[ASA-202002-4] ksh: arbitrary command execution
foxboron at archlinux.org
Wed Feb 12 21:44:30 UTC 2020
Arch Linux Security Advisory ASA-202002-4
Date : 2020-02-08
CVE-ID : CVE-2019-14868
Package : ksh
Type : arbitrary command execution
Remote : No
Link : https://security.archlinux.org/AVG-1095
The package ksh before version 2020.0.0-2 is vulnerable to arbitrary
Upgrade to 2020.0.0-2.
# pacman -Syu "ksh>=2020.0.0-2"
The problem has been fixed upstream but no release is available yet.
A flaw was found in ksh version 2020.0.0 in the evaluation of certain
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Services and
applications that allow remote unauthenticated attackers to provide one
of those environment variables could allow them to exploit this issue.

An attacker is able to execute arbitrary commands that are blacklisted
on the affected host.
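One mitigation for the case described above, where a service lets an untrusted caller supply environment variables that reach ksh, as an added example that is not part of the advisory: a POSIX sh wrapper that starts the child through `env -i` with an explicit allowlist, so unvetted variables never reach the shell's startup evaluation. The names ALLOWED_VARS, run_with_clean_env, child_env_listing and child_lacks_var are this example's own, not anything from ksh or Arch.

```shell
#!/bin/sh
# Added example (not from the advisory): run a program, e.g. ksh, with an
# allowlisted environment so caller-supplied variables are never inherited.
# ALLOWED_VARS and the function names below are this example's own.

# Variables that may pass through to the child; everything else is dropped.
ALLOWED_VARS="PATH HOME LANG"

# run_with_clean_env CMD [ARGS...]
# Starts CMD via `env -i` so the child inherits nothing, then re-adds only
# the allowlisted variables that are actually set in the caller's environment.
run_with_clean_env() {
    _cmd=$1; shift
    set -- "$_cmd" "$@"              # keep the command and its arguments
    for _name in $ALLOWED_VARS; do
        # Look up the variable by name; skip it when it is unset.
        eval "_val=\${$_name-__unset__}"
        [ "$_val" = "__unset__" ] && continue
        set -- "$_name=$_val" "$@"   # prepend NAME=value for env -i
    done
    env -i "$@"
}

# Prints the environment the child would actually see (one NAME=value per line).
child_env_listing() {
    run_with_clean_env env
}

# Succeeds (exit 0) when the variable named $1 is absent from the child's env.
child_lacks_var() {
    ! child_env_listing | grep -q "^$1="
}
```

Calling `run_with_clean_env ksh -c 'cmd'` (or any other program) from a service entry point keeps a request-controlled variable from ever becoming part of the shell's environment.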