qx /bin/ksh /etc/shells || echo /bin/ksh >>/etc/shells
+    grep -qx /usr/bin/ksh /etc/shells || echo /usr/bin/ksh >>/etc/shells
+}
+
+post_upgrade() {
+    post_install
+}
+
+post_remove() {
+    sed -i -r '/^(\/usr)?\/bin\/ksh$/d' etc/shells
+}
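Review bot: `post_remove` edits `etc/shells` through a relative path while `post_install` reads and appends `/etc/shells` through an absolute one. Both presumably resolve to the same file when pacman runs the scriptlet from the root of the target filesystem, but the mismatch reads like a typo and would break if the hook were ever executed from another working directory; `sed -i -r '/^(\/usr)?\/bin\/ksh$/d' /etc/shells` keeps the three functions consistent. The file is otherwise an unchanged copy from trunk.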


