Fix environment variable vulnerability CVE-2019-14868 using patch emailed to me by Siteshwar Vashisht. https://bugzilla.redhat.com/show_bug.cgi?id=1757324 Based on https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2 --- src/cmd/ksh93/sh/arith.c.orig +++ src/cmd/ksh93/sh/arith.c @@ -513,21 +513,34 @@ Sfdouble_t sh_strnum(register const char *str, char** ptr, int mode) char base=(shp->inarith?0:10), *last; if(*str==0) { - if(ptr) - *ptr = (char*)str; - return(0); - } - errno = 0; - d = strtonll(str,&last,&base,-1); - if(*last || errno) - { - if(!last || *last!='.' || last[1]!='.') - d = strval(shp,str,&last,arith,mode); - if(!ptr && *last && mode>0) - errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str); + d = 0.0; + last = (char*)str; + } else { + errno = 0; + d = strtonll(str,&last,&base,-1); + if (*last && !shp->inarith && sh_isstate(SH_INIT)) { + // This call is to handle "base#value" literals if we're importing untrusted env vars. + errno = 0; + d = strtonll(str, &last, NULL, -1); + } + + if(*last || errno) + { + if (sh_isstate(SH_INIT)) { + // Initializing means importing untrusted env vars. Since the string does not appear + // to be a recognized numeric literal give up. We can't safely call strval() since + // that allows arbitrary expressions which would create a security vulnerability. + d = 0.0; + } else { + if(!last || *last!='.' || last[1]!='.') + d = strval(shp,str,&last,arith,mode); + if(!ptr && *last && mode>0) + errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str); + } + } else if (!d && *str=='-') { + d = -0.0; + } } - else if (!d && *str=='-') - d = -0.0; if(ptr) *ptr = last; return(d);