Hi again

Ah one more thing. In the jessie version (I was the one marking it as ignored) I concluded that any arithmetic expression could be executed but not any expression. This means that you could run for example 10+4+5 (evaluated to 19) but not $(/bin/bash). I suggest checking if the stretch version has the same conclusion. Because if that is the case, there is no point in fixing it.

// Ola

On Mon, 13 Jul 2020 at 10:39, Ola Lundqvist <o...@inguza.com> wrote:
>
> Hi
>
> One more note. The command will be executed as the authenticated user.
> So there is no privilege escalation.
> But this may be used in combination with some privilege escalation though.
>
> // Ola
>
> On Mon, 13 Jul 2020 at 10:37, Ola Lundqvist <o...@inguza.com> wrote:
> >
> > Hi
> >
> > An attack is possible in the following cases:
> > 1) The attacker can log in
> > 2) The attacker is not supposed to execute any command, just run the
> > command that uses ksh as interpreter.
> > 3) The attacker can trick ksh to import environment variables from the
> > attacker (for example in a login shell like provided through ssh)
> >
> > I'd say that this is a rather rare case, but sure fixing it is better
> > than not to.
> >
> > GitHub is up now but essentially the patch does what the description of
> > the vulnerability tells. It only allows integers.
> >
> > Best regards
> >
> > // Ola
> >
> > On Mon, 13 Jul 2020 at 09:55, Sylvain Beucler <b...@beuc.net> wrote:
> > >
> > > Hi,
> > >
> > > On 13/07/2020 00:01, Brian May wrote:
> > > > Is dla-needed.txt for Jessie or Stretch now?
> > >
> > > Stretch.
> > >
> > > > ksh was removed from dla-needed.txt for Stretch and classified "minor":
> > > >
> > > > https://salsa.debian.org/security-tracker-team/security-tracker/commit/87322fcf
> > > >
> > > > Then it was added again:
> > > >
> > > > https://salsa.debian.org/security-tracker-team/security-tracker/commit/59a9cd9dca3afc830fea869d12baf2f3d7c21126
> > > >
> > > > Should we mark it as ignored in Stretch also? Or maybe the reason (as
> > > > given in the commit message when ksh was first removed) was wrong?
> > > >
> > > > https://salsa.debian.org/security-tracker-team/security-tracker/commit/b72cc677e719d37f5f3378d616d9cb53315db927
> > >
> > > GitHub is currently down, so I can't review the patch, but it sounds
> > > like we don't know for sure the full impact of the vulnerability and
> > > would be better off fixing it.
> > >
> > > Cheers!
> > > Sylvain
> >
> > --
> > --- Inguza Technology AB --- MSc in Information Technology ----
> > | o...@inguza.com o...@debian.org |
> > | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
> > ---------------------------------------------------------------