diff --git a/SOURCES/ksh-20120801-cve-2019-14868.patch b/SOURCES/ksh-20120801-cve-2019-14868.patch
new file mode 100644
index 0000000..b0703f3
--- /dev/null
+++ b/SOURCES/ksh-20120801-cve-2019-14868.patch
@@ -0,0 +1,52 @@
+diff --git a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c
+--- a/src/cmd/ksh93/sh/arith.c
++++ b/src/cmd/ksh93/sh/arith.c
+@@ -513,21 +513,34 @@ Sfdouble_t sh_strnum(register const char *str, char** ptr, int mode)
+ char base=(shp->inarith?0:10), *last;
+ if(*str==0)
+ {
+- if(ptr)
+- *ptr = (char*)str;
+- return(0);
+- }
+- errno = 0;
+- d = strtonll(str,&last,&base,-1);
+- if(*last || errno)
+- {
+- if(!last || *last!='.' || last[1]!='.')
+- d = strval(shp,str,&last,arith,mode);
+- if(!ptr && *last && mode>0)
+- errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
++ d = 0.0;
++ last = (char*)str;
++ } else {
++ errno = 0;
++ d = strtonll(str,&last,&base,-1);
++ if (*last && !shp->inarith && sh_isstate(SH_INIT)) {
++ // This call is to handle "base#value" literals if we're importing untrusted env vars.
++ errno = 0;
++ d = strtonll(str, &last, NULL, -1);
++ }
++
++ if(*last || errno)
++ {
++ if (sh_isstate(SH_INIT)) {
++ // Initializing means importing untrusted env vars. Since the string does not appear
++ // to be a recognized numeric literal give up. We can't safely call strval() since
++ // that allows arbitrary expressions which would create a security vulnerability.
++ d = 0.0;
++ } else {
++ if(!last || *last!='.' || last[1]!='.')
++ d = strval(shp,str,&last,arith,mode);
++ if(!ptr && *last && mode>0)
++ errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
++ }
++ } else if (!d && *str=='-') {
++ d = -0.0;
++ }
+ }
+- else if (!d && *str=='-')
+- d = -0.0;
+ if(ptr)
+ *ptr = last;
+ return(d);
diff --git a/SPECS/ksh.spec b/SPECS/ksh.spec
index 6c4879f..fe1adb8 100644
--- a/SPECS/ksh.spec
+++ b/SPECS/ksh.spec
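Review bot: The added `if (*last && !shp->inarith && sh_isstate(SH_INIT))` line, and the `if(*last || errno)` test below it, dereference `last` before the retained `if(!last || *last!='.' || last[1]!='.')` guard tests it for NULL, so that NULL test can never take effect. Assuming strtonll always writes its stop position back through `&last`, the consistent form is `if(*last!='.' || last[1]!='.')`; if it can leave `last` unset, the NULL check has to move above the first dereference instead. The SH_INIT rejection branch sets `d = 0.0` but leaves `last` at the first unparsed character, so a caller that passes `ptr` gets `*ptr` pointing at a non-NUL byte and can distinguish a rejected import from a genuine zero; a comment such as `// leave last at the offending char so callers passing ptr can detect the rejection` would make clear this is relied upon rather than accidental. sh_strnum begins before the hunk; the declarations of `d` and `arith` are outside it.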
@@ -6,7 +6,7 @@ Summary: The Original ATT Korn Shell
 URL: http://www.kornshell.com/
 License: EPL
 Version: %{releasedate}
-Release: 252%{?dist}
+Release: 254%{?dist}
 Source0: http://www.research.att.com/~gsf/download/tgz/ast-ksh.%{release_date}.tgz
 Source1: http://www.research.att.com/~gsf/download/tgz/INIT.%{release_date}.tgz
 Source2: kshcomp.conf
@@ -214,6 +214,9 @@ Patch87: ksh-20120801-covsfix2.patch
 # rhbz#1624125
 Patch88: ksh-20120801-annocheck.patch
+# rhbz#1790547
+Patch89: ksh-20120801-cve-2019-14868.patch
+
 Conflicts: pdksh
 Requires: coreutils, diffutils, chkconfig
 BuildRequires: bison
@@ -366,6 +369,13 @@ fi
 %config(noreplace) %{_sysconfdir}/binfmt.d/kshcomp.conf
 %changelog
+* Thu Feb 06 2020 Siteshwar Vashisht - 20120801-254
+- Bump version number to avoid breaking upgrade path
+
+* Wed Jan 08 2020 Siteshwar Vashisht - 20120801-253
+- Do not evaluate arithmetic expressions from environment variables at startup
+ Resolves: #1790547
+
 * Tue Oct 16 2018 Siteshwar Vashisht - 20120801-252
 - Use autosetup instead of setup in spec file