Package: ksh
Version: 93u+20120801-1
Severity: normal
Dear Maintainer,
When the encoding as set by LANG is UTF8 and non-valid UTF-8 is passed in the
command line, ksh fails to parse it correctly and may actually leak internal
data.
The following Perl script, generates a test case and runs it with pdksh (which
generates the expected output) and ksh (which doesn't):
-------- ksh_bug.pl -----------
#!/usr/bin/perl
my $string = "'\x82'" . q|\'' ~{'|;
$| = 1;
$ENV{LANG} = 'en_US.UTF-8';
print "string: $string\n";
print "\npdksh: ";
system pdksh => -c => "printf '%s' $string";
print "\nksh: ";
system ksh => -c => "printf '%s' $string";
print "\nksh(e):";
system ksh => -c => "echo $string";
print "\n\n";
-------------------------------
The output I get on my box is:
# perl ksh_bug.pl
string: ''\'' ~{'
pdksh: ' ~{
ksh: ' ~{/dev/fd/3
ksh(e):' ~{ /dev/fd/3
-------------------------------
Notice the unexpected "/dev/fd/3" data appended into ksh's output.
I have been unable to identify which patterns actually trigger that bug.
Note that this bug may be exploitable as it is common to pass data from the
outside to commands through the shell.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-23-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ksh depends on:
ii libc6 2.18-3
ksh recommends no packages.
ksh suggests no packages.
-- no debconf information
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]