rpms / ksh

Clone
Source Code
GIT

Blame SOURCES/ksh-20120801-cve-2019-14868.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   c8s
  2.   SOURCES
  3.   ksh-20120801-cve-2019-14868.patch
Blob History Raw
dc1902 
diff --git a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c
dc1902 
--- a/src/cmd/ksh93/sh/arith.c
dc1902 
+++ b/src/cmd/ksh93/sh/arith.c
dc1902 
@@ -513,21 +513,34 @@ Sfdouble_t sh_strnum(register const char *str, char** ptr, int mode)
dc1902 
 	char base=(shp->inarith?0:10), *last;
dc1902 
 	if(*str==0)
dc1902 
 	{
dc1902 
-		if(ptr)
dc1902 
-			*ptr = (char*)str;
dc1902 
-		return(0);
dc1902 
-	}
dc1902 
-	errno = 0;
dc1902 
-	d = strtonll(str,&last,&base,-1);
dc1902 
-	if(*last || errno)
dc1902 
-	{
dc1902 
-		if(!last || *last!='.' || last[1]!='.')
dc1902 
-			d = strval(shp,str,&last,arith,mode);
dc1902 
-		if(!ptr && *last && mode>0)
dc1902 
-			errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
dc1902 
+		d = 0.0;
dc1902 
+		last = (char*)str;
dc1902 
+	} else {
dc1902 
+		errno = 0;
dc1902 
+		d = strtonll(str,&last,&base,-1);
dc1902 
+		if (*last && !shp->inarith && sh_isstate(SH_INIT)) {
dc1902 
+			// This call is to handle "base#value" literals if we're importing untrusted env vars.
dc1902 
+			errno = 0;
dc1902 
+			d = strtonll(str, &last, NULL, -1);
dc1902 
+		}
dc1902 
+
dc1902 
+		if(*last || errno)
dc1902 
+		{
dc1902 
+			if (sh_isstate(SH_INIT)) {
dc1902 
+				// Initializing means importing untrusted env vars. Since the string does not appear
dc1902 
+				// to be a recognized numeric literal give up. We can't safely call strval() since
dc1902 
+				// that allows arbitrary expressions which would create a security vulnerability.
dc1902 
+				d = 0.0;
dc1902 
+			} else {
dc1902 
+				if(!last || *last!='.' || last[1]!='.')
dc1902 
+					d = strval(shp,str,&last,arith,mode);
dc1902 
+				if(!ptr && *last && mode>0)
dc1902 
+					errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
dc1902 
+			}
dc1902 
+		} else if (!d && *str=='-') {
dc1902 
+			d = -0.0;
dc1902 
+		}
dc1902 
 	}
dc1902 
-	else if (!d && *str=='-')
dc1902 
-		d = -0.0;
dc1902 
 	if(ptr)
dc1902 
 		*ptr = last;
dc1902 
 	return(d);

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation