From 270fa2c70bf331786e73dd83f56499edda6fa397 Mon Sep 17 00:00:00 2001 From: Vincent Mihalkovic Date: Mon, 21 Jul 2025 12:40:02 +0200 Subject: [PATCH] Fix arbitrary command execution/code injection bugs Resolves: RHEL-99063 --- ksh-1.0.12-security.patch | 807 ++++++++++++++++++++++++++++++++++++++ ksh.spec | 9 +- 2 files changed, 815 insertions(+), 1 deletion(-) create mode 100644 ksh-1.0.12-security.patch diff --git a/ksh-1.0.12-security.patch b/ksh-1.0.12-security.patch new file mode 100644 index 0000000..d164312 --- /dev/null +++ b/ksh-1.0.12-security.patch @@ -0,0 +1,807 @@ +From 970812e39c236ff385e440ac6d458d196c237667 Mon Sep 17 00:00:00 2001 +From: Johnothan King +Date: Fri, 13 Jun 2025 16:29:15 -0700 +Subject: [PATCH] Fix arbitrary command execution/code injection bugs (#866) + +* Security patch part 1 + +Never use $SHELL or sh.shpath when executing shebang-less scripts + +- sh_ntfork(): Removed a misguided optimization that causes ksh to + run scripts without a shebang using the binary pointed to by + either $SHELL or sh.shpath. This has a few problems: + - The shell in sh.shpath or more disastrously in $SHELL has + no guarantee of being identical to the currently running + copy of ksh93 or even existing at all, so using either is + not only bogus, but potentially dangerous. + - The optimization has no ability to pass down the current + POSIX mode status to the script. + - It's only activated for virtual subshells, resulting in + arbitrarily different behavior depending on whether or + not we're in a virtual subshell. + - It does some weird stuff with /dev/fd that seems superfluous, + and also lacks any SHOPT_DEVFD if directive. (Additionally, + if it did have one, that stat(2) would likely become mere + dead code and a waste of context switches.) + +The optimization was probably intended to be used for running a +shebang-less script via posix_spawn, which is ostensibly faster +than fork. But this simply isn't possible without risking running +the shebang-less script in a shell environment different from +the current one. (If ksh were updated by the package manager +while ksh is still running, this optimization would cause the +script to run via the new version, rather than the currently +running older version.) The optimization is unfixable by design, +and as such must be removed to ensure correct behavior. + +* Security patch part 2 (re: bae02c39) + +rm setuid script code leading to arbitrary command execution + +Changes: +- Delete code for setuid scripts on "Solaris 2.5+" because it + allows for arbitrary command execution. One millisecond you think + you're launching ksh, the next you're at the mercy of a hijacker. + Example: + SHELL=/bin/ppmflash /bin/ksh -l /dev/fd/0 < <(true) + MANPATH: usage: MANPATH flashfactor [ppmfile] + flashfactor: 0.0 = original picture, 1.0 = total whiteout + The pathshell() code doesn't *seem* to be vulnerable to privilege + escalation, but who knows (cf. CVE-2019-14868; this might need its + own CVE 2025. Maybe pathshell() should be scrapped entirely???) +- Add fickle but functional regression test (you may need to pass + KSH=/bin/ksh or some such to get it to fail against vulnerable + versions of ksh). The test uses a login shell via the -l option, + but the bug *does not* need a login shell. See: + https://github.com/ksh93/ksh/issues/874#issue-3128739066 + Modify the execveat reproducer to pass along environ (which + could include a hijacked SHELL), and you're in for a BAD time. + +Maybe the deleted code (introduced sometime within the period of 1995 +and 1999) was relevant to some Solaris-specific use case or something. +Maybe the erasure even causes an incompatibility. But that code must +go; it's far too dangerous to execv whatever the hell pathshell gives +us during **init**. (Need I bring CVE-2019-14868 back to remembrance +again? This bug has similarities to that one.) + +FWIW, all of the regression tests in the ksh and modernish suites pass +with this patch applied. + +* Security patch part 3 + +Delete pathshell() and replace uses of it with safer equivalents + +This function is a dangerous attack vector that ought not remain +in the code base. The value returned by astconf() is doubtless +safer than what is returned by pathshell(). + +* Other changes + +The libast pathprog function and prog feature test are now unused, +and are removed. +--- + src/cmd/ksh93/include/shell.h | 3 - + src/cmd/ksh93/sh/init.c | 33 +-------- + src/cmd/ksh93/sh/main.c | 21 ------ + src/cmd/ksh93/sh/path.c | 2 - + src/cmd/ksh93/sh/xec.c | 20 ------ + src/cmd/ksh93/tests/basic.sh | 28 ++++++++ + src/lib/libast/Mamfile | 29 +------- + src/lib/libast/comp/omitted.c | 2 +- + src/lib/libast/comp/system.c | 48 ------------- + src/lib/libast/features/prog | 12 ---- + src/lib/libast/include/ast.h | 2 - + src/lib/libast/man/compat.3 | 1 - + src/lib/libast/man/path.3 | 13 ---- + src/lib/libast/man/proc.3 | 5 +- + src/lib/libast/misc/cmdarg.c | 2 +- + src/lib/libast/misc/procopen.c | 2 +- + src/lib/libast/path/pathprog.c | 124 -------------------------------- + src/lib/libast/path/pathshell.c | 115 ----------------------------- + 18 files changed, 37 insertions(+), 425 deletions(-) + delete mode 100644 src/lib/libast/comp/system.c + delete mode 100644 src/lib/libast/features/prog + delete mode 100644 src/lib/libast/path/pathprog.c + delete mode 100644 src/lib/libast/path/pathshell.c + +diff --git a/src/cmd/ksh93/include/shell.h b/src/cmd/ksh93/include/shell.h +index 0613ceb..9a1b00e 100644 +--- a/src/cmd/ksh93/include/shell.h ++++ b/src/cmd/ksh93/include/shell.h +@@ -213,8 +213,6 @@ struct sh_scoped + char **otrapcom; /* save parent EXIT and signals for v=$(trap) */ + void *timetrap; + struct Ufunction *real_fun; /* current 'function name' function */ +- int repl_index; +- char *repl_arg; + }; + + struct limits +@@ -255,7 +253,6 @@ struct Shell_s + Namval_t *bltin_nodes; + Namval_t *bltin_cmds; + History_t *hist_ptr; +- char *shpath; + char *user; + char **sigmsg; + char **login_files; +diff --git a/src/cmd/ksh93/sh/init.c b/src/cmd/ksh93/sh/init.c +index f4daaac..58c4e09 100644 +--- a/src/cmd/ksh93/sh/init.c ++++ b/src/cmd/ksh93/sh/init.c +@@ -1355,33 +1355,6 @@ Shell_t *sh_init(int argc,char *argv[], Shinit_f userinit) + } + sh.shlvl++; + nv_offattr(SHLVL,NV_IMPORT); +-#if SHOPT_SPAWN +- { +- /* +- * try to find the pathname for this interpreter +- * try using environment variable _ or argv[0] +- */ +- char *cp=nv_getval(L_ARGNOD); +- char buff[PATH_MAX+1]; +- sh.shpath = 0; +- if((n = pathprog(NULL, buff, sizeof(buff))) > 0 && n <= sizeof(buff)) +- sh.shpath = sh_strdup(buff); +- else if((cp && (sh_type(cp)&SH_TYPE_SH)) || (argc>0 && strchr(cp= *argv,'/'))) +- { +- if(*cp=='/') +- sh.shpath = sh_strdup(cp); +- else if(cp = nv_getval(PWDNOD)) +- { +- int offset = stktell(sh.stk); +- sfputr(sh.stk,cp,'/'); +- sfputr(sh.stk,argv[0],-1); +- pathcanon(stkptr(sh.stk,offset),PATH_DOTDOT); +- sh.shpath = sh_strdup(stkptr(sh.stk,offset)); +- stkseek(sh.stk,offset); +- } +- } +- } +-#endif + nv_putval(IFSNOD,(char*)e_sptbnl,NV_RDONLY); + astconfdisc(newconf); + #if SHOPT_TIMEOUT +@@ -1394,7 +1367,6 @@ Shell_t *sh_init(int argc,char *argv[], Shinit_f userinit) + #endif + if(argc>0) + { +- int dolv_index; + /* check for restricted shell */ + if(type&SH_TYPE_RESTRICTED) + sh_onoption(SH_RESTRICTED); +@@ -1406,10 +1378,7 @@ Shell_t *sh_init(int argc,char *argv[], Shinit_f userinit) + sh_done(0); + } + opt_info.disc = 0; +- dolv_index = (argc - 1) - sh.st.dolc; +- sh.st.dolv = argv + dolv_index; +- sh.st.repl_index = dolv_index; +- sh.st.repl_arg = argv[dolv_index]; ++ sh.st.dolv = argv + (argc - 1) - sh.st.dolc; + sh.st.dolv[0] = argv[0]; + if(sh.st.dolc < 1) + { +diff --git a/src/cmd/ksh93/sh/main.c b/src/cmd/ksh93/sh/main.c +index 38ae366..712310e 100644 +--- a/src/cmd/ksh93/sh/main.c ++++ b/src/cmd/ksh93/sh/main.c +@@ -247,33 +247,12 @@ int sh_main(int ac, char *av[], Shinit_f userinit) + /* open stream should have been passed into shell */ + if(strmatch(name,e_devfdNN)) + { +-#if !_WINIX +- char *cp; +- int type; +-#endif + fdin = (int)strtol(name+8, NULL, 10); + if(fstat(fdin,&statb)<0) + { + errormsg(SH_DICT,ERROR_system(1),e_open,name); + UNREACHABLE(); + } +-#if !_WINIX +- /* +- * try to undo effect of Solaris 2.5+ +- * change for argv for setuid scripts +- */ +- if(sh.st.repl_index > 0) +- av[sh.st.repl_index] = sh.st.repl_arg; +- if(((type = sh_type(cp = av[0])) & SH_TYPE_SH) && (name = nv_getval(L_ARGNOD)) && (!((type = sh_type(cp = name)) & SH_TYPE_SH))) +- { +- av[0] = (type & SH_TYPE_LOGIN) ? cp : path_basename(cp); +- /* exec to change $0 for ps */ +- execv(pathshell(),av); +- /* exec fails */ +- sh.st.dolv[0] = av[0]; +- fixargs(sh.st.dolv,1); +- } +-#endif + name = av[0]; + sh_offoption(SH_VERBOSE); + sh_offoption(SH_XTRACE); +diff --git a/src/cmd/ksh93/sh/path.c b/src/cmd/ksh93/sh/path.c +index 85f44b5..7728df0 100644 +--- a/src/cmd/ksh93/sh/path.c ++++ b/src/cmd/ksh93/sh/path.c +@@ -1195,8 +1195,6 @@ pid_t path_spawn(const char *opath,char **argv, char **envp, Pathcomp_t *libpath + errno = ENOEXEC; + if(spawn) + { +- if(sh.subshell) +- return -1; + do + { + if((pid=fork())>0) +diff --git a/src/cmd/ksh93/sh/xec.c b/src/cmd/ksh93/sh/xec.c +index ca67142..003a93c 100644 +--- a/src/cmd/ksh93/sh/xec.c ++++ b/src/cmd/ksh93/sh/xec.c +@@ -3417,26 +3417,6 @@ static pid_t sh_ntfork(const Shnode_t *t,char *argv[],int *jobid,int topfd) + job_fork(-1); + jobfork = 1; + spawnpid = path_spawn(path,argv,arge,pp,(grp<<1)|1); +- if(spawnpid < 0 && errno==ENOEXEC) +- { +- char *devfd; +- int fd = open(path,O_RDONLY); +- argv[-1] = argv[0]; +- argv[0] = path; +- if(fd>=0) +- { +- struct stat statb; +- sfprintf(sh.strbuf,"/dev/fd/%d",fd); +- if(stat(devfd=sfstruse(sh.strbuf),&statb)>=0) +- argv[0] = devfd; +- } +- if(!sh.shpath) +- sh.shpath = pathshell(); +- spawnpid = path_spawn(sh.shpath,&argv[-1],arge,pp,(grp<<1)|1); +- if(fd>=0) +- close(fd); +- argv[0] = argv[-1]; +- } + fail: + if(jobfork && spawnpid<0) + job_fork(-2); +diff --git a/src/cmd/ksh93/tests/basic.sh b/src/cmd/ksh93/tests/basic.sh +index ea83b6b..0b02f7c 100755 +--- a/src/cmd/ksh93/tests/basic.sh ++++ b/src/cmd/ksh93/tests/basic.sh +@@ -1019,5 +1019,33 @@ do + done + unset testcode + ++# ====== ++# Hijacking ksh93 via $SHELL for arbitrary command execution during initialization. ++# https://github.com/ksh93/ksh/issues/874 ++bindir=$tmp/dir.$RANDOM/bin ++mkdir -p "$bindir" ++echo $'#!/bin/sh\necho "CODE INJECTION"' > "$bindir"/hijack_sh ++chmod +x "$bindir"/hijack_sh ++got=$(set +x; SHELL="$bindir"/hijack_sh "$SHELL" -l <(echo) 2>&1) ++[[ $got =~ "CODE INJECTION" ]] && err_exit 'ksh93 is vulnerable to being hijacked during init via $SHELL' \ ++ "(got $(printf %q "$got"))" ++ ++# Hijacking ksh93 shebang-less scripts for arbitrary command execution. ++# https://github.com/ksh93/ksh/pull/866 ++export bindir ++print 'echo GOOD' > "$bindir/dummy.sh" ++chmod +x "$bindir/dummy.sh" ++cp "$SHELL" "$bindir/hijack_sh" ++exp=$'GOOD\nGOOD' ++got=$("$bindir/hijack_sh" -c $'print $\'\#!/bin/sh\necho HIJACKED\' > "$bindir/hijack_shell" ++chmod +x "$bindir/hijack_shell" ++rm "$bindir/hijack_sh" ++cp "$bindir/hijack_shell" "$bindir/hijack_sh" ++("$bindir/dummy.sh"); "$bindir/dummy.sh"; :') ++rm -r "$bindir" ++unset bindir ++[[ $exp == $got ]] || err_exit 'ksh93 shebang-less scripts are vulnerable to being hijacked for arbitrary code execution' \ ++ "(exp $(printf %q "$exp"), got $(printf %q "$got"))" ++ + # ====== + exit $((Errors<125?Errors:125)) +diff --git a/src/lib/libast/Mamfile b/src/lib/libast/Mamfile +index 0a35576..047ab0c 100644 +--- a/src/lib/libast/Mamfile ++++ b/src/lib/libast/Mamfile +@@ -972,12 +972,6 @@ make install + done path/pathbin.c + exec - ${CC} ${mam_cc_FLAGS} ${CCFLAGS} -I. -Icomp -Iinclude -Istd -c path/pathbin.c + done pathbin.o generated +- make pathshell.o +- make path/pathshell.c +- prev include/ast.h +- done path/pathshell.c +- exec - ${CC} ${mam_cc_FLAGS} ${CCFLAGS} -I. -Icomp -Iinclude -Istd -c path/pathshell.c +- done pathshell.o generated + make pathcd.o + make path/pathcd.c + make include/stk.h implicit +@@ -988,17 +982,6 @@ make install + done path/pathcd.c + exec - ${CC} ${mam_cc_FLAGS} ${CCFLAGS} -I. -Icomp -Iinclude -Istd -c path/pathcd.c + done pathcd.o generated +- make pathprog.o +- make path/pathprog.c +- make FEATURE/prog implicit +- prev features/prog +- exec - iffe ${IFFEFLAGS} -v -X ast -X std -c "${CC} ${mam_cc_FLAGS} ${CCFLAGS} ${LDFLAGS}" run features/prog +- done FEATURE/prog generated +- prev include/ast_windows.h +- prev include/ast.h +- done path/pathprog.c +- exec - ${CC} ${mam_cc_FLAGS} ${CCFLAGS} -I. -Icomp -Iinclude -Istd -c path/pathprog.c +- done pathprog.o generated + make ftwalk.o + make misc/ftwalk.c + make include/ftwalk.h implicit +@@ -2574,14 +2557,6 @@ make install + done comp/mount.c + exec - ${CC} ${mam_cc_FLAGS} ${CCFLAGS} -I. -Icomp -Iinclude -Istd -c comp/mount.c + done mount.o generated +- make system.o +- make comp/system.c +- prev ast_map.h +- prev include/proc.h +- prev include/ast.h +- done comp/system.c +- exec - ${CC} ${mam_cc_FLAGS} ${CCFLAGS} -I. -Icomp -Iinclude -Istd -c comp/system.c +- done system.o generated + make iblocks.o + make port/iblocks.c + prev include/ls.h +@@ -4425,9 +4400,9 @@ make install + exec - ${CC} ${mam_cc_FLAGS} ${CCFLAGS} -I. -Icomp -Iinclude -Istd -c vmalloc/vmgetmem.c + done vmgetmem.o generated + exec - ${AR} rc libast.a state.o opendir.o readdir.o rewinddir.o seekdir.o telldir.o getcwd.o fastfind.o hashalloc.o hashdump.o hashfree.o hashlast.o hashlook.o hashscan.o hashsize.o hashview.o hashwalk.o memhash.o memsum.o strhash.o strkey.o strsum.o stracmp.o strnacmp.o ccmap.o ccmapid.o ccnative.o chresc.o chrtoi.o +- exec - ${AR} rc libast.a streval.o strexpr.o strmatch.o strcopy.o modei.o modex.o strmode.o strlcat.o strlcpy.o strlook.o strncopy.o strsearch.o strpsearch.o stresc.o stropt.o strtape.o strpcmp.o strnpcmp.o strvcmp.o strnvcmp.o tok.o tokline.o tokscan.o pathaccess.o pathcat.o pathcanon.o pathcheck.o pathpath.o pathexists.o pathfind.o pathicase.o pathkey.o pathprobe.o pathrepl.o pathnative.o pathposix.o pathtemp.o pathtmp.o pathstat.o pathgetlink.o pathsetlink.o pathbin.o pathshell.o pathcd.o pathprog.o ftwalk.o ftwflags.o fts.o astintercept.o conformance.o getenv.o setenviron.o optget.o optjoin.o optesc.o optctx.o strsort.o struniq.o magic.o mime.o mimetype.o signal.o sigflag.o systrace.o error.o errorf.o errormsg.o errorx.o localeconv.o setlocale.o translate.o catopen.o iconv.o lc.o lctab.o mc.o base64.o recfmt.o recstr.o reclen.o fmtrec.o fmtbase.o fmtbuf.o fmtclock.o fmtdev.o fmtelapsed.o fmterror.o fmtesc.o fmtfmt.o fmtfs.o fmtident.o fmtint.o fmtip4.o fmtip6.o fmtls.o fmtmatch.o fmtmode.o fmtnum.o fmtperm.o fmtre.o fmttime.o ++ exec - ${AR} rc libast.a streval.o strexpr.o strmatch.o strcopy.o modei.o modex.o strmode.o strlcat.o strlcpy.o strlook.o strncopy.o strsearch.o strpsearch.o stresc.o stropt.o strtape.o strpcmp.o strnpcmp.o strvcmp.o strnvcmp.o tok.o tokline.o tokscan.o pathaccess.o pathcat.o pathcanon.o pathcheck.o pathpath.o pathexists.o pathfind.o pathicase.o pathkey.o pathprobe.o pathrepl.o pathnative.o pathposix.o pathtemp.o pathtmp.o pathstat.o pathgetlink.o pathsetlink.o pathbin.o pathcd.o ftwalk.o ftwflags.o fts.o astintercept.o conformance.o getenv.o setenviron.o optget.o optjoin.o optesc.o optctx.o strsort.o struniq.o magic.o mime.o mimetype.o signal.o sigflag.o systrace.o error.o errorf.o errormsg.o errorx.o localeconv.o setlocale.o translate.o catopen.o iconv.o lc.o lctab.o mc.o base64.o recfmt.o recstr.o reclen.o fmtrec.o fmtbase.o fmtbuf.o fmtclock.o fmtdev.o fmtelapsed.o fmterror.o fmtesc.o fmtfmt.o fmtfs.o fmtident.o fmtint.o fmtip4.o fmtip6.o fmtls.o fmtmatch.o fmtmode.o fmtnum.o fmtperm.o fmtre.o fmttime.o + exec - ${AR} rc libast.a fmtuid.o fmtgid.o fmtsignal.o fmtscale.o fmttmx.o fmttv.o fmtversion.o strelapsed.o strperm.o struid.o strgid.o strtoip4.o strtoip6.o stack.o stk.o swapget.o swapmem.o swapop.o swapput.o sigdata.o sigcrit.o sigunblock.o procopen.o procclose.o procrun.o procfree.o tmdate.o tmequiv.o tmfix.o tmfmt.o tmform.o tmgoff.o tminit.o tmleap.o tmlex.o tmlocale.o tmmake.o tmpoff.o tmscan.o tmsleep.o tmtime.o tmtype.o tmweek.o tmword.o tmzone.o tmxdate.o tmxduration.o tmxfmt.o tmxgettime.o tmxleap.o tmxmake.o tmxscan.o tmxsettime.o tmxsleep.o tmxtime.o tmxtouch.o tvcmp.o tvgettime.o tvsettime.o tvsleep.o tvtouch.o cmdarg.o vecargs.o vecfile.o vecfree.o vecload.o vecstring.o univdata.o touch.o mnt.o debug.o memccpy.o memchr.o memcmp.o memcpy.o memdup.o memmove.o memset.o mkdir.o mkfifo.o mknod.o rmdir.o remove.o rename.o link.o unlink.o strdup.o strchr.o strrchr.o strstr.o strtod.o strtold.o strtol.o strtoll.o strtoul.o strtoull.o strton.o strtonll.o strntod.o strntold.o strnton.o +- exec - ${AR} rc libast.a strntonll.o