
Bug 708618 (CVE-2019-14868)

Summary: app-shells/ksh: some environment variables interpreted as arithmetic expressions on startup, leading to code injection (CVE-2019-14868)
Product: Gentoo Security
Reporter: Mike Gilbert <floppym>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: floppym
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1757324
Whiteboard: ~2 [noglsa cve]
Package list:
Runtime testing required: ---

Description Mike Gilbert gentoo-dev 2020-02-07 15:56:08 UTC
From the Red Hat bug report:

A flaw was found in the way ksh evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.
Comment 1 Larry the Git Cow gentoo-dev 2020-02-07 16:08:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=17c85a06ac2f352567348a04c4f682c950105417

commit 17c85a06ac2f352567348a04c4f682c950105417
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2020-02-07 16:07:03 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-02-07 16:07:24 +0000

    app-shells/ksh: add fix for CVE-2019-14868
    
    Bug: https://bugs.gentoo.org/708618
    Package-Manager: Portage-2.3.86_p1, Repoman-2.3.20_p43
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 app-shells/ksh/files/CVE-2019-14868.patch          | 89 ++++++++++++++++++++++
 ...{ksh-2020.0.0.ebuild => ksh-2020.0.0-r1.ebuild} |  3 +-
 2 files changed, 91 insertions(+), 1 deletion(-)
Comment 2 Sam James gentoo-dev Security 2020-03-26 18:42:57 UTC
Tree is clean.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-05-02 21:44:47 UTC
CVE-2019-14868 (https://nvd.nist.gov/vuln/detail/CVE-2019-14868):
  In ksh version 20120801, a flaw was found in the way it evaluates certain
  environment variables. An attacker could use this flaw to override or bypass
  environment restrictions to execute shell commands. Services and
  applications that allow remote unauthenticated attackers to provide one of
  those environment variables could allow them to exploit this issue remotely.