Accepting request 1192627 from shells

Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/1192627 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ksh?expand=0&rev=117
2024-08-09 14:14:57 +00:00 · 2024-08-09 14:14:57 +00:00 · 0a1ca24762
commit 0a1ca24762
parent ba7a2d99be 54ca44b456
4 changed files with 78 additions and 0 deletions
--- a/ksh.changes
+++ b/ksh.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Aug  1 14:04:27 CEST 2024 - mls@suse.de
+
+- fix segfault in variable substitution [bsc#1129288]
+  new patch: ksh93-putval.dif
+- fix untrusted environment execution [bsc#1160796] [CVE-2019-14868]
+  new patch: ksh93-untrustedenv.dif
+
 -------------------------------------------------------------------
 Mon May 13 16:38:57 CEST 2024 - mls@suse.de

--- a/ksh.spec
+++ b/ksh.spec
@ -153,6 +153,8 @@ Patch54:        ksh93-edpredict.dif
 Patch55:        ksh93-spawnlock.dif
 Patch56:        ksh93-filedefined.dif
 Patch57:        ksh93-no-sysctl.dif
+Patch58:        ksh93-putval.dif
+Patch59:        ksh93-untrustedenv.dif
 Patch62:        ksh-locale.patch
 Patch63:        cpp.patch

@ -265,6 +267,8 @@ fi
 %patch -P 55
 %patch -P 56
 %patch -P 57
+%patch -P 58
+%patch -P 59

 %patch -P 63 -p 1

--- a/ksh93-putval.dif
+++ b/ksh93-putval.dif
@ -0,0 +1,15 @@
+--- ./src/cmd/ksh93/sh/name.c.orig	2019-04-04 14:28:17.044667686 +0000
+++ ./src/cmd/ksh93/sh/name.c	2019-04-04 14:28:32.472629455 +0000
+@@ -1986,8 +1986,11 @@ void nv_putval(register Namval_t *np, co
+ 		up->cp = cp;
+ 		if(sp)
+ 		{
+			size_t splen = strlen(sp);
+ 			int c = cp[dot+append];
+-			memmove(cp+append,sp,dot);
+			memmove(cp+append,sp,dot>splen?splen:dot);
+			if (dot>splen)
+				memset(cp+append+splen,0,dot-splen);
+ 			cp[dot+append] = c;
+ 			if(nv_isattr(np, NV_RJUST) && nv_isattr(np, NV_ZFILL))
+ 				rightjust(cp,size,'0');
--- a/ksh93-untrustedenv.dif
+++ b/ksh93-untrustedenv.dif
@ -0,0 +1,51 @@
+--- src/cmd/ksh93/sh/arith.c.orig
+++ src/cmd/ksh93/sh/arith.c
+@@ -513,21 +513,34 @@ Sfdouble_t sh_strnum(register const char *str, char** ptr, int mode)
+ 	char base=(shp->inarith?0:10), *last;
+ 	if(*str==0)
+ 	{
+-		if(ptr)
+-			*ptr = (char*)str;
+-		return(0);
+-	}
+-	errno = 0;
+-	d = strtonll(str,&last,&base,-1);
+-	if(*last || errno)
+-	{
+-		if(!last || *last!='.' || last[1]!='.')
+-			d = strval(shp,str,&last,arith,mode);
+-		if(!ptr && *last && mode>0)
+-			errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
+		d = 0.0;
+		last = (char*)str;
+	} else {
+		errno = 0;
+		d = strtonll(str,&last,&base,-1);
+		if (*last && !shp->inarith && sh_isstate(SH_INIT)) {
+			// This call is to handle "base#value" literals if we're importing untrusted env vars.
+			errno = 0;
+			d = strtonll(str, &last, NULL, -1);
+		}
+
+		if(*last || errno)
+		{
+			if (sh_isstate(SH_INIT)) {
+				// Initializing means importing untrusted env vars. Since the string does not appear
+				// to be a recognized numeric literal give up. We can't safely call strval() since
+				// that allows arbitrary expressions which would create a security vulnerability.
+				d = 0.0;
+			} else {
+				if(!last || *last!='.' || last[1]!='.')
+					d = strval(shp,str,&last,arith,mode);
+				if(!ptr && *last && mode>0)
+					errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
+			}
+		} else if (!d && *str=='-') {
+			d = -0.0;
+		}
+ 	}
+-	else if (!d && *str=='-')
+-		d = -0.0;
+ 	if(ptr)
+ 		*ptr = last;
+ 	return(d);