Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 524414 - <app-shells/mksh-50c: allows += from environment
Summary: <app-shells/mksh-50c: allows += from environment
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.mirbsd.org/mksh.htm#clog
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-03 21:53 UTC by Lars Wendler (Polynomial-C)
Modified: 2015-11-02 16:46 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Wendler (Polynomial-C) gentoo-dev 2014-10-03 21:53:26 UTC
From the Changes section of mksh's website:

R50c is a security fix release:

    [tg] Know more rare signals when generating sys_signame[] replacement
    [tg] OpenBSD sync (mostly RCSID only)
    [tg] Document HISTSIZE limit; found by luigi_345 on IRC
    [zacts] Fix link to Debian .mkshrc
    [tg] Cease exporting $RANDOM (Debian #760857)
    [tg] Fix C99 compatibility
    [tg] Work around klibc bug causing a coredump (Debian #763842)
    [tg] Use issetugid(2) as additional check if we are FPRIVILEGED
    [tg] SECURITY: do not permit += from environment
    [tg] Fix more field splitting bugs reported by Stephane Chazelas and mikeserv; document current status wrt. ambiguous ones as testcases too


app-shells/mksh-50c is already in the tree.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-12 08:14:48 UTC
New GLSA request filed. 

@Maintainer(s): Please clean up vulnerable versions from the tree
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-01-01 10:31:39 UTC
+  01 Jan 2015; Mikle Kolyada <zlogene@gentoo.org> -mksh-48b.ebuild,
+  -mksh-49.ebuild, -mksh-50b.ebuild, -mksh-50c.ebuild:
+  Security cleanup
+
Comment 3 Manuel Rüger (RETIRED) gentoo-dev 2015-09-27 12:32:21 UTC
https://www.mirbsd.org/permalinks/wlog-10_e20141003-tg.htm#e20141003-tg_wlog-10
The issue has not got a CVE identifier because it was identified as low-risk
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-11-02 16:46:28 UTC
This issue was resolved and addressed in
 GLSA 201511-01 at https://security.gentoo.org/glsa/201511-01
by GLSA coordinator Yury German (BlueKnight).