From the Red Hat bug report: A flaw was found in the way ksh evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=17c85a06ac2f352567348a04c4f682c950105417

commit 17c85a06ac2f352567348a04c4f682c950105417
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2020-02-07 16:07:03 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-02-07 16:07:24 +0000

    app-shells/ksh: add fix for CVE-2019-14868

    Bug: https://bugs.gentoo.org/708618
    Package-Manager: Portage-2.3.86_p1, Repoman-2.3.20_p43
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 app-shells/ksh/files/CVE-2019-14868.patch          | 89 ++++++++++++++++++++++
 ...{ksh-2020.0.0.ebuild => ksh-2020.0.0-r1.ebuild} |  3 +-
 2 files changed, 91 insertions(+), 1 deletion(-)
Tree is clean.
CVE-2019-14868 (https://nvd.nist.gov/vuln/detail/CVE-2019-14868): In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.