Gentoo Forums
[ GLSA 201511-01 ] MirBSD Korn Shell
Author: GLSA

Posted: Mon Nov 02, 2015 5:26 pm    Post subject: [ GLSA 201511-01 ] MirBSD Korn Shell

Gentoo Linux Security Advisory

Title: MirBSD Korn Shell: Arbitrary code execution (GLSA 201511-01)
Severity: normal
Exploitable: local
Date: November 02, 2015
Bug(s): #524414
ID: 201511-01

Synopsis

An attacker who already had access to the environment could
append values to parameters passed through programs.


Background

MirBSD Korn Shell is an actively developed free implementation of the
Korn Shell programming language and a successor to the Public Domain Korn
Shell.


Affected Packages

Package: app-shells/mksh
Vulnerable: < 50c
Unaffected: >= 50c
Architectures: All supported architectures


Description

Improper sanitisation of environment import allows values to be
appended to passed parameters.


Impact

An attacker who already had access to the environment could thereby
append values to parameters passed through programs (including sudo(8)
or setuid programs) to shell scripts, including indirectly, even after
those programs had attempted to sanitise the environment, e.g.
invalidating the last $PATH component.


Workaround

There is no known workaround at this time.

Resolution

All mksh users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/mksh-50c"


References


mksh R50c released, security fix
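
The following is an added example, not part of the advisory or of Gentoo's tooling: a POSIX shell check that classifies app-shells/mksh versions against the advisory's boundary (vulnerable below 50c, unaffected from 50c). The function names, host names and inventory lines are constructed for illustration, and the version parsing assumes the simple number, optional letter, optional -rN form.

```sh
# Added example: triage mksh versions against GLSA 201511-01.
# From the advisory: app-shells/mksh < 50c is vulnerable, >= 50c is unaffected.
FIXED_NUM=50
FIXED_LETTER=c

# mksh_is_vulnerable VERSION
# Accepts "50b", "50c-r1" or "app-shells/mksh-50b".
# Returns 0 if below 50c, 1 if 50c or newer, 2 if the version cannot be parsed.
mksh_is_vulnerable() {
    ver=${1#app-shells/mksh-}     # strip the package atom prefix if present
    ver=${ver%%-r[0-9]*}          # strip a Gentoo revision suffix (-r1)
    num=${ver%%[!0-9]*}           # leading digits: the release number
    letter=${ver#"$num"}          # what is left: optional patch letter
    case $num in '') return 2 ;; esac
    case $letter in ''|[a-z]) ;; *) return 2 ;; esac
    if [ "$num" -lt "$FIXED_NUM" ]; then return 0; fi
    if [ "$num" -gt "$FIXED_NUM" ]; then return 1; fi
    # Same release number: a bare "50" sorts before any lettered release.
    if [ -z "$letter" ]; then return 0; fi
    if LC_ALL=C expr "x$letter" \< "x$FIXED_LETTER" >/dev/null; then return 0; fi
    return 1
}

# audit_inventory: reads "host version" lines on stdin and reports the
# hosts that need the upgrade (UPGRADE) or a manual look (UNKNOWN).
audit_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        rc=0
        mksh_is_vulnerable "$ver" || rc=$?
        case $rc in
            0) echo "$host $ver UPGRADE" ;;
            2) echo "$host $ver UNKNOWN" ;;
        esac
    done
    return 0
}

# Constructed inventory (hypothetical host names, not from the advisory).
audit_inventory <<'EOF'
build01 app-shells/mksh-50b
web02 50c
db03 46
edge04 50c-r1
lab05 52c
old06 50
ci07 live-9999
EOF
```

On a Gentoo host the installed version string can be taken from a package query such as `qlist -Iv app-shells/mksh` (portage-utils) and passed to `mksh_is_vulnerable`.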