[arch-commits] Commit in ksh/repos/community-x86_64 (6 files)
Caleb Maclennan
alerque at gemini.archlinux.org
Tue Nov 23 00:19:28 UTC 2021
Date: Tuesday, November 23, 2021 @ 00:19:28
Author: alerque
Revision: 1054409
archrelease: copy trunk to community-x86_64
Added:
ksh/repos/community-x86_64/CVE-2019-14868.patch
(from rev 1054408, ksh/trunk/CVE-2019-14868.patch)
ksh/repos/community-x86_64/PKGBUILD
(from rev 1054408, ksh/trunk/PKGBUILD)
ksh/repos/community-x86_64/ksh.install
(from rev 1054408, ksh/trunk/ksh.install)
Deleted:
ksh/repos/community-x86_64/CVE-2019-14868.patch
ksh/repos/community-x86_64/PKGBUILD
ksh/repos/community-x86_64/ksh.install
----------------------+
CVE-2019-14868.patch | 188 ++++++++++++++++++++++++-------------------------
PKGBUILD | 127 +++++++++++++++++----------------
ksh.install | 24 +++---
3 files changed, 172 insertions(+), 167 deletions(-)
Deleted: CVE-2019-14868.patch
===================================================================
--- CVE-2019-14868.patch 2021-11-23 00:09:09 UTC (rev 1054408)
+++ CVE-2019-14868.patch 2021-11-23 00:19:28 UTC (rev 1054409)
@@ -1,94 +0,0 @@
-From c5ed0136a7b6727332ed1ac598c176a5e0087683 Mon Sep 17 00:00:00 2001
-From: Kurtis Rader <krader at skepticism.us>
-Date: Thu, 12 Dec 2019 18:46:50 -0800
-Subject: [PATCH] Harden env var imports
-
-(cherry picked from commit c7de8b641266bac7c77942239ac659edfee9ecd2)
----
- src/cmd/ksh93/sh/arith.c | 37 ++++++++++++++++++++++-----------
- src/cmd/ksh93/tests/subshell.sh | 23 ++++++++++++++++++++
- 2 files changed, 48 insertions(+), 12 deletions(-)
-
-diff --git a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c
-index 5ca3fce4..53eb45ea 100644
---- a/src/cmd/ksh93/sh/arith.c
-+++ b/src/cmd/ksh93/sh/arith.c
-@@ -567,19 +567,32 @@ Sfdouble_t sh_strnum(Shell_t *shp, const char *str, char **ptr, int mode) {
- char *last;
-
- if (*str == 0) {
-- if (ptr) *ptr = (char *)str;
-- return 0;
-- }
-- errno = 0;
-- d = number(str, &last, shp->inarith ? 0 : 10, NULL);
-- if (*last) {
-- if (*last != '.' || last[1] != '.') {
-- d = strval(shp, str, &last, arith, mode);
-- Varsubscript = true;
-+ d = 0.0;
-+ last = (char *)str;
-+ } else {
-+ d = number(str, &last, shp->inarith ? 0 : 10, NULL);
-+ if (*last && !shp->inarith && sh_isstate(shp, SH_INIT)) {
-+ // This call is to handle "base#value" literals if we're importing untrusted env vars.
-+ d = number(str, &last, 0, NULL);
-+ }
-+ if (*last) {
-+ if (sh_isstate(shp, SH_INIT)) {
-+ // Initializing means importing untrusted env vars. Since the string does not appear
-+ // to be a recognized numeric literal give up. We can't safely call strval() since
-+ // that allows arbitrary expressions which would create a security vulnerability.
-+ d = 0.0;
-+ } else {
-+ if (*last != '.' || last[1] != '.') {
-+ d = strval(shp, str, &last, arith, mode);
-+ Varsubscript = true;
-+ }
-+ if (!ptr && *last && mode > 0) {
-+ errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str);
-+ }
-+ }
-+ } else if (d == 0.0 && *str == '-') {
-+ d = -0.0;
- }
-- if (!ptr && *last && mode > 0) errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str);
-- } else if (!d && *str == '-') {
-- d = -0.0;
- }
- if (ptr) *ptr = last;
- return d;
-diff --git a/src/cmd/ksh93/tests/subshell.sh b/src/cmd/ksh93/tests/subshell.sh
-index b63a8051..3faba475 100644
---- a/src/cmd/ksh93/tests/subshell.sh
-+++ b/src/cmd/ksh93/tests/subshell.sh
-@@ -856,3 +856,26 @@ for exp in 65535 65536
- do got=$($SHELL -c 'x=$(printf "%.*c" '$exp' x); print ${#x}' 2>&1)
- [[ $got == $exp ]] || log_error "large command substitution failed" "$exp" "$got"
- done
-+
-+# ==========
-+# Verify that importing untrusted env vars does not allow evaluating arbitrary expressions but does
-+# recognize all integer literals recognized by ksh.
-+expect=8
-+actual=$(env SHLVL='7' $SHELL -c 'echo $SHLVL')
-+[[ $actual == $expect ]] || log_error "decimal int literal not recognized" "$expect" "$actual"
-+
-+expect=14
-+actual=$(env SHLVL='013' $SHELL -c 'echo $SHLVL')
-+[[ $actual == $expect ]] || log_error "leading zeros int literal not recognized" "$expect" "$actual"
-+
-+expect=4
-+actual=$(env SHLVL='2#11' $SHELL -c 'echo $SHLVL')
-+[[ $actual == $expect ]] || log_error "base#value int literal not recognized" "$expect" "$actual"
-+
-+expect=12
-+actual=$(env SHLVL='16#B' $SHELL -c 'echo $SHLVL')
-+[[ $actual == $expect ]] || log_error "base#value int literal not recognized" "$expect" "$actual"
-+
-+expect=1
-+actual=$(env SHLVL="2#11+x[\$($bin_echo DANGER WILL ROBINSON >&2)0]" $SHELL -c 'echo $SHLVL')
-+[[ $actual == $expect ]] || log_error "expression allowed on env var import" "$expect" "$actual"
---
-2.25.0
-
Copied: ksh/repos/community-x86_64/CVE-2019-14868.patch (from rev 1054408, ksh/trunk/CVE-2019-14868.patch)
===================================================================
--- CVE-2019-14868.patch (rev 0)
+++ CVE-2019-14868.patch 2021-11-23 00:19:28 UTC (rev 1054409)
@@ -0,0 +1,94 @@
+From c5ed0136a7b6727332ed1ac598c176a5e0087683 Mon Sep 17 00:00:00 2001
+From: Kurtis Rader <krader at skepticism.us>
+Date: Thu, 12 Dec 2019 18:46:50 -0800
+Subject: [PATCH] Harden env var imports
+
+(cherry picked from commit c7de8b641266bac7c77942239ac659edfee9ecd2)
+---
+ src/cmd/ksh93/sh/arith.c | 37 ++++++++++++++++++++++-----------
+ src/cmd/ksh93/tests/subshell.sh | 23 ++++++++++++++++++++
+ 2 files changed, 48 insertions(+), 12 deletions(-)
+
+diff --git a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c
+index 5ca3fce4..53eb45ea 100644
+--- a/src/cmd/ksh93/sh/arith.c
++++ b/src/cmd/ksh93/sh/arith.c
+@@ -567,19 +567,32 @@ Sfdouble_t sh_strnum(Shell_t *shp, const char *str, char **ptr, int mode) {
+ char *last;
+
+ if (*str == 0) {
+- if (ptr) *ptr = (char *)str;
+- return 0;
+- }
+- errno = 0;
+- d = number(str, &last, shp->inarith ? 0 : 10, NULL);
+- if (*last) {
+- if (*last != '.' || last[1] != '.') {
+- d = strval(shp, str, &last, arith, mode);
+- Varsubscript = true;
++ d = 0.0;
++ last = (char *)str;
++ } else {
++ d = number(str, &last, shp->inarith ? 0 : 10, NULL);
++ if (*last && !shp->inarith && sh_isstate(shp, SH_INIT)) {
++ // This call is to handle "base#value" literals if we're importing untrusted env vars.
++ d = number(str, &last, 0, NULL);
++ }
++ if (*last) {
++ if (sh_isstate(shp, SH_INIT)) {
++ // Initializing means importing untrusted env vars. Since the string does not appear
++ // to be a recognized numeric literal give up. We can't safely call strval() since
++ // that allows arbitrary expressions which would create a security vulnerability.
++ d = 0.0;
++ } else {
++ if (*last != '.' || last[1] != '.') {
++ d = strval(shp, str, &last, arith, mode);
++ Varsubscript = true;
++ }
++ if (!ptr && *last && mode > 0) {
++ errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str);
++ }
++ }
++ } else if (d == 0.0 && *str == '-') {
++ d = -0.0;
+ }
+- if (!ptr && *last && mode > 0) errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str);
+- } else if (!d && *str == '-') {
+- d = -0.0;
+ }
+ if (ptr) *ptr = last;
+ return d;
+diff --git a/src/cmd/ksh93/tests/subshell.sh b/src/cmd/ksh93/tests/subshell.sh
+index b63a8051..3faba475 100644
+--- a/src/cmd/ksh93/tests/subshell.sh
++++ b/src/cmd/ksh93/tests/subshell.sh
+@@ -856,3 +856,26 @@ for exp in 65535 65536
+ do got=$($SHELL -c 'x=$(printf "%.*c" '$exp' x); print ${#x}' 2>&1)
+ [[ $got == $exp ]] || log_error "large command substitution failed" "$exp" "$got"
+ done
++
++# ==========
++# Verify that importing untrusted env vars does not allow evaluating arbitrary expressions but does
++# recognize all integer literals recognized by ksh.
++expect=8
++actual=$(env SHLVL='7' $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "decimal int literal not recognized" "$expect" "$actual"
++
++expect=14
++actual=$(env SHLVL='013' $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "leading zeros int literal not recognized" "$expect" "$actual"
++
++expect=4
++actual=$(env SHLVL='2#11' $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "base#value int literal not recognized" "$expect" "$actual"
++
++expect=12
++actual=$(env SHLVL='16#B' $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "base#value int literal not recognized" "$expect" "$actual"
++
++expect=1
++actual=$(env SHLVL="2#11+x[\$($bin_echo DANGER WILL ROBINSON >&2)0]" $SHELL -c 'echo $SHLVL')
++[[ $actual == $expect ]] || log_error "expression allowed on env var import" "$expect" "$actual"
+--
+2.25.0
+
Deleted: PKGBUILD
===================================================================
--- PKGBUILD 2021-11-23 00:09:09 UTC (rev 1054408)
+++ PKGBUILD 2021-11-23 00:19:28 UTC (rev 1054409)
@@ -1,61 +0,0 @@
-# Maintainer: Eli Schwartz <eschwartz at archlinux.org>
-
-pkgname=ksh
-pkgver=2020.0.0
-pkgrel=2
-pkgdesc="The Original AT&T Korn Shell"
-arch=('x86_64')
-url="http://kornshell.org/"
-license=('EPL')
-makedepends=('meson' 'samurai')
-checkdepends=('ed' 'expect' 'openbsd-netcat' 'procps-ng' 'which' 'vi')
-provides=('ksh93')
-install=ksh.install
-source=("https://github.com/att/ast/releases/download/${pkgver}/ksh-${pkgver}.tar.xz"{,.asc}
- "https://github.com/att/ast/commit/d89753b5d38482f4a3f17ba3b7d09ab07cfe7419.patch"
- "CVE-2019-14868.patch")
-sha256sums=('3d6287f9ad13132bf8e57a8eac512b36a63ccce2b1e4531d7a946c5bf2375c63'
- 'SKIP'
- '7d929d9073a90dc672b2f1eab0f9e80f716e236958bda34b7b992b382552f57f'
- '3e28d2cbe4b6d8d4dc40056aaea78099b2dc95017796395e26f05baae1bbffa2')
-b2sums=('29f957c7917d469fe1b322e7ac2c22435c41c226a0d9629d91d81089ab90cb381b578b163be0f424a574663c838f0cfa59357f18dd61381daa4a8d4e383b60eb'
- 'SKIP'
- '35c6886ffe362b83d5af42f57b3b6aa6a356e192d374537a61bc25507ca71f5d5419725e750e30980098209f48e87dbe0205ace07437e47b6ae3bbf9eb8424c4'
- 'de3e7fd86fb5bddfd85074d1337794a5777c2537baf5d00568beb82ac70ca2d5d6d47902d8ebe5cb32194d426172fbbfba6b4e511013209f0f3aaeec9e07a866')
-validpgpkeys=('4BF045ACC726FE4E9DFC1D7762213CE2D3CB82EA') # Siteshwar Vashisht <svashisht at redhat.com>
-
-export NINJA=/usr/bin/samu
-
-prepare() {
- cd "${srcdir}"/ksh-${pkgver}
-
- # ignore test error on non-debug builds: https://github.com/att/ast/issues/1390
- patch -p1 -i ../d89753b5d38482f4a3f17ba3b7d09ab07cfe7419.patch
- # CVE-2019-14868
- patch -p1 -i ../CVE-2019-14868.patch
-}
-
-
-build() {
- mkdir -p "${srcdir}"/ksh-${pkgver}/build
- cd "${srcdir}"/ksh-${pkgver}/build
-
- meson --prefix /usr \
- --buildtype=plain \
- ..
- samu
-}
-
-check() {
- cd "${srcdir}"/ksh-${pkgver}/build
-
- # a couple tests are flaky and may time out
- meson test -t 3 --print-errorlogs
-}
-
-package() {
- cd "${srcdir}"/ksh-${pkgver}/build
-
- DESTDIR="${pkgdir}" samu install
- ln -s ksh "${pkgdir}"/usr/bin/ksh93
-}
Copied: ksh/repos/community-x86_64/PKGBUILD (from rev 1054408, ksh/trunk/PKGBUILD)
===================================================================
--- PKGBUILD (rev 0)
+++ PKGBUILD 2021-11-23 00:19:28 UTC (rev 1054409)
@@ -0,0 +1,66 @@
+# Maintainer: Caleb Maclennan <caleb at alerque.com>
+# Contributor: Eli Schwartz <eschwartz at archlinux.org>
+
+pkgname=ksh
+pkgver=2020.0.0
+pkgrel=3
+pkgdesc="The Original AT&T Korn Shell"
+arch=('x86_64')
+url="http://kornshell.org/"
+license=('EPL')
+makedepends=('meson' 'samurai')
+checkdepends=('ed' 'expect' 'openbsd-netcat' 'procps-ng' 'which' 'vi')
+provides=('ksh93')
+install=ksh.install
+source=("https://github.com/att/ast/releases/download/${pkgver}/ksh-${pkgver}.tar.xz"{,.asc}
+ "https://github.com/att/ast/commit/d89753b5d38482f4a3f17ba3b7d09ab07cfe7419.patch"
+ "CVE-2019-14868.patch")
+sha256sums=('3d6287f9ad13132bf8e57a8eac512b36a63ccce2b1e4531d7a946c5bf2375c63'
+ 'SKIP'
+ '7d929d9073a90dc672b2f1eab0f9e80f716e236958bda34b7b992b382552f57f'
+ '3e28d2cbe4b6d8d4dc40056aaea78099b2dc95017796395e26f05baae1bbffa2')
+b2sums=('29f957c7917d469fe1b322e7ac2c22435c41c226a0d9629d91d81089ab90cb381b578b163be0f424a574663c838f0cfa59357f18dd61381daa4a8d4e383b60eb'
+ 'SKIP'
+ '35c6886ffe362b83d5af42f57b3b6aa6a356e192d374537a61bc25507ca71f5d5419725e750e30980098209f48e87dbe0205ace07437e47b6ae3bbf9eb8424c4'
+ 'de3e7fd86fb5bddfd85074d1337794a5777c2537baf5d00568beb82ac70ca2d5d6d47902d8ebe5cb32194d426172fbbfba6b4e511013209f0f3aaeec9e07a866')
+validpgpkeys=('4BF045ACC726FE4E9DFC1D7762213CE2D3CB82EA') # Siteshwar Vashisht <svashisht at redhat.com>
+
+export NINJA=/usr/bin/samu
+
+prepare() {
+ cd "${srcdir}"/ksh-${pkgver}
+
+ # ignore test error on non-debug builds: https://github.com/att/ast/issues/1390
+ patch -p1 -i ../d89753b5d38482f4a3f17ba3b7d09ab07cfe7419.patch
+ # CVE-2019-14868
+ patch -p1 -i ../CVE-2019-14868.patch
+
+ # b_chmod tests known to fail, esp in chroots
+ # https://github.com/att/ast/issues/1478
+ sed -i -e '/b_chmod/d' src/cmd/ksh93/tests/meson.build
+}
+
+
+build() {
+ mkdir -p "${srcdir}"/ksh-${pkgver}/build
+ cd "${srcdir}"/ksh-${pkgver}/build
+
+ meson --prefix /usr \
+ --buildtype=plain \
+ ..
+ samu
+}
+
+check() {
+ cd "${srcdir}"/ksh-${pkgver}/build
+
+ # a couple tests are flaky and may time out
+ meson test -t 3 --print-errorlogs
+}
+
+package() {
+ cd "${srcdir}"/ksh-${pkgver}/build
+
+ DESTDIR="${pkgdir}" samu install
+ ln -s ksh "${pkgdir}"/usr/bin/ksh93
+}
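Review bot: The `sed -i -e '/b_chmod/d' src/cmd/ksh93/tests/meson.build` added to prepare() deletes every line that mentions b_chmod and exits 0 whether or not anything matched, so a later tarball bump that renames or moves that test entry would silently either keep the failing test in the suite or strip an unrelated line from the build file. Fail loudly when the expected entry is missing so the workaround is revisited rather than forgotten, e.g. `grep -q 'b_chmod' src/cmd/ksh93/tests/meson.build || { echo 'b_chmod entry not found in tests/meson.build; review workaround' >&2; return 1; }` placed before the sed. The comment already links the upstream issue, which is good; consider also stating in it which upstream release is expected to make the deletion unnecessary, if known. As a minor point, `url="http://kornshell.org/"` is still plain http; switch to https if the site serves it.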
Deleted: ksh.install
===================================================================
--- ksh.install 2021-11-23 00:09:09 UTC (rev 1054408)
+++ ksh.install 2021-11-23 00:19:28 UTC (rev 1054409)
@@ -1,12 +0,0 @@
-post_install() {
- grep -qx /bin/ksh /etc/shells || echo /bin/ksh >>/etc/shells
- grep -qx /usr/bin/ksh /etc/shells || echo /usr/bin/ksh >>/etc/shells
-}
-
-post_upgrade() {
- post_install
-}
-
-post_remove() {
- sed -i -r '/^(\/usr)?\/bin\/ksh$/d' etc/shells
-}
Copied: ksh/repos/community-x86_64/ksh.install (from rev 1054408, ksh/trunk/ksh.install)
===================================================================
--- ksh.install (rev 0)
+++ ksh.install 2021-11-23 00:19:28 UTC (rev 1054409)
@@ -0,0 +1,12 @@
+post_install() {
+ grep -qx /bin/ksh /etc/shells || echo /bin/ksh >>/etc/shells
+ grep -qx /usr/bin/ksh /etc/shells || echo /usr/bin/ksh >>/etc/shells
+}
+
+post_upgrade() {
+ post_install
+}
+
+post_remove() {
+ sed -i -r '/^(\/usr)?\/bin\/ksh$/d' etc/shells
+}
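Review bot: post_remove edits `etc/shells` through a relative path while post_install reads and writes `/etc/shells`, so the three hooks do not agree on the file they touch; this presumably only works because the scriptlet runs with the target root as its working directory, and it reads as a typo to the next maintainer. Use `sed -i -r '/^(\/usr)?\/bin\/ksh$/d' /etc/shells` so the path is absolute like the others. Since post_upgrade simply calls post_install, the same line-exact `grep -qx` guard keeps repeated upgrades from appending duplicate entries, which is fine as written.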