strntol.o strntoll.o strntoul.o strntoull.o strcasecmp.o strncasecmp.o strerror.o mktemp.o tmpnam.o fsync.o execlp.o execve.o execvp.o execvpe.o spawnveg.o killpg.o getlogin.o putenv.o setenv.o unsetenv.o lstat.o statvfs.o eaccess.o gross.o omitted.o readlink.o symlink.o getpgrp.o setpgid.o setsid.o fcntl.o open.o atexit.o getdents.o getwd.o dup2.o errno.o getgroups.o mount.o system.o iblocks.o modedata.o tmdata.o memfatal.o sfkeyprintf.o sfdcdio.o sfdcdos.o sfdcfilter.o sfdcseekable.o sfdcslow.o sfdcsubstr.o sfdctee.o sfdcunion.o sfdcmore.o sfdcprefix.o wc.o wc2utf8.o basename.o closelog.o dirname.o fmtmsglib.o fnmatch.o ftw.o getdate.o getsubopt.o glob.o nftw.o openlog.o re_comp.o resolvepath.o realpath.o regcmp.o regexp.o setlogmask.o strftime.o strptime.o swab.o syslog.o tempnam.o wordexp.o mktime.o regalloc.o regclass.o regcoll.o regcomp.o regcache.o regdecomp.o regerror.o regexec.o regfatal.o reginit.o ++ exec - ${AR} rc libast.a strntonll.o strntol.o strntoll.o strntoul.o strntoull.o strcasecmp.o strncasecmp.o strerror.o mktemp.o tmpnam.o fsync.o execlp.o execve.o execvp.o execvpe.o spawnveg.o killpg.o getlogin.o putenv.o setenv.o unsetenv.o lstat.o statvfs.o eaccess.o gross.o omitted.o readlink.o symlink.o getpgrp.o setpgid.o setsid.o fcntl.o open.o atexit.o getdents.o getwd.o dup2.o errno.o getgroups.o mount.o iblocks.o modedata.o tmdata.o memfatal.o sfkeyprintf.o sfdcdio.o sfdcdos.o sfdcfilter.o sfdcseekable.o sfdcslow.o sfdcsubstr.o sfdctee.o sfdcunion.o sfdcmore.o sfdcprefix.o wc.o wc2utf8.o basename.o closelog.o dirname.o fmtmsglib.o fnmatch.o ftw.o getdate.o getsubopt.o glob.o nftw.o openlog.o re_comp.o resolvepath.o realpath.o regcmp.o regexp.o setlogmask.o strftime.o strptime.o swab.o syslog.o tempnam.o wordexp.o mktime.o regalloc.o regclass.o regcoll.o regcomp.o regcache.o regdecomp.o regerror.o regexec.o regfatal.o reginit.o + exec - ${AR} rc libast.a regnexec.o regsubcomp.o regsubexec.o regsub.o regrecord.o regrexec.o regstat.o dtclose.o dtdisc.o dthash.o dtlist.o dtmethod.o dtopen.o dtstat.o dtstrhash.o dttree.o dtuser.o dtview.o dtwalk.o dtnew.o dtcomp.o sfclose.o sfclrlock.o sfdisc.o sfdlen.o sfexcept.o sfgetl.o sfgetu.o sfcvt.o sfecvt.o sffcvt.o sfextern.o sffilbuf.o sfflsbuf.o sfprints.o sfgetd.o sfgetr.o sfllen.o sfmode.o sfmove.o sfnew.o sfpkrd.o sfnotify.o sfnputc.o sfopen.o sfpeek.o sfpoll.o sfpool.o sfpopen.o sfprintf.o sfputd.o sfputl.o sfputr.o sfputu.o sfrd.o sfread.o sfreserve.o sfscanf.o sfseek.o sfset.o sfsetbuf.o sfsetfd.o sfsize.o sfsk.o sfstack.o sfstrtod.o sfsync.o sfswap.o sftable.o sftell.o sftmp.o sfungetc.o sfvprintf.o sfvscanf.o sfwr.o sfwrite.o sfpurge.o sfraise.o sfwalk.o sfgetm.o sfputm.o sfresize.o _sfclrerr.o _sfeof.o _sferror.o _sffileno.o _sfopen.o _sfstacked.o _sfvalue.o _sfgetc.o _sfgetl.o _sfgetl2.o _sfgetu.o _sfgetu2.o _sfdlen.o _sfllen.o _sfslen.o _sfulen.o _sfputc.o _sfputd.o _sfputl.o _sfputm.o + exec - ${AR} rc libast.a _sfputu.o clearerr.o fclose.o fdopen.o fflush.o fgetc.o fgetpos.o fgets.o fopen.o fprintf.o fpurge.o fputs.o fread.o freopen.o fscanf.o fseek.o fseeko.o fsetpos.o ftell.o ftello.o fwrite.o getw.o pclose.o popen.o printf.o putchar.o puts.o putw.o rewind.o scanf.o setbuf.o setbuffer.o setlinebuf.o setvbuf.o snprintf.o sprintf.o sscanf.o asprintf.o vasprintf.o tmpfile.o ungetc.o vfprintf.o vfscanf.o vprintf.o vscanf.o vsnprintf.o vsprintf.o vsscanf.o _doprnt.o _doscan.o _filbuf.o _flsbuf.o _stdopen.o _stdprintf.o _stdscanf.o _stdsprnt.o _stdvbuf.o _stdvsnprnt.o _stdvsprnt.o _stdvsscn.o fgetwc.o fwprintf.o putwchar.o vfwscanf.o wprintf.o fgetws.o fwscanf.o swprintf.o vswprintf.o wscanf.o fputwc.o getwc.o swscanf.o vswscanf.o fputws.o getwchar.o ungetwc.o vwprintf.o fwide.o putwc.o vfwprintf.o vwscanf.o stdio_c99.o fcloseall.o fmemopen.o getdelim.o getline.o frexp.o frexpl.o astcopy.o + exec - ${AR} rc libast.a astconf.o astdynamic.o astquery.o astwinsize.o conftab.o aststatic.o getopt.o getoptl.o aso.o asolock.o asometh.o asorelax.o aso-sem.o aso-fcntl.o vmbest.o vmclear.o vmclose.o vmdcheap.o vmdebug.o vmdisc.o vmlast.o vmopen.o vmpool.o vmprivate.o vmprofile.o vmregion.o vmsegment.o vmset.o vmstat.o vmstrdup.o vmtrace.o vmwalk.o vmmopen.o malloc.o vmgetmem.o +diff --git a/src/lib/libast/comp/omitted.c b/src/lib/libast/comp/omitted.c +index 447990d..3631d39 100644 +--- a/src/lib/libast/comp/omitted.c ++++ b/src/lib/libast/comp/omitted.c +@@ -504,7 +504,7 @@ runve(int mode, const char* path, char* const* argv, char* const* envv) + p = v; + *p++ = (char*)path; + *p++ = (char*)path; +- path = (const char*)pathshell(); ++ path = "/bin/sh.exe"; + if (*argv) + argv++; + while (*p++ = (char*)*argv++); +diff --git a/src/lib/libast/comp/system.c b/src/lib/libast/comp/system.c +deleted file mode 100644 +index 64fa7e7..0000000 +--- a/src/lib/libast/comp/system.c ++++ /dev/null +@@ -1,48 +0,0 @@ +-/*********************************************************************** +-* * +-* This software is part of the ast package * +-* Copyright (c) 1985-2011 AT&T Intellectual Property * +-* Copyright (c) 2020-2023 Contributors to ksh 93u+m * +-* and is licensed under the * +-* Eclipse Public License, Version 2.0 * +-* * +-* A copy of the License is available at * +-* https://www.eclipse.org/org/documents/epl-2.0/EPL-2.0.html * +-* (with md5 checksum 84283fa8859daf213bdda5a9f8d1be1d) * +-* * +-* Glenn Fowler * +-* David Korn * +-* Phong Vo * +-* Martijn Dekker * +-* Johnothan King * +-* * +-***********************************************************************/ +-/* +- * AST library system(3) +- */ +- +-#define system ______system +- +-#define _STDLIB_H_ 1 /* UWIN workaround */ +- +-#include +-#include +- +-#undef system +- +-#undef _def_map_ast +-#include +- +-extern int +-system(const char* cmd) +-{ +- char* sh[4]; +- +- if (!cmd) +- return !eaccess(pathshell(), X_OK); +- sh[0] = "sh"; +- sh[1] = "-c"; +- sh[2] = (char*)cmd; +- sh[3] = 0; +- return procrun(NULL, sh, 0); +-} +diff --git a/src/lib/libast/features/prog b/src/lib/libast/features/prog +deleted file mode 100644 +index 365ce88..0000000 +--- a/src/lib/libast/features/prog ++++ /dev/null +@@ -1,12 +0,0 @@ +-lib getexecname,_NSGetExecutablePath +- +-tst run{ +- for p in /proc/self/exe /proc/self/path/a.out +- do if test -e $p +- then echo "#define _PROC_PROG \"$p\"" +- break +- fi +- done +-}end +- +-_hdr_macho_o_dyld = hdr mach-o/dyld +diff --git a/src/lib/libast/include/ast.h b/src/lib/libast/include/ast.h +index 5ec170b..6271677 100644 +--- a/src/lib/libast/include/ast.h ++++ b/src/lib/libast/include/ast.h +@@ -373,11 +373,9 @@ extern char* pathpath_20100601(const char*, const char*, int, char*, size_t); + extern size_t pathposix(const char*, char*, size_t); + extern char* pathprobe(char*, char*, const char*, const char*, const char*, int); + extern char* pathprobe_20100601(const char*, const char*, const char*, int, char*, size_t, char*, size_t); +-extern size_t pathprog(const char*, char*, size_t); + extern char* pathrepl(char*, const char*, const char*); + extern char* pathrepl_20100601(char*, size_t, const char*, const char*); + extern int pathsetlink(const char*, const char*); +-extern char* pathshell(void); + extern char* pathtemp(char*, size_t, const char*, const char*, int*); + extern char* pathtmp(char*, const char*, const char*, int*); + extern char* setenviron(const char*); +diff --git a/src/lib/libast/man/compat.3 b/src/lib/libast/man/compat.3 +index 7baf287..47c344f 100644 +--- a/src/lib/libast/man/compat.3 ++++ b/src/lib/libast/man/compat.3 +@@ -77,7 +77,6 @@ double strtod(const char*, char**); + long strtol(const char*, char**, int); + int symlink(const char*, const char*); + long sysconf(int); +-int system(const char*); + char* tmpnam(char*); + int unlink(const char*); + int waitpid(pid_t, int*, int); +diff --git a/src/lib/libast/man/path.3 b/src/lib/libast/man/path.3 +index 8060763..b9fdacf 100644 +--- a/src/lib/libast/man/path.3 ++++ b/src/lib/libast/man/path.3 +@@ -57,7 +57,6 @@ char* pathpath(char* \fIpath\fP, const char* \fIp\fP, const char* \fIa\fP, i + char* pathprobe(char* \fIpath\fP, char* \fIattr\fP, const char* \fIlang\fP, const char* \fItool\fP, const char* \fIproc\fP, int \fIop\fP); + char* pathrepl(char* \fIpath\fP, const char* \fImatch\fP, const char* \fIreplace\fP); + int pathsetlink(const char* \fItext\fP, char* \fIname\fP); +-char* pathshell(void); + int pathstat(const char* \fIpath\fP, struct stat* \fIst\fP); + char* pathtemp(char* \fIpath\fP, const char* \fIdir\fP, const char* \fIpfx\fP); + .EE +@@ -361,18 +360,6 @@ above for weird + .IR universe (1) + interactions hidden by this routine. + .PP +-.L pathshell +-returns a pointer to the pathname for the shell for the current process. +-The +-.L SHELL +-environment variable is first consulted, but is rejected under suspicious +-ownership/setuid conditions of if it seems to point to +-.IR csh (1) ; +-otherwise +-.L confstr(_CS_SHELL,...) +-is used. +-A valid string is always returned. +-.PP + .L pathstat + first tries + .LI stat( path,st ) +diff --git a/src/lib/libast/man/proc.3 b/src/lib/libast/man/proc.3 +index a338130..9aa66e9 100644 +--- a/src/lib/libast/man/proc.3 ++++ b/src/lib/libast/man/proc.3 +@@ -80,8 +80,9 @@ If + .I command + is + .L 0 +-then the current shell is used (see +-.IR pathshell (3)). ++then the shell returned by ++.IR astconf (3) ++is used. + If + .I envv + is not +diff --git a/src/lib/libast/misc/cmdarg.c b/src/lib/libast/misc/cmdarg.c +index bb4a4e3..6f8b24f 100644 +--- a/src/lib/libast/misc/cmdarg.c ++++ b/src/lib/libast/misc/cmdarg.c +@@ -128,7 +128,7 @@ cmdopen_20120411(char** argv, int argmax, int size, const char* argpat, Cmddisc_ + x = ARG_MAX; + if (size <= 0 || size > x) + size = x; +- sh = pathshell(); ++ sh = astconf("SH", NULL, NULL); + m = n + (argc + 4) * sizeof(char**) + strlen(sh) + 1; + m = roundof(m, sizeof(char**)); + if (size < m) +diff --git a/src/lib/libast/misc/procopen.c b/src/lib/libast/misc/procopen.c +index 444f612..7482fcf 100644 +--- a/src/lib/libast/misc/procopen.c ++++ b/src/lib/libast/misc/procopen.c +@@ -722,7 +722,7 @@ procopen(const char* cmd, char** argv, char** envv, long* modv, int flags) + *p = path; + *--p = "sh"; + } +- strcpy(env + 2, (flags & PROC_PARANOID) ? astconf("SH", NULL, NULL) : pathshell()); ++ strcpy(env + 2, astconf("SH", NULL, NULL)); + if (forked || (flags & PROC_OVERLAY)) + execve(env + 2, p, environ); + #if _use_spawnveg +diff --git a/src/lib/libast/path/pathprog.c b/src/lib/libast/path/pathprog.c +deleted file mode 100644 +index 09a6148..0000000 +--- a/src/lib/libast/path/pathprog.c ++++ /dev/null +@@ -1,124 +0,0 @@ +-/*********************************************************************** +-* * +-* This software is part of the ast package * +-* Copyright (c) 1985-2012 AT&T Intellectual Property * +-* Copyright (c) 2020-2023 Contributors to ksh 93u+m * +-* and is licensed under the * +-* Eclipse Public License, Version 2.0 * +-* * +-* A copy of the License is available at * +-* https://www.eclipse.org/org/documents/epl-2.0/EPL-2.0.html * +-* (with md5 checksum 84283fa8859daf213bdda5a9f8d1be1d) * +-* * +-* Glenn Fowler * +-* David Korn * +-* Phong Vo * +-* Martijn Dekker * +-* * +-***********************************************************************/ +-/* +- * Glenn Fowler +- * AT&T Research +- * +- * return the full path of the current program in path +- * command!=0 is used as a default +- */ +- +-#include +- +-#if _WINIX +-#include +-#include +-#endif +- +-#include "FEATURE/prog" +- +-#if _hdr_macho_o_dyld && _lib__NSGetExecutablePath +-#include +-#else +-#undef _lib__NSGetExecutablePath +-#endif +- +-static size_t +-prog(const char* command, char* path, size_t size) +-{ +- ssize_t n; +- char* s; +-#if _WINIX +- char* t; +- char* e; +- int c; +- int q; +-#endif +-#if _lib__NSGetExecutablePath +- uint32_t z; +-#endif +- +-#ifdef _PROC_PROG +- if ((n = readlink(_PROC_PROG, path, size)) > 0 && *path == '/') +- { +- if (n < size) +- path[n] = 0; +- return n; +- } +-#endif +-#if _lib_getexecname +- if ((s = (char*)getexecname()) && *s == '/') +- goto found; +-#endif +-#if _lib__NSGetExecutablePath +- z = size; +- if (!_NSGetExecutablePath(path, &z) && *path == '/') +- return strlen(path); +-#endif +-#if _WINIX +- if (s = GetCommandLine()) +- { +- n = 0; +- q = 0; +- t = path; +- e = path + size - 1; +- while (c = *s++) +- { +- if (c == q) +- q = 0; +- else if (!q && c == '"') +- q = c; +- else if (!q && isspace(c)) +- break; +- else if (t < e) +- *t++ = c == '\\' ? '/' : c; +- else +- n++; +- } +- if (t < e) +- *t = 0; +- return (t - path) + n; +- } +-#endif +- if (command) +- { +- s = (char*)command; +- goto found; +- } +- return 0; +- found: +- n = strlen(s); +- if (n < size) +- memcpy(path, s, n + 1); +- return n; +-} +- +-size_t +-pathprog(const char* command, char* path, size_t size) +-{ +- char* rel; +- ssize_t n; +- +- if ((n = prog(command, path, size)) > 0 && n < size && *path != '/' && (rel = strdup(path))) +- { +- n = pathpath(rel, NULL, PATH_REGULAR|PATH_EXECUTE, path, size) ? strlen(path) : 0; +- free(rel); +- } +- return n; +-} +diff --git a/src/lib/libast/path/pathshell.c b/src/lib/libast/path/pathshell.c +deleted file mode 100644 +index 7537c53..0000000 +--- a/src/lib/libast/path/pathshell.c ++++ /dev/null +@@ -1,115 +0,0 @@ +-/*********************************************************************** +-* * +-* This software is part of the ast package * +-* Copyright (c) 1985-2011 AT&T Intellectual Property * +-* Copyright (c) 2020-2023 Contributors to ksh 93u+m * +-* and is licensed under the * +-* Eclipse Public License, Version 2.0 * +-* * +-* A copy of the License is available at * +-* https://www.eclipse.org/org/documents/epl-2.0/EPL-2.0.html * +-* (with md5 checksum 84283fa8859daf213bdda5a9f8d1be1d) * +-* * +-* Glenn Fowler * +-* David Korn * +-* Phong Vo * +-* Martijn Dekker * +-* Johnothan King * +-* * +-***********************************************************************/ +-/* +- * G. S. Fowler +- * D. G. Korn +- * AT&T Bell Laboratories +- * +- * shell library support +- */ +- +-#include +-#include +- +-/* +- * return pointer to the full path name of the shell +- * +- * SHELL is read from the environment and must start with / +- * +- * if setuid or setgid then the executable and its containing +- * directory must not be owned by the real user/group +- * +- * root/administrator has its own test +- * +- * astconf("SH",NULL,NULL) is returned by default +- * +- * NOTE: csh is rejected because the bsh/csh differentiation is +- * not done for `csh script arg ...' +- */ +- +-#ifdef _WINIX +-# define EXE "?(.exe)" +-#else +-# define EXE +-#endif +- +-char* +-pathshell(void) +-{ +- char* sh; +- int ru; +- int eu; +- int rg; +- int eg; +- struct stat st; +- +- static char* val; +- +- if ((sh = getenv("SHELL")) && *sh == '/' && strmatch(sh, "*/(sh|*[!cC]sh)*([[:digit:]])?(-+([.[:alnum:]]))" EXE)) +- { +- if (!(ru = getuid()) || !eaccess("/bin", W_OK)) +- { +- if (stat(sh, &st)) +- goto defshell; +- if (ru != st.st_uid && !strmatch(sh, "?(/usr)?(/local)/?([ls])bin/?([[:lower:]])sh" EXE)) +- goto defshell; +- } +- else +- { +- eu = geteuid(); +- rg = getgid(); +- eg = getegid(); +- if (ru != eu || rg != eg) +- { +- char* s; +- char dir[PATH_MAX]; +- +- s = sh; +- for (;;) +- { +- if (stat(s, &st)) +- goto defshell; +- if (ru != eu && st.st_uid == ru) +- goto defshell; +- if (rg != eg && st.st_gid == rg) +- goto defshell; +- if (s != sh) +- break; +- if (strlen(s) >= sizeof(dir)) +- goto defshell; +- strcpy(dir, s); +- if (!(s = strrchr(dir, '/'))) +- break; +- *s = 0; +- s = dir; +- } +- } +- } +- return sh; +- } +- defshell: +- if (!(sh = val)) +- { +- if (!*(sh = astconf("SH", NULL, NULL)) || *sh != '/' || eaccess(sh, X_OK) || !(sh = strdup(sh))) +- sh = "/bin/sh"; +- val = sh; +- } +- return sh; +-} +-- +2.50.1 + diff --git a/ksh.spec b/ksh.spec index 408b822..fb3e6e0 100644 --- a/ksh.spec +++ b/ksh.spec @@ -4,7 +4,7 @@ URL: http://www.kornshell.com/ License: EPL-1.0 Epoch: 3 Version: 1.0.6 -Release: 13%{?dist} +Release: 14%{?dist} Source0: https://github.com/ksh93/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Source1: kshcomp.conf Source2: kshrc.rhs @@ -57,6 +57,9 @@ Patch13: ksh-1.0.10-blankline.patch # upstream commit: https://github.com/ksh93/ksh/commit/bc56018765163a8059600f5205e9e2b1f4059873 Patch14: ksh-1.0.10-sigpipe.patch +# https://github.com/ksh93/ksh/commit/970812e39c236ff385e440ac6d458d196c237667 +Patch15: ksh-1.0.12-security.patch + Conflicts: pdksh Requires: coreutils, diffutils BuildRequires: gcc @@ -178,6 +181,10 @@ fi %config(noreplace) %{_sysconfdir}/binfmt.d/kshcomp.conf %changelog +* Wed Aug 06 2025 Vincent Mihalkovic - 3:1.0.6-14 +- Fix arbitrary command execution/code injection bugs + Resolves: RHEL-99063 + * Wed Jul 09 2025 Vincent Mihalkovic - 3:1.0.6-13 - Fix SIGPIPE subshell regression Resolves: RHEL-92646