mksