Your message dated Tue, 14 Jul 2020 02:45:15 +0000 with message-id <[email protected]> and subject line Bug#767935: fixed in ksh 2020.0.0+really93u+20120801-8 has caused the Debian Bug report #767935, regarding ksh: bad parsing of command line to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
767935: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767935
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ksh
Version: 93u+20120801-1
Severity: normal

Dear Maintainer,

When the encoding as set by LANG is UTF8 and non-valid UTF-8 is passed
in the command line, ksh fails to parse it correctly and may actually
leak internal data.

The following Perl script generates a test case and runs it with pdksh
(which generates the expected output) and ksh (which doesn't):

-------- ksh_bug.pl -----------
#!/usr/bin/perl

my $string = "'\x82'" . q|\'' ~{'|;

$| = 1;
$ENV{LANG} = 'en_US.UTF-8';

print "string: $string\n";
print "\npdksh: ";
system pdksh => -c => "printf '%s' $string";
print "\nksh: ";
system ksh => -c => "printf '%s' $string";
print "\nksh(e):";
system ksh => -c => "echo $string";
print "\n\n";
-------------------------------

The output I get on my box is:

# perl ksh_bug.pl
string: ''\'' ~{'
pdksh: ' ~{
ksh: ' ~{/dev/fd/3
ksh(e):' ~{ /dev/fd/3
-------------------------------

Notice the unexpected "/dev/fd/3" data appended into ksh's output.

I have been unable to identify which patterns actually trigger that
bug.

Note that this bug may be exploitable as it is common to pass data from
the outside to commands through the shell.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-23-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ksh depends on:
ii  libc6  2.18-3

ksh recommends no packages.

ksh suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: ksh
Source-Version: 2020.0.0+really93u+20120801-8
Done: Anuradha Weeraman <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ksh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anuradha Weeraman <[email protected]> (supplier of updated ksh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Sun, 12 Jul 2020 10:09:44 -0400
Source: ksh
Architecture: source
Version: 2020.0.0+really93u+20120801-8
Distribution: unstable
Urgency: medium
Maintainer: Anuradha Weeraman <[email protected]>
Changed-By: Anuradha Weeraman <[email protected]>
Closes: 767935
Changes:
 ksh (2020.0.0+really93u+20120801-8) unstable; urgency=medium
 .
   * Fix for segfault when a .paths directory exists in the PATH
   * Bug-fix on input buffer boundary of multibyte characters (Closes: #767935)
   * Added X-AppStream-Ignore=true to ksh.desktop
--- End Message ---
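
The report's trigger is a stray 0x82 byte under a UTF-8 locale, and the changelog attributes the fix to the input buffer boundary of multibyte characters. As an added illustration (not ksh's code and not the Debian patch, neither of which appears on this page), the C code below is a bounds-checked UTF-8 scanner that consumes an invalid or truncated sequence as a single byte and never reads past the end of the buffer; the names `utf8_seq_len` and `scan_utf8` and the sample buffers are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example (hypothetical names, not ksh code). Length of the well-formed
 * UTF-8 sequence at p, or 0 if it is invalid or would extend past end. */
static size_t utf8_seq_len(const unsigned char *p, const unsigned char *end)
{
    size_t need, i;
    unsigned char lo = 0x80, hi = 0xBF;      /* allowed range of 2nd byte */
    if (p >= end) return 0;
    if (p[0] < 0x80) return 1;               /* ASCII */
    if (p[0] >= 0xC2 && p[0] <= 0xDF) need = 2;
    else if (p[0] >= 0xE0 && p[0] <= 0xEF) need = 3;
    else if (p[0] >= 0xF0 && p[0] <= 0xF4) need = 4;
    else return 0;          /* stray continuation (e.g. 0x82) or bad lead */
    if ((size_t)(end - p) < need) return 0;  /* cut off at buffer boundary */
    if (p[0] == 0xE0) lo = 0xA0;             /* reject overlong forms */
    if (p[0] == 0xF0) lo = 0x90;
    if (p[0] == 0xED) hi = 0x9F;             /* reject surrogates */
    if (p[0] == 0xF4) hi = 0x8F;             /* reject > U+10FFFF */
    if (p[1] < lo || p[1] > hi) return 0;
    for (i = 2; i < need; i++)
        if (p[i] < 0x80 || p[i] > 0xBF) return 0;
    return need;
}

/* Walk buf[0..len): return the number of units consumed and store the count
 * of invalid bytes. An invalid byte is one unit, so the cursor always
 * advances by at least 1 and never passes end. */
size_t scan_utf8(const unsigned char *buf, size_t len, size_t *invalid)
{
    const unsigned char *p = buf, *end = buf + len;
    size_t units = 0;
    for (*invalid = 0; p < end; units++) {
        size_t n = utf8_seq_len(p, end);
        if (n == 0) { (*invalid)++; n = 1; }
        p += n;
    }
    return units;
}

/* Constructed samples: the report's Perl string, and a cut-off 3-byte sequence. */
const unsigned char report_bytes[] = {0x27,0x82,0x27,0x5c,0x27,0x27,0x20,0x7e,0x7b,0x27};
const unsigned char truncated[] = {'a', 0xE2, 0x82};
int main(void)
{
    size_t b1, b2, n1 = scan_utf8(report_bytes, sizeof report_bytes, &b1);
    size_t n2 = scan_utf8(truncated, sizeof truncated, &b2);
    printf("report: %zu/%zu invalid; truncated: %zu/%zu invalid\n", b1, n1, b2, n2);
    return 0;
}
```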

