import ksh-20120801-253.el8_1

This commit is contained in:
CentOS Sources 2020-02-20 04:49:29 -05:00 committed by Andrew Lukoshko
parent 965126b874
commit c4871f284b
2 changed files with 60 additions and 1 deletions


@ -0,0 +1,52 @@
diff --git a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c
--- a/src/cmd/ksh93/sh/arith.c
+++ b/src/cmd/ksh93/sh/arith.c
@@ -513,21 +513,34 @@ Sfdouble_t sh_strnum(register const char *str, char** ptr, int mode)
char base=(shp->inarith?0:10), *last;
if(*str==0)
{
- if(ptr)
- *ptr = (char*)str;
- return(0);
- }
- errno = 0;
- d = strtonll(str,&last,&base,-1);
- if(*last || errno)
- {
- if(!last || *last!='.' || last[1]!='.')
- d = strval(shp,str,&last,arith,mode);
- if(!ptr && *last && mode>0)
- errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
+ d = 0.0;
+ last = (char*)str;
+ } else {
+ errno = 0;
+ d = strtonll(str,&last,&base,-1);
+ if (*last && !shp->inarith && sh_isstate(SH_INIT)) {
+ // This call is to handle "base#value" literals if we're importing untrusted env vars.
+ errno = 0;
+ d = strtonll(str, &last, NULL, -1);
+ }
+
+ if(*last || errno)
+ {
+ if (sh_isstate(SH_INIT)) {
+ // Initializing means importing untrusted env vars. Since the string does not appear
+ // to be a recognized numeric literal give up. We can't safely call strval() since
+ // that allows arbitrary expressions which would create a security vulnerability.
+ d = 0.0;
+ } else {
+ if(!last || *last!='.' || last[1]!='.')
+ d = strval(shp,str,&last,arith,mode);
+ if(!ptr && *last && mode>0)
+ errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
+ }
+ } else if (!d && *str=='-') {
+ d = -0.0;
+ }
}
- else if (!d && *str=='-')
- d = -0.0;
if(ptr)
*ptr = last;
return(d);
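Review bot: In the new sh_isstate(SH_INIT) give-up branch, `d = 0.0;` is assigned but `last` is left wherever the second strtonll() call stopped, so a caller that passes `ptr` gets a pointer into the rejected string together with a value of 0.0, whereas the empty-string branch a few lines above resets both (`d = 0.0; last = (char*)str;`). If callers use `*ptr` to decide whether the whole string was consumed (not visible here), that inconsistency matters: either add `last = (char*)str;` beside `d = 0.0;` or state in the comment that `*ptr` deliberately points at the first unparsed character so the caller can see the rejection. The rejected import is also dropped without any errormsg(), which is presumably intended at startup but worth one line, e.g. `// At startup an unparsable value is silently imported as 0; no diagnostic is raised.`. The two new comments use `//` syntax; if the rest of arith.c uses `/* */` comments (not visible in this hunk), match that style. sh_strnum() begins before this hunk, so only part of its body is under review.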


@ -6,7 +6,7 @@ Summary: The Original ATT Korn Shell
URL: http://www.kornshell.com/ URL: http://www.kornshell.com/
License: EPL License: EPL
Version: %{releasedate} Version: %{releasedate}
Release: 252%{?dist} Release: 253%{?dist}
Source0: http://www.research.att.com/~gsf/download/tgz/ast-ksh.%{release_date}.tgz Source0: http://www.research.att.com/~gsf/download/tgz/ast-ksh.%{release_date}.tgz
Source1: http://www.research.att.com/~gsf/download/tgz/INIT.%{release_date}.tgz Source1: http://www.research.att.com/~gsf/download/tgz/INIT.%{release_date}.tgz
Source2: kshcomp.conf Source2: kshcomp.conf
@ -214,6 +214,9 @@ Patch87: ksh-20120801-covsfix2.patch
# rhbz#1624125 # rhbz#1624125
Patch88: ksh-20120801-annocheck.patch Patch88: ksh-20120801-annocheck.patch
# rhbz#1790547
Patch89: ksh-20120801-cve-2019-14868.patch
Conflicts: pdksh Conflicts: pdksh
Requires: coreutils, diffutils, chkconfig Requires: coreutils, diffutils, chkconfig
BuildRequires: bison BuildRequires: bison
@ -366,6 +369,10 @@ fi
%config(noreplace) %{_sysconfdir}/binfmt.d/kshcomp.conf %config(noreplace) %{_sysconfdir}/binfmt.d/kshcomp.conf
%changelog %changelog
* Wed Jan 08 2020 Siteshwar Vashisht <svashisht@redhat.com> - 20120801-253
- Do not evaluate arithmetic expressions from environment variables at startup
Resolves: #1790546
* Tue Oct 16 2018 Siteshwar Vashisht <svashisht@redhat.com> - 20120801-252 * Tue Oct 16 2018 Siteshwar Vashisht <svashisht@redhat.com> - 20120801-252
- Use autosetup instead of setup in spec file - Use autosetup instead of setup in spec file