| Summary: | <app-shells/mksh-50c: allows += from environment | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Lars Wendler (Polynomial-C) (RETIRED) <polynomial-c> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | hanno, patrick |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://www.mirbsd.org/mksh.htm#clog | ||
| Whiteboard: | B2 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
New GLSA request filed. @Maintainer(s): Please clean up vulnerable versions from the tree + 01 Jan 2015; Mikle Kolyada <zlogene@gentoo.org> -mksh-48b.ebuild, + -mksh-49.ebuild, -mksh-50b.ebuild, -mksh-50c.ebuild: + Security cleanup + https://www.mirbsd.org/permalinks/wlog-10_e20141003-tg.htm#e20141003-tg_wlog-10 The issue has not got a CVE identifier because it was identified as low-risk This issue was resolved and addressed in GLSA 201511-01 at https://security.gentoo.org/glsa/201511-01 by GLSA coordinator Yury German (BlueKnight). |
From the Changes section of mksh's website: R50c is a security fix release: [tg] Know more rare signals when generating sys_signame[] replacement [tg] OpenBSD sync (mostly RCSID only) [tg] Document HISTSIZE limit; found by luigi_345 on IRC [zacts] Fix link to Debian .mkshrc [tg] Cease exporting $RANDOM (Debian #760857) [tg] Fix C99 compatibility [tg] Work around klibc bug causing a coredump (Debian #763842) [tg] Use issetugid(2) as additional check if we are FPRIVILEGED [tg] SECURITY: do not permit += from environment [tg] Fix more field splitting bugs reported by Stephane Chazelas and mikeserv; document current status wrt. ambiguous ones as testcases too app-shells/mksh-50c is already in the tree.