Your message dated Sun, 26 Jul 2020 11:17:10 +0000
with message-id <e1jzeeu-0000ou...@fasolo.debian.org>
and subject line Bug#948989: fixed in ksh 93u+20120801-3.4+deb10u1
has caused the Debian Bug report #948989,
regarding ksh: CVE-2019-14868
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
948989: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948989
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ksh
Version: 2020.0.0-2
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerability was published for ksh.
CVE-2019-14868[0]:
|environment variables on startup are interpreted as arithmetic
|expression leading to code injection
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-14868
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14868
[1] https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ksh
Source-Version: 93u+20120801-3.4+deb10u1
Done: Anuradha Weeraman <anura...@debian.org>
We believe that the bug you reported is fixed in the latest version of
ksh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 948...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anuradha Weeraman <anura...@debian.org> (supplier of updated ksh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 12 Jul 2020 11:26:07 -0400
Source: ksh
Architecture: source
Version: 93u+20120801-3.4+deb10u1
Distribution: buster
Urgency: high
Maintainer: Nicholas Bamber <nicho...@periapt.co.uk>
Changed-By: Anuradha Weeraman <anura...@debian.org>
Closes: 948989
Changes:
ksh (93u+20120801-3.4+deb10u1) buster; urgency=high
.
* Fix for CVE-2019-14868: in ksh version 20120801, a flaw was found
in the way it evaluates certain environment variables. An attacker
could use this flaw to override or bypass environment restrictions
to execute shell commands. Services and applications that allow
remote unauthenticated attackers to provide one of those
environment variables could allow them to exploit this issue
remotely. (Closes: #948989)
Checksums-Sha1:
41bfe116eae6ef9c6a34ad7100017d00580eb63a 1876 ksh_93u+20120801-3.4+deb10u1.dsc
c3647a3a8232b66e8f731fc34213441b2e7567e0 17576 ksh_93u+20120801-3.4+deb10u1.debian.tar.xz
ef87d7639771eced1d5890013942d6c6970e4f5f 5742 ksh_93u+20120801-3.4+deb10u1_amd64.buildinfo
Checksums-Sha256:
1b6ab2859bdb0adb96f2b2f7d3116008f5382f0a27871549b658103db281e941 1876 ksh_93u+20120801-3.4+deb10u1.dsc
f3379767c58f9c6c1915919f05520bf56cd2429884a7b8c76576206301f2c2b0 17576 ksh_93u+20120801-3.4+deb10u1.debian.tar.xz
b0deb85adc29eb2b6d7c67bf2746b2c184059c84b9da604b791ebddebeaa0570 5742 ksh_93u+20120801-3.4+deb10u1_amd64.buildinfo
Files:
f9f2ac68acee3d114126f43e7fb8209d 1876 shells optional ksh_93u+20120801-3.4+deb10u1.dsc
28ee52a4dcc5c7d31dc2a060d3cc2d58 17576 shells optional ksh_93u+20120801-3.4+deb10u1.debian.tar.xz
17fbb74f473b84558f336fae443def8a 5742 shells optional ksh_93u+20120801-3.4+deb10u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=mZy6
-----END PGP SIGNATURE-----
--- End Message ---
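The CVE summary in the bug report above ("environment variables on startup are interpreted as arithmetic expression leading to code injection") and the changelog entry in the closing message both describe the same primitive: text an attacker controls is handed to the shell's arithmetic evaluator, and in bash and ksh93 an array subscript inside an arithmetic expression is expanded, command substitution included, before the expression is evaluated. The following script is an added illustration of that generic pattern and its hardened counterpart; it is not code from the ksh project, the Debian package, the upstream fix or this bug report, and it does not reproduce the ksh startup path that CVE-2019-14868 concerns. The function names unsafe_arith, safe_arith and demo_injection, the canary file and the constructed payload are all assumptions made for the example.

```shell
#!/bin/sh
# Added illustration, not code from the ksh project, the Debian package or
# the bug report.  Shows why evaluating attacker-controlled text as shell
# arithmetic is code injection, and how to validate before evaluating.
# It does NOT reproduce the ksh startup/environment path of CVE-2019-14868.

# Vulnerable pattern: the caller's string goes straight into $(( )).
# In bash and ksh93 an array subscript inside the expression is expanded
# (command substitution included) before evaluation, so a "number" such as
# 'a[$(cmd)]' runs cmd as a side effect.
unsafe_arith() {
    echo $(( $1 ))
}

# Hardened pattern: accept only a tiny grammar (digits and + - * /) and
# reject everything else before $(( )) ever sees it.  Whitespace, newlines,
# brackets, '$', '(' and so on all fail the character-class test.
# (Division by zero is still an evaluation error; out of scope here.)
safe_arith() {
    case "$1" in
        '')            return 1 ;;
        *[!0-9+*/-]*)  return 1 ;;
    esac
    echo $(( $1 ))
}

# Canary demo, only meaningful in shells whose arithmetic expands array
# subscripts (bash, ksh93); dash/POSIX sh has no arrays and would error out.
# The constructed payload evaluates to a valid subscript (0) after running
# the injected command.  Returns "fired" if the canary was written, else "no".
demo_injection() {
    canary=$(mktemp) || return 1
    : > "$canary"
    payload="a[\$(echo pwned > $canary; echo 0)]"   # attacker-supplied "number"
    unsafe_arith "$payload" >/dev/null 2>&1 || true
    if [ -s "$canary" ]; then result=fired; else result=no; fi
    rm -f "$canary"
    echo "$result"
}

if [ -n "$BASH_VERSION" ] || [ -n "$KSH_VERSION" ]; then
    echo "unsafe_arith with injected subscript: $(demo_injection)"
fi
echo "safe_arith '2+3*4' -> $(safe_arith '2+3*4')"
safe_arith 'a[$(id)]' || echo "safe_arith rejected the injection attempt"
```

Run it under bash or ksh93 to see the canary fire through unsafe_arith; under dash the demonstration is skipped and only the validating function is exercised. The point of safe_arith is that the allow-list is checked on the raw string, before any expansion, so there is no window in which the evaluator can interpret a subscript or a command substitution.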