From fe135eb62447a9fcb01ab496b432759f4ffd7bf3 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Feb 24 2020 07:58:25 +0000
Subject: import ksh-20120801-140.el7_7
---
diff --git a/SOURCES/ksh-20120801-cve-2019-14868.patch b/SOURCES/ksh-20120801-cve-2019-14868.patch
new file mode 100644
index 0000000..b0703f3
--- /dev/null
+++ b/SOURCES/ksh-20120801-cve-2019-14868.patch
@@ -0,0 +1,52 @@
+diff --git a/src/cmd/ksh93/sh/arith.c b/src/cmd/ksh93/sh/arith.c
+--- a/src/cmd/ksh93/sh/arith.c
++++ b/src/cmd/ksh93/sh/arith.c
+@@ -513,21 +513,34 @@ Sfdouble_t sh_strnum(register const char *str, char** ptr, int mode)
+ char base=(shp->inarith?0:10), *last;
+ if(*str==0)
+ {
+- if(ptr)
+- *ptr = (char*)str;
+- return(0);
+- }
+- errno = 0;
+- d = strtonll(str,&last,&base,-1);
+- if(*last || errno)
+- {
+- if(!last || *last!='.' || last[1]!='.')
+- d = strval(shp,str,&last,arith,mode);
+- if(!ptr && *last && mode>0)
+- errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
++ d = 0.0;
++ last = (char*)str;
++ } else {
++ errno = 0;
++ d = strtonll(str,&last,&base,-1);
++ if (*last && !shp->inarith && sh_isstate(SH_INIT)) {
++ // This call is to handle "base#value" literals if we're importing untrusted env vars.
++ errno = 0;
++ d = strtonll(str, &last, NULL, -1);
++ }
++
++ if(*last || errno)
++ {
++ if (sh_isstate(SH_INIT)) {
++ // Initializing means importing untrusted env vars. Since the string does not appear
++ // to be a recognized numeric literal give up. We can't safely call strval() since
++ // that allows arbitrary expressions which would create a security vulnerability.
++ d = 0.0;
++ } else {
++ if(!last || *last!='.' || last[1]!='.')
++ d = strval(shp,str,&last,arith,mode);
++ if(!ptr && *last && mode>0)
++ errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
++ }
++ } else if (!d && *str=='-') {
++ d = -0.0;
++ }
+ }
+- else if (!d && *str=='-')
+- d = -0.0;
+ if(ptr)
+ *ptr = last;
+ return(d);
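Review bot: The `sh_isstate(SH_INIT)` give-up branch zeroes every string that `strtonll` does not consume completely or that sets `errno`, not only expressions, and it does so with no diagnostic. `strtonll` is an integer parser by name, so a legitimately exported floating-point value such as `1.5` presumably stops at the `.` and is imported as 0. Please confirm that, and if it holds, try a literal-only parse before zeroing, for example `errno = 0; d = strtold(str, &last); if(*last || errno) d = 0.0;`, which still never reaches `strval()`. The embedded patch touches only arith.c, so a regression test asserting that a non-literal value imported from the environment is stored as 0 rather than evaluated would help keep the fix in place. sh_strnum begins before the hunk (the declarations of `d` and `shp` are not visible), so this is based on the visible lines only.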
diff --git a/SPECS/ksh.spec b/SPECS/ksh.spec index e328571..0b03a7f 100644 --- a/SPECS/ksh.spec +++ b/SPECS/ksh.spec @@ -8,7 +8,7 @@ Group: System Environment/Shells #CPL everywhere else (for KSH itself) License: EPL Version: 20120801 -Release: 139%{?dist} +Release: 140%{?dist} Source0: http://www.research.att.com/~gsf/download/tgz/ast-ksh.%{releasedate}.tgz Source1: http://www.research.att.com/~gsf/download/tgz/INIT.%{releasedate}.tgz Source2: kshcomp.conf @@ -192,6 +192,9 @@ Patch78: ksh-20120801-validate-fd.patch # rhbz#1546749 Patch79: ksh-20120801-nv_open-memcmp.patch +# rhbz#1790544 +Patch80: ksh-20120801-cve-2019-14868.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Conflicts: pdksh Requires: coreutils, diffutils, chkconfig @@ -270,6 +273,7 @@ with "sh" (the Bourne Shell). %patch77 -p1 -b .signal-bubbling %patch78 -p1 -b .validate-fd %patch79 -p1 -b .nv_open-memcmp +%patch80 -p1 -b .cve-2019-14868 #/dev/fd test does not work because of mock sed -i 's|ls /dev/fd|ls /proc/self/fd|' src/cmd/ksh93/features/options @@ -395,6 +399,10 @@ fi rm -rf $RPM_BUILD_ROOT %changelog +* Tue Jan 28 2020 Siteshwar Vashisht - 20120801-140 +- Do not evaluate arithmetic expressions from environment variables at startup + Resolves: #1790543 + * Mon May 28 2018 Siteshwar Vashisht - 20120801-139 - Fix a crash caused by memcmp() Resolves: #1546749