Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: anura...@debian.org, car...@debian.org
[ Reason ]
Summary of the issue: In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands.

[ Impact ]
Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely, although the risk is deemed low.

[ Tests ]
There is a test included in the diff that was used to validate the fix. Also, the regression test suite was run to make sure there were no regressions.

[ Risks ]
The regression test suite has been run before and after the patch to confirm no new regressions. Also, the fix is applied in unstable with no new issues reported.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
* Patch to arith.c that fixes the CVE
* Test case for the fix

[ Other info ]
This was brought up to the security team first, and it was deemed that a DSA is not required by Salvatore Bonaccorso.

Anuradha

-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
diff -Nru ksh-93u+20120801/debian/changelog ksh-93u+20120801/debian/changelog --- ksh-93u+20120801/debian/changelog 2018-12-14 02:26:58.000000000 -0500 +++ ksh-93u+20120801/debian/changelog 2020-07-12 11:26:07.000000000 -0400 @@ -1,3 +1,15 @@ +ksh (93u+20120801-4+deb10u1) buster-security; urgency=high + + * Fix for CVE-2019-14868: in ksh version 20120801, a flaw was found + in the way it evaluates certain environment variables. An attacker + could use this flaw to override or bypass environment restrictions + to execute shell commands. Services and applications that allow + remote unauthenticated attackers to provide one of those + environment variables could allow them to exploit this issue + remotely. (Closes: #948989) + + -- Anuradha Weeraman <anura...@debian.org> Sun, 12 Jul 2020 11:26:07 -0400 + ksh (93u+20120801-3.4) unstable; urgency=medium [ Boyuan Yang ] diff -Nru ksh-93u+20120801/debian/patches/cve-2019-14868.patch ksh-93u+20120801/debian/patches/cve-2019-14868.patch --- ksh-93u+20120801/debian/patches/cve-2019-14868.patch 1969-12-31 19:00:00.000000000 -0500 +++ ksh-93u+20120801/debian/patches/cve-2019-14868.patch 2020-07-12 11:26:07.000000000 -0400 
@@ -0,0 +1,97 @@ +Description: CVE-2019-14868 + Certain environment variables were interpreted as arithmetic + expressions on startup, leading to code injection. +Bug-Debian: https://bugs.debian.org/948989 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1757324 +Author: Kurtis Rader <kra...@skepticism.us> +Origin: https://github.com/ksh93/ksh/commit/593a5a8b7f272c2488c8a800820ae990942946e7 +Date: 2020-05-21 + +diff --git a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c +index b1059421..6361431b 100644 +--- a/src/cmd/ksh93/sh/arith.c ++++ b/src/cmd/ksh93/sh/arith.c +@@ -513,21 +513,36 @@ Sfdouble_t sh_strnum(register const char *str, char** ptr, int mode) + char base=(shp->inarith?0:10), *last; + if(*str==0) + { +- if(ptr) +- *ptr = (char*)str; +- return(0); +- } +- errno = 0; +- d = strtonll(str,&last,&base,-1); +- if(*last || errno) +- { +- if(!last || *last!='.' || last[1]!='.') +- d = strval(shp,str,&last,arith,mode); +- if(!ptr && *last && mode>0) +- errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str); ++ d = 0.0; ++ last = (char*)str; ++ } else { ++ errno = 0; ++ d = strtonll(str,&last,&base,-1); ++ if (*last && !shp->inarith && sh_isstate(SH_INIT)) { ++ /* This call is to handle "base#value" literals if we're importing untrusted env vars. */ ++ errno = 0; ++ d = strtonll(str, &last, NULL, -1); ++ } ++ ++ if(*last || errno) ++ { ++ if (sh_isstate(SH_INIT)) { ++ /* ++ * Initializing means importing untrusted env vars. The string does not appear to be ++ * a recognized numeric literal, so give up. We can't safely call strval(), because ++ * that allows arbitrary expressions, causing security vulnerability CVE-2019-14868. ++ */ ++ d = 0.0; ++ } else { ++ if(!last || *last!='.' 
|| last[1]!='.') ++ d = strval(shp,str,&last,arith,mode); ++ if(!ptr && *last && mode>0) ++ errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str); ++ } ++ } else if (!d && *str=='-') { ++ d = -0.0; ++ } + } +- else if (!d && *str=='-') +- d = -0.0; + if(ptr) + *ptr = last; + return(d); +diff --git a/src/cmd/ksh93/tests/variables.sh b/src/cmd/ksh93/tests/variables.sh +index 6eec31b6..9ceb2d1b 100755 +--- a/src/cmd/ksh93/tests/variables.sh ++++ b/src/cmd/ksh93/tests/variables.sh +@@ -674,4 +674,28 @@ level=$($SHELL -c $'$SHELL -c \'print -r "$SHLVL"\'') + $SHELL -c 'unset .sh' 2> /dev/null + [[ $? == 1 ]] || err_exit 'unset .sh should return 1' + ++# ====== ++# Verify that importing untrusted environment variables does not allow evaluating ++# arbitrary expressions, but does recognize all integer literals recognized by ksh. ++ ++expect=8 ++actual=$(env SHLVL='7' "$SHELL" -c 'echo $SHLVL') ++[[ $actual == $expect ]] || err_exit "decimal int literal not recognized (expected '$expect', got '$actual')" ++ ++expect=14 ++actual=$(env SHLVL='013' "$SHELL" -c 'echo $SHLVL') ++[[ $actual == $expect ]] || err_exit "leading zeros int literal not recognized (expected '$expect', got '$actual')" ++ ++expect=4 ++actual=$(env SHLVL='2#11' "$SHELL" -c 'echo $SHLVL') ++[[ $actual == $expect ]] || err_exit "base#value int literal not recognized (expected '$expect', got '$actual')" ++ ++expect=12 ++actual=$(env SHLVL='16#B' "$SHELL" -c 'echo $SHLVL') ++[[ $actual == $expect ]] || err_exit "base#value int literal not recognized (expected '$expect', got '$actual')" ++ ++expect=1 ++actual=$(env SHLVL="2#11+x[\$(env echo Exploited vuln CVE-2019-14868 >&2)0]" "$SHELL" -c 'echo $SHLVL' 2>&1) ++[[ $actual == $expect ]] || err_exit "expression allowed on env var import (expected '$expect', got '$actual')" ++ + exit $((Errors<125?Errors:125)) diff -Nru ksh-93u+20120801/debian/patches/series ksh-93u+20120801/debian/patches/series --- ksh-93u+20120801/debian/patches/series 2018-12-14 
02:26:58.000000000 -0500 +++ ksh-93u+20120801/debian/patches/series 2020-07-12 11:26:07.000000000 -0400 @@ -7,3 +7,4 @@ ed.patch 0008-Bug-887743-Fix-build-failures-caused-by-update-in-gl.patch bug915326.patch +cve-2019-14868.patch
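Review bot: the new debian/changelog entry targets `buster-security` with `urgency=high`, but this request is filed as a pu (Usertags: pu) and the [ Other info ] section says the security team decided no DSA is needed, so a proposed-updates upload should use the distribution `buster`. The version `93u+20120801-4+deb10u1` is also built on a `-4` base that does not appear in the old changelog, whose top entry is `93u+20120801-3.4`; the usual stable-update form would be `93u+20120801-3.4+deb10u1`, which additionally keeps the stable version below any `-4` revision in unstable.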
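Review bot: in the arith.c hunk, when `sh_isstate(SH_INIT)` is true and the string is not a recognized numeric literal, `d` is set to `0.0` but `last` is left wherever the second `strtonll()` stopped, so a caller that passed `ptr` receives a pointer into the middle of the rejected string while the value returned is zero; consider whether `last` should be reset in that branch (the `*str==0` branch above it sets `last = (char*)str`) or add a comment stating that the remainder is deliberately left unparsed. The new block also switches to cuddled `} else {` braces while the rest of `sh_strnum()` puts braces on their own lines; matching the file's style would make this security-relevant change easier to review against upstream.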
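Review bot: the two `base#value` checks in the variables.sh hunk (`SHLVL='2#11'` and `SHLVL='16#B'`) emit the identical message `base#value int literal not recognized`, so a failure can only be told apart by the expected/actual values; naming the base in each message (for example `base 2 literal not recognized` and `base 16 literal not recognized`) would make a regression report self-explanatory. The final check captures stderr with `2>&1` so that any `Exploited vuln` output from an evaluated expression breaks the `$actual == $expect` comparison, which is the right way to detect the regression; a short comment noting that any unrelated startup warning will also fail this check would help whoever debugs it later.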