[manjaro-security] [ASA-202002-4] ksh: arbitrary command execution

Morten Linderud foxboron at archlinux.org
Wed Feb 12 22:44:30 CET 2020


Arch Linux Security Advisory ASA-202002-4
=========================================

Severity: High
Date    : 2020-02-08
CVE-ID  : CVE-2019-14868
Package : ksh
Type    : arbitrary command execution
Remote  : No
Link    : https://security.archlinux.org/AVG-1095

Summary
=======

The package ksh before version 2020.0.0-2 is vulnerable to arbitrary
command execution.

Resolution
==========

Upgrade to 2020.0.0-2.

# pacman -Syu "ksh>=2020.0.0-2"

The problem has been fixed upstream but no release is available yet.
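An added check, not part of this advisory or of Arch's own tooling, that assumes the installed version is read from `pacman -Q ksh` (for example `ksh 2020.0.0-1`) and compared in pacman's epoch:pkgver-pkgrel order. Because the fix shipped as a packaging revision while upstream has no release, a check that looks only at the upstream version 2020.0.0 would wrongly treat 2020.0.0-1 as patched.

```python
# Added example (not from the advisory): is the installed ksh older than the
# fixed 2020.0.0-2? Assumes the version comes from `pacman -Q ksh` output such
# as "ksh 2020.0.0-1"; the ordering only approximates pacman's vercmp.
import re
import subprocess

FIXED_VERSION = "2020.0.0-2"  # fixed package version named in ASA-202002-4


def version_key(version):
    """Map 'epoch:pkgver-pkgrel' to a tuple ordered like pacman's vercmp.

    Numeric segments compare as integers (2020.0.10 > 2020.0.9) and rank above
    alphabetic ones; epoch and pkgrel get their own slots in the tuple.
    """
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    pkgrel = ()
    if "-" in version:
        version, rel = version.rsplit("-", 1)
        pkgrel = tuple(int(p) for p in rel.split("."))
    segments = tuple(
        (1, int(seg)) if seg.isdigit() else (0, seg)
        for seg in re.findall(r"\d+|[A-Za-z]+", version)
    )
    return (epoch, segments, pkgrel)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts before the fixed one."""
    return version_key(installed) < version_key(fixed)


def parse_pacman_q(line):
    """Split a `pacman -Q` line such as 'ksh 2020.0.0-1' into (name, version)."""
    return tuple(line.split()[:2])


def check_host():
    """Query pacman on this host; None if pacman is absent or ksh not installed."""
    try:
        out = subprocess.run(["pacman", "-Q", "ksh"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return is_vulnerable(parse_pacman_q(out)[1])


if __name__ == "__main__":
    sample = "ksh 2020.0.0-1"  # constructed stand-in for real pacman output
    print(sample, "vulnerable" if is_vulnerable(parse_pacman_q(sample)[1]) else "fixed")
```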

Workaround
==========

None.

Description
===========

A flaw was found in ksh version 2020.0.0 in the evaluation of certain
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Services and
applications that allow remote unauthenticated attackers to provide one
of those environment variables could allow them to exploit this issue
remotely.

Impact
======

An attacker is able to execute arbitrary commands that are blacklisted
on the affected host.

References
==========

https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2
https://security.archlinux.org/CVE-2019-14868