RedHat has issued an advisory on February 17: https://access.redhat.com/errata/RHSA-2020:0515 The upstream fix is linked from the RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1757324 Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
CC: (none) => smelror
Assigning (previously CC) to Stig as the active 'ksh' maintainer.
Assignee: bugsquad => smelror
CC: smelror => (none)
Fedora has issued an advisory for this on February 16: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N4R57SLEOTTXFWOLPTVVS2AOZ35FZEJR/
Status comment: (none) => Patch available from Fedora
ksh 2020.0.0 on Cauldron has been obsoleted and pdksh has been updated to take its place.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Source RPM: ksh-2020.0.0.338.git8d91e8a-0.2.mga8.src.rpm => ksh-2020.0.0.81.git8052490-0.1.mga7.src.rpm
(In reply to Stig-Ørjan Smelror from comment #3)
> ksh 2020.0.0 on Cauldron has been obsoleted and pdksh has been updated to
> take its place.

That seems backwards to me. From what I gather, only ksh2020 isn't being further developed, where the master branch is a continuation of ksh93 (a shame, as the only shells I've tried in which `echo hi | read a; echo $a` (https://github.com/ibara/oksh/blob/main/README.pdksh) prints out "hi" are ksh2020 and zsh; bash, ksh93, pdksh, mksh, etc. all print out an empty string). pdksh is ancient and I can't even find where it exists on the Internet anymore. In fact, I don't even know where you guys get the source code; it's certainly not at the location specified in the SPEC file (perhaps it's just cached, inherited from Mandriva). The mksh FAQ says that pdksh hasn't been updated since 1999. It seems to me that if you're going to replace upstream ksh with something, it should be mksh, which (unlike pdksh) is actively developed and has been blessed by David Korn. http://www.mirbsd.org/mksh-faq.htm#kornshell
CC: (none) => zooplah
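The pipeline behaviour the comment above describes, as an added example that is not part of the bug thread: in bash, dash, ksh93, mksh and pdksh every element of a pipeline, the last one included, runs in a subshell, so a variable set by `read` at the end of a pipeline is lost; ksh2020 and zsh run the last element in the current shell. The function names are my own, and the script also shows two portable ways to read a line into a variable that work in all of these shells.

```shell
#!/bin/sh
# Added example (not from the bug thread). Function names are hypothetical.

# Probe: returns 0 if `echo hi | read a` leaves $a set in the running shell
# (ksh2020, zsh), 1 if the read ran in a subshell (bash, dash, ksh93, mksh).
pipe_read_survives() {
    a=""
    echo hi | read a
    [ "$a" = "hi" ]
}

# Portable alternative 1: a here-document. `read` runs in the current
# shell, so the variable is visible afterwards in every POSIX shell.
read_via_heredoc() {
    read b <<EOF
hi
EOF
    printf '%s\n' "$b"
}

# Portable alternative 2: command substitution assigns in the current shell.
read_via_subst() {
    c=$(echo hi)
    printf '%s\n' "$c"
}

# Report which behaviour the shell running this script has.
describe_shell() {
    if pipe_read_survives; then
        echo "last pipeline element runs in the current shell"
    else
        echo "last pipeline element runs in a subshell"
    fi
}

describe_shell
read_via_heredoc
read_via_subst
```

Run it under `sh`, `bash`, `ksh` and `zsh` to see the first line change while the two portable forms print "hi" everywhere.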
Thanks for the information. Please file a new bug with this information if you haven't already.
patch added to fix this CVE:

src:
- ksh-2020.0.0.81.git8052490-0.1.1.mga7
CC: (none) => mageia
Status comment: Patch available from Fedora => (none)
Assignee: smelror => qa-bugs
Advisory:
========================

Updated ksh package fixes security vulnerability:

A flaw was found in the way ksh evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely (CVE-2019-14868).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14868
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N4R57SLEOTTXFWOLPTVVS2AOZ35FZEJR/
MGA7 - 64 bit - gnome

Installed and ran a basic script. My days of sophisticated KSH scripts are done since I quit coding for hp-ux. ksh is functional.
CC: (none) => brtians1
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 7.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory committed to svn.
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0141.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED