ksh: CVE-2019-14868


Debian Bug report logs - #948989
ksh: CVE-2019-14868


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 15 Jan 2020 16:57:01 UTC

Severity: grave

Tags: security, upstream

Found in versions ksh/2020.0.0-2, ksh/93u+20120801-3.1, ksh/93u+20120801-3.4

Fixed in version ksh/2020.0.0-2.1

Done: Boyuan Yang <byang@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Anuradha Weeraman <aweeraman@gmail.com>:
Bug#948989; Package src:ksh. (Wed, 15 Jan 2020 16:57:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Anuradha Weeraman <aweeraman@gmail.com>. (Wed, 15 Jan 2020 16:57:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ksh: CVE-2019-14868
Date: Wed, 15 Jan 2020 17:53:28 +0100
Source: ksh
Version: 2020.0.0-2
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for ksh.

CVE-2019-14868[0]:
|environment variables on startup are interpreted as arithmetic
|expression leading to code injection

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14868
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14868
[1] https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions ksh/93u+20120801-3.4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 15 Jan 2020 17:06:03 GMT)


Marked as found in versions ksh/93u+20120801-3.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 15 Jan 2020 17:06:04 GMT)


Reply sent to Boyuan Yang <byang@debian.org>:
You have taken responsibility. (Wed, 15 Jan 2020 18:09:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 15 Jan 2020 18:09:04 GMT)


Message #14 received at 948989-close@bugs.debian.org:

From: Boyuan Yang <byang@debian.org>
To: 948989-close@bugs.debian.org
Subject: Bug#948989: fixed in ksh 2020.0.0-2.1
Date: Wed, 15 Jan 2020 18:04:50 +0000
Source: ksh
Source-Version: 2020.0.0-2.1

We believe that the bug you reported is fixed in the latest version of
ksh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 948989@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Boyuan Yang <byang@debian.org> (supplier of updated ksh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Jan 2020 12:17:25 -0500
Source: ksh
Architecture: source
Version: 2020.0.0-2.1
Distribution: unstable
Urgency: medium
Maintainer: Anuradha Weeraman <aweeraman@gmail.com>
Changed-By: Boyuan Yang <byang@debian.org>
Closes: 948989
Changes:
 ksh (2020.0.0-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * debian/patches/0008: Cherry-pick upstream security fix.
     (CVE-2019-14868, Closes: #948989)
Checksums-Sha1:
 8d14d8669e16618adec9844f0cf0edc9f27722aa 1927 ksh_2020.0.0-2.1.dsc
 ada13f01ca66f5a0564bf74d9902774f8ef72dd9 19208 ksh_2020.0.0-2.1.debian.tar.xz
 c4f49592b9753c156d07018c5b8951b84c5b57e9 7094 ksh_2020.0.0-2.1_amd64.buildinfo
Checksums-Sha256:
 fc4e8cd60a4a8a0d85f4900a6b69b3dafebb5dcc13b347dfb877c89a2d7ecaff 1927 ksh_2020.0.0-2.1.dsc
 0bff767a252da25c597d94d2063d3372e3098f88c6aa87a15d550097aedf2cd1 19208 ksh_2020.0.0-2.1.debian.tar.xz
 40713f4a2f8a7ac64bd193acadb4d028ede37f70565796ff85ca6b7635666d70 7094 ksh_2020.0.0-2.1_amd64.buildinfo
Files:
 c674fa594b566cb81288fc16146e2ebc 1927 shells optional ksh_2020.0.0-2.1.dsc
 4a0eeebfaebd47b3456fbc4fe344f098 19208 shells optional ksh_2020.0.0-2.1.debian.tar.xz
 be04edba67021111b5cb84b1ffefee01 7094 shells optional ksh_2020.0.0-2.1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 24 07:28:31 2020; Machine Name: beach
