<pre style='margin:0'>
Ryan Schmidt (ryandesign) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/f083f1496567cb94afd0a3c48c2fdd53537de95f">https://github.com/macports/macports-ports/commit/f083f1496567cb94afd0a3c48c2fdd53537de95f</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new f083f14 ksh, ksh93: Fix CVE-2019-14868
</span>f083f14 is described below
<span style='display:block; white-space:pre;color:#808000;'>commit f083f1496567cb94afd0a3c48c2fdd53537de95f
</span>Author: Ryan Schmidt <ryandesign@macports.org>
AuthorDate: Sun Feb 23 06:25:24 2020 -0600
<span style='display:block; white-space:pre;color:#404040;'> ksh, ksh93: Fix CVE-2019-14868
</span>---
shells/ksh/Portfile | 4 +-
shells/ksh/files/ksh-2020.0.0-cve-2019-14868.patch | 80 ++++++++++++++++++++++
shells/ksh93/Portfile | 4 +-
.../ksh93/files/ksh-20120801-cve-2019-14868.patch | 56 +++++++++++++++
4 files changed, 142 insertions(+), 2 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/shells/ksh/Portfile b/shells/ksh/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index f33123a..3dbde85 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/shells/ksh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/shells/ksh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -20,7 +20,7 @@ depends_lib port:libiconv
</span>
if {${subport} eq ${name}} {
github.setup att ast 2020.0.0
<span style='display:block; white-space:pre;background:#ffe0e0;'>- revision 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ revision 1
</span> checksums rmd160 2ec9f2d800e69fcc32c9ebda64e331885fd335b8 \
sha256 3d6287f9ad13132bf8e57a8eac512b36a63ccce2b1e4531d7a946c5bf2375c63 \
size 1241660
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -29,6 +29,8 @@ if {${subport} eq ${name}} {
</span>
set branchtype stable
conflicts-append ${name}-devel
<span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patchfiles-append ksh-2020.0.0-cve-2019-14868.patch
</span> }
subport ${name}-devel {
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/shells/ksh/files/ksh-2020.0.0-cve-2019-14868.patch b/shells/ksh/files/ksh-2020.0.0-cve-2019-14868.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..3b35707
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/shells/ksh/files/ksh-2020.0.0-cve-2019-14868.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,80 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Fix environment variable vulnerability CVE-2019-14868
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+using patch emailed to me by Siteshwar Vashisht.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+https://bugzilla.redhat.com/show_bug.cgi?id=1757324
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/cmd/ksh93/sh/arith.c.orig
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/cmd/ksh93/sh/arith.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -567,19 +567,32 @@ Sfdouble_t sh_strnum(Shell_t *shp, const char *str, char **ptr, int mode) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *last;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (*str == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (ptr) *ptr = (char *)str;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- errno = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- d = number(str, &last, shp->inarith ? 0 : 10, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (*last) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (*last != '.' || last[1] != '.') {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- d = strval(shp, str, &last, arith, mode);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Varsubscript = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ d = 0.0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ last = (char *)str;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ d = number(str, &last, shp->inarith ? 0 : 10, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (*last && !shp->inarith && sh_isstate(shp, SH_INIT)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // This call is to handle "base#value" literals if we're importing untrusted env vars.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ d = number(str, &last, 0, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (*last) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (sh_isstate(shp, SH_INIT)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // Initializing means importing untrusted env vars. Since the string does not appear
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // to be a recognized numeric literal give up. We can't safely call strval() since
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // that allows arbitrary expressions which would create a security vulnerability.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ d = 0.0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (*last != '.' || last[1] != '.') {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ d = strval(shp, str, &last, arith, mode);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Varsubscript = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!ptr && *last && mode > 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else if (d == 0.0 && *str == '-') {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ d = -0.0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (!ptr && *last && mode > 0) errormsg(SH_DICT, ERROR_exit(1), e_lexbadchar, *last, str);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- } else if (!d && *str == '-') {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- d = -0.0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ptr) *ptr = last;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return d;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/cmd/ksh93/tests/subshell.sh.orig
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/cmd/ksh93/tests/subshell.sh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -856,3 +856,26 @@ for exp in 65535 65536
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ do got=$($SHELL -c 'x=$(printf "%.*c" '$exp' x); print ${#x}' 2>&1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [[ $got == $exp ]] || log_error "large command substitution failed" "$exp" "$got"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ done
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# ==========
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# Verify that importing untrusted env vars does not allow evaluating arbitrary expressions but does
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# recognize all integer literals recognized by ksh.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++expect=8
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++actual=$(env SHLVL='7' $SHELL -c 'echo $SHLVL')
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++[[ $actual == $expect ]] || log_error "decimal int literal not recognized" "$expect" "$actual"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++expect=14
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++actual=$(env SHLVL='013' $SHELL -c 'echo $SHLVL')
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++[[ $actual == $expect ]] || log_error "leading zeros int literal not recognized" "$expect" "$actual"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++expect=4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++actual=$(env SHLVL='2#11' $SHELL -c 'echo $SHLVL')
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++[[ $actual == $expect ]] || log_error "base#value int literal not recognized" "$expect" "$actual"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++expect=12
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++actual=$(env SHLVL='16#B' $SHELL -c 'echo $SHLVL')
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++[[ $actual == $expect ]] || log_error "base#value int literal not recognized" "$expect" "$actual"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++expect=1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++actual=$(env SHLVL="2#11+x[\$($bin_echo DANGER WILL ROBINSON >&2)0]" $SHELL -c 'echo $SHLVL')
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++[[ $actual == $expect ]] || log_error "expression allowed on env var import" "$expect" "$actual"
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/shells/ksh93/Portfile b/shells/ksh93/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index 73403fc..9db8cff 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/shells/ksh93/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/shells/ksh93/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -7,7 +7,7 @@ PortGroup github 1.0
</span> epoch 1
github.setup att ast 2012-08-01
name ksh93
<span style='display:block; white-space:pre;background:#ffe0e0;'>-revision 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+revision 1
</span> conflicts ksh ksh-devel pdksh
categories shells
platforms darwin freebsd
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -33,6 +33,8 @@ checksums ast-ksh.$version.tgz \
</span>
extract.mkdir yes
<span style='display:block; white-space:pre;background:#e0ffe0;'>+patchfiles-append ksh-20120801-cve-2019-14868.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> use_configure no
build.cmd bin/package
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/shells/ksh93/files/ksh-20120801-cve-2019-14868.patch b/shells/ksh93/files/ksh-20120801-cve-2019-14868.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..84b95db
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/shells/ksh93/files/ksh-20120801-cve-2019-14868.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,56 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Fix environment variable vulnerability CVE-2019-14868
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+using patch emailed to me by Siteshwar Vashisht.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+https://bugzilla.redhat.com/show_bug.cgi?id=1757324
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Based on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/cmd/ksh93/sh/arith.c.orig
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/cmd/ksh93/sh/arith.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -513,21 +513,34 @@ Sfdouble_t sh_strnum(register const char *str, char** ptr, int mode)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char base=(shp->inarith?0:10), *last;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if(*str==0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if(ptr)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- *ptr = (char*)str;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return(0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- errno = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- d = strtonll(str,&last,&base,-1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if(*last || errno)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if(!last || *last!='.' || last[1]!='.')
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- d = strval(shp,str,&last,arith,mode);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if(!ptr && *last && mode>0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ d = 0.0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ last = (char*)str;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ errno = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ d = strtonll(str,&last,&base,-1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (*last && !shp->inarith && sh_isstate(SH_INIT)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // This call is to handle "base#value" literals if we're importing untrusted env vars.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ errno = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ d = strtonll(str, &last, NULL, -1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if(*last || errno)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (sh_isstate(SH_INIT)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // Initializing means importing untrusted env vars. Since the string does not appear
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // to be a recognized numeric literal give up. We can't safely call strval() since
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // that allows arbitrary expressions which would create a security vulnerability.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ d = 0.0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if(!last || *last!='.' || last[1]!='.')
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ d = strval(shp,str,&last,arith,mode);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if(!ptr && *last && mode>0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else if (!d && *str=='-') {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ d = -0.0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- else if (!d && *str=='-')
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- d = -0.0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if(ptr)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ *ptr = last;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return(d);
</span></pre><pre style='margin:0'>
</pre>