| Summary: | ksh new security issue CVE-2019-14868 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, mageia, sysadmin-bugs, zooplah |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | ksh-2020.0.0.81.git8052490-0.1.mga7.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser, 2020-02-18 15:40:38 CET

David Walser, 2020-02-18 15:40:51 CET
Whiteboard: (none) => MGA7TOO

Comment 1
Assigning (previously CC) to Stig as the active 'ksh' maintainer.
Assignee: bugsquad => smelror

Comment 2
David Walser, 2020-02-21 17:52:13 CET
Fedora has issued an advisory for this on February 16: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N4R57SLEOTTXFWOLPTVVS2AOZ35FZEJR/
Status comment: (none) => Patch available from Fedora

Comment 3
Stig-Ørjan Smelror, 2020-02-24 19:33:52 CET
ksh 2020.0.0 on Cauldron has been obsoleted and pdksh has been updated to take its place.
Whiteboard: MGA7TOO => (none)

Comment 4
(In reply to Stig-Ørjan Smelror from comment #3)
> ksh 2020.0.0 on Cauldron has been obsoleted and pdksh has been updated to
> take its place.

That seems backwards to me. From what I gather, only ksh2020 isn't being further developed, where the master branch is a continuation of ksh93 (a shame, as the only shells I've tried in which `echo hi | read a; echo $a` (https://github.com/ibara/oksh/blob/main/README.pdksh) prints out "hi" are ksh2020 and zsh; bash, ksh93, pdksh, mksh, etc. all print out an empty string).

pdksh is ancient and I can't even find where it exists on the Internet anymore. In fact, I don't even know where you guys get the source code; it's certainly not at the location specified in the SPEC file (perhaps it's just cached, inherited from Mandriva). The mksh FAQ says that pdksh hasn't been updated since 1999.

It seems to me that if you're going to replace upstream ksh with something, it should be mksh, which (unlike pdksh) is actively developed and has been blessed by David Korn.
http://www.mirbsd.org/mksh-faq.htm#kornshell
CC: (none) => zooplah

Comment 5
Thanks for the information. Please file a new bug with this information if you haven't already.

Comment 6
patch added to fix this CVE:

src:
- ksh-2020.0.0.81.git8052490-0.1.1.mga7
CC: (none) => mageia

Comment 7
Advisory:
========================

Updated ksh package fixes security vulnerability:

A flaw was found in the way ksh evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely (CVE-2019-14868).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14868
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N4R57SLEOTTXFWOLPTVVS2AOZ35FZEJR/

Comment 8
MGA7 - 64 bit - gnome

Installed and ran a basic script. My days of sophisticated KSH scripts are done since I quit coding for hp-ux. ksh is functional.
CC: (none) => brtians1

Comment 9
Validating. Advisory in Comment 7.
Keywords: (none) => validated_update

Comment 10
Advisory committed to svn.
Keywords: (none) => advisory

Comment 11
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0141.html
Status: NEW => RESOLVED