import ksh-20120801-254.el8

2020-07-28 10:26:48 -04:00 · 2020-07-28 10:26:48 -04:00 · 0ea2446f21
commit 0ea2446f21
parent 7f824c89f0
2 changed files with 63 additions and 1 deletions
--- a/SOURCES/ksh-20120801-cve-2019-14868.patch
+++ b/SOURCES/ksh-20120801-cve-2019-14868.patch
@ -0,0 +1,52 @@
+diff --git a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c
+--- a/src/cmd/ksh93/sh/arith.c
+++ b/src/cmd/ksh93/sh/arith.c
+@@ -513,21 +513,34 @@ Sfdouble_t sh_strnum(register const char *str, char** ptr, int mode)
+ 	char base=(shp->inarith?0:10), *last;
+ 	if(*str==0)
+ 	{
+-		if(ptr)
+-			*ptr = (char*)str;
+-		return(0);
+-	}
+-	errno = 0;
+-	d = strtonll(str,&last,&base,-1);
+-	if(*last || errno)
+-	{
+-		if(!last || *last!='.' || last[1]!='.')
+-			d = strval(shp,str,&last,arith,mode);
+-		if(!ptr && *last && mode>0)
+-			errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
+		d = 0.0;
+		last = (char*)str;
+	} else {
+		errno = 0;
+		d = strtonll(str,&last,&base,-1);
+		if (*last && !shp->inarith && sh_isstate(SH_INIT)) {
+			// This call is to handle "base#value" literals if we're importing untrusted env vars.
+			errno = 0;
+			d = strtonll(str, &last, NULL, -1);
+		}
+
+		if(*last || errno)
+		{
+			if (sh_isstate(SH_INIT)) {
+				// Initializing means importing untrusted env vars. Since the string does not appear
+				// to be a recognized numeric literal give up. We can't safely call strval() since
+				// that allows arbitrary expressions which would create a security vulnerability.
+				d = 0.0;
+			} else {
+				if(!last || *last!='.' || last[1]!='.')
+					d = strval(shp,str,&last,arith,mode);
+				if(!ptr && *last && mode>0)
+					errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
+			}
+		} else if (!d && *str=='-') {
+			d = -0.0;
+		}
+ 	}
+-	else if (!d && *str=='-')
+-		d = -0.0;
+ 	if(ptr)
+ 		*ptr = last;
+ 	return(d);
--- a/SPECS/ksh.spec
+++ b/SPECS/ksh.spec
@ -6,7 +6,7 @@ Summary:      The Original ATT Korn Shell
 URL:          http://www.kornshell.com/
 License:      EPL
 Version:      %{releasedate}
-Release:      252%{?dist}
+Release:      254%{?dist}
 Source0:      http://www.research.att.com/~gsf/download/tgz/ast-ksh.%{release_date}.tgz
 Source1:      http://www.research.att.com/~gsf/download/tgz/INIT.%{release_date}.tgz
 Source2:      kshcomp.conf
@ -214,6 +214,9 @@ Patch87: ksh-20120801-covsfix2.patch
 # rhbz#1624125
 Patch88: ksh-20120801-annocheck.patch

+# rhbz#1790547
+Patch89: ksh-20120801-cve-2019-14868.patch
+
 Conflicts:    pdksh
 Requires: coreutils, diffutils, chkconfig
 BuildRequires: bison
@ -366,6 +369,13 @@ fi
 %config(noreplace) %{_sysconfdir}/binfmt.d/kshcomp.conf

 %changelog
+* Thu Feb 06 2020 Siteshwar Vashisht <svashisht@redhat.com> - 20120801-254
+- Bump version number to avoid breaking upgrade path
+
+* Wed Jan 08 2020 Siteshwar Vashisht <svashisht@redhat.com> - 20120801-253
+- Do not evaluate arithmetic expressions from environment variables at startup
+  Resolves: #1790547
+
 * Tue Oct 16 2018 Siteshwar Vashisht <svashisht@redhat.com> - 20120801-252
 - Use autosetup instead of setup in spec file