Attached is my patch to deal with this issue. It is mostly a copy and
paste of the code from the upstream patch, except the following changes
were required (and from the original code):
* The number call has been replaced with a strtonll call.
* The sh_isstate call has been changed to take only on
I meant to include this test run:
(stretch-amd64-default)root@silverfish:/home/brian# SHLVL='2#11+x[$(/bin/echo
DANGER WILL ROBINSON >&2)0]' /usr/bin/ksh
Segmentation fault
DANGER WILL ROBINSON
As in no echo command is required.
Below is the full stack trace of the segfault (recompiled withou
Ola Lundqvist writes:
> Interesting. I wonder how I concluded that it was just arithmetic
> expressions. Do you want me to re-check it?
Yes please, might be a good idea.
> Segmentation faults can be problematic too, but it looks like we have
> some protection against this CVE already. The quest
Hi
Interesting. I wonder how I concluded that it was just arithmetic
expressions. Do you want me to re-check it?
Segmentation faults can be problematic too, but it looks like we have
some protection against this CVE already. The question is whether the
subshell is actually executed before the sigs
Ola Lundqvist writes:
> Ah one more thing. In the jessie version (I was the one marking it as
> ignored) I concluded that any arithmetic expression could be executed
> but not any expression. This means that you could run for example
> 10+4+5 (evaluated to 19) but not $(/bin/bash). I suggest chec
Hi again
Ah one more thing. In the jessie version (I was the one marking it as
ignored) I concluded that any arithmetic expression could be executed
but not any expression. This means that you could run for example
10+4+5 (evaluated to 19) but not $(/bin/bash). I suggest checking if
the stretch ve
https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29 :)
- Sylvain
On 13/07/2020 10:39, Ola Lundqvist wrote:
> Hi
>
> One more note. The command will be executed as the authenticated user.
> So there is no privilege escalation.
> But this may be used in combination with some privilege esca
Hi
One more note. The command will be executed as the authenticated user.
So there is no privilege escalation.
But this may be used in combination with some privilege escalation though.
// Ola
On Mon, 13 Jul 2020 at 10:37, Ola Lundqvist wrote:
>
> Hi
>
> An attack is possible in the following c
Hi
An attack is possible in the following cases:
1) The attacker can log in
2) The attacker is not supposed to execute any command, just run the
command that uses ksh as interpreter.
3) The attacker can trick ksh to import environment variables from the
attacker (for example in a login shell like pr
Hi,
On 13/07/2020 00:01, Brian May wrote:
> Is dla-needed.txt for Jessie or Stretch now?
Stretch.
> ksh was removed from dla-needed.txt for Stretch and classified "minor":
>
> https://salsa.debian.org/security-tracker-team/security-tracker/commit/87322fcf
>
> Then it was added again:
>
> http
Is dla-needed.txt for Jessie or Stretch now?
ksh was removed from dla-needed.txt for Stretch and classified "minor":
https://salsa.debian.org/security-tracker-team/security-tracker/commit/87322fcf
Then it was added again:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/59