Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ksh for openSUSE:Factory checked in at 2024-08-09 16:14:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ksh (Old) and /work/SRC/openSUSE:Factory/.ksh.new.7232 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ksh" Fri Aug 9 16:14:57 2024 rev:117 rq:1192627 version:93vu Changes: --------
--- /work/SRC/openSUSE:Factory/ksh/ksh.changes 2024-05-14 13:40:47.903918269 +0200
+++ /work/SRC/openSUSE:Factory/.ksh.new.7232/ksh.changes 2024-08-09 16:15:31.333080895 +0200
@@ -1,0 +2,8 @@
+Thu Aug 1 14:04:27 CEST 2024 - mls@suse.de
+
+- fix segfault in variable substitution [bsc#1129288]
+ new patch: ksh93-putval.dif
+- fix untrusted environment execution [bsc#1160796] [CVE-2019-14868]
+ new patch: ksh93-untrustedenv.dif
+
+-------------------------------------------------------------------
New: ---- ksh93-putval.dif ksh93-untrustedenv.dif
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ ksh.spec ++++++
--- /var/tmp/diff_new_pack.18NJu9/_old 2024-08-09 16:15:34.241202280 +0200
+++ /var/tmp/diff_new_pack.18NJu9/_new 2024-08-09 16:15:34.241202280 +0200
@@ -153,6 +153,8 @@
Patch55: ksh93-spawnlock.dif
Patch56: ksh93-filedefined.dif
Patch57: ksh93-no-sysctl.dif
+Patch58: ksh93-putval.dif
+Patch59: ksh93-untrustedenv.dif
Patch62: ksh-locale.patch
Patch63: cpp.patch
@@ -265,6 +267,8 @@
%patch -P 55
%patch -P 56
%patch -P 57
+%patch -P 58
+%patch -P 59
%patch -P 63 -p 1
++++++ ksh93-putval.dif ++++++
--- ./src/cmd/ksh93/sh/name.c.orig 2019-04-04 14:28:17.044667686 +0000
+++ ./src/cmd/ksh93/sh/name.c 2019-04-04 14:28:32.472629455 +0000
@@ -1986,8 +1986,11 @@ void nv_putval(register Namval_t *np, co
up->cp = cp;
if(sp)
{
+ size_t splen = strlen(sp);
int c = cp[dot+append];
- memmove(cp+append,sp,dot);
+ memmove(cp+append,sp,dot>splen?splen:dot);
+ if (dot>splen)
+ memset(cp+append+splen,0,dot-splen);
cp[dot+append] = c;
if(nv_isattr(np, NV_RJUST) && nv_isattr(np, NV_ZFILL))
rightjust(cp,size,'0');
++++++ ksh93-untrustedenv.dif ++++++
--- src/cmd/ksh93/sh/arith.c.orig
+++ src/cmd/ksh93/sh/arith.c
@@ -513,21 +513,34 @@ Sfdouble_t sh_strnum(register const char *str, char** ptr, int mode)
char base=(shp->inarith?0:10), *last;
if(*str==0)
{
- if(ptr)
- *ptr = (char*)str;
- return(0);
- }
- errno = 0;
- d = strtonll(str,&last,&base,-1);
- if(*last || errno)
- {
- if(!last || *last!='.' || last[1]!='.')
- d = strval(shp,str,&last,arith,mode);
- if(!ptr && *last && mode>0)
- errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
+ d = 0.0;
+ last = (char*)str;
+ } else {
+ errno = 0;
+ d = strtonll(str,&last,&base,-1);
+ if (*last && !shp->inarith && sh_isstate(SH_INIT)) {
+ // This call is to handle "base#value" literals if we're importing untrusted env vars.
+ errno = 0;
+ d = strtonll(str, &last, NULL, -1);
+ }
+
+ if(*last || errno)
+ {
+ if (sh_isstate(SH_INIT)) {
+ // Initializing means importing untrusted env vars. Since the string does not appear
+ // to be a recognized numeric literal give up. We can't safely call strval() since
+ // that allows arbitrary expressions which would create a security vulnerability.
+ d = 0.0;
+ } else {
+ if(!last || *last!='.' || last[1]!='.')
+ d = strval(shp,str,&last,arith,mode);
+ if(!ptr && *last && mode>0)
+ errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
+ }
+ } else if (!d && *str=='-') {
+ d = -0.0;
+ }
}
- else if (!d && *str=='-')
- d = -0.0;
if(ptr)
*ptr = last;
return(d);
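Review bot: In the `nv_putval` hunk, `dot>splen` and `dot-splen` mix `splen` (a `size_t`) with `dot`, whose declaration is outside the hunk. If `dot` is a signed `int`, both expressions are evaluated as unsigned, so a negative `dot` would pass the `dot>splen` test and hand `memset` a very large length. Please confirm `dot` is non-negative on this path, or reject a negative value before the copy. The new lines would also benefit from a comment on why the bound is needed, for example `/* sp may be shorter than dot bytes: copy what exists, zero-fill the rest */`. The body of `nv_putval` starts and ends outside the hunk, so the way `dot` and `sp` are derived cannot be checked here.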
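Review bot: The untrusted-input guard in `sh_strnum` is keyed on the global `sh_isstate(SH_INIT)`, so it only protects strings converted while the shell is initializing. The hunk does not show that every environment-derived value reaches this function in that state. State the invariant next to the check, e.g. `/* SH_INIT must stay set for the whole of environment import; strval() must never see those strings */`, and add a regression test that imports a non-literal value into an integer variable. In the `SH_INIT` branch a rejected string, or one that set `errno`, silently becomes `0.0`. Callers passing `ptr` can still see where parsing stopped through `*ptr = last`, but callers with `ptr == NULL` get no diagnostic, so it is worth confirming that a silent zero is intended.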