Bug 708618 (CVE-2019-14868)

Summary: app-shells/ksh: some environment variables interpreted as arithmetic expressions on startup, leading to code injection (CVE-2019-14868)
Product: Gentoo Security
Reporter: Mike Gilbert <floppym>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: floppym
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also:
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---

Description Mike Gilbert gentoo-dev 2020-02-07 15:56:08 UTC
From the Red Hat bug report:

A flaw was found in the way ksh evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.
Comment 1 Larry the Git Cow gentoo-dev 2020-02-07 16:08:12 UTC
The bug has been referenced in the following commit(s):

commit 17c85a06ac2f352567348a04c4f682c950105417
Author:     Mike Gilbert <>
AuthorDate: 2020-02-07 16:07:03 +0000
Commit:     Mike Gilbert <>
CommitDate: 2020-02-07 16:07:24 +0000

    app-shells/ksh: add fix for CVE-2019-14868
    Package-Manager: Portage-2.3.86_p1, Repoman-2.3.20_p43
    Signed-off-by: Mike Gilbert <>

 app-shells/ksh/files/CVE-2019-14868.patch          | 89 ++++++++++++++++++++++
 ...{ksh-2020.0.0.ebuild => ksh-2020.0.0-r1.ebuild} |  3 +-
 2 files changed, 91 insertions(+), 1 deletion(-)
Comment 2 Sam James (sam_c) (security padawan) 2020-03-26 18:42:57 UTC
Tree is clean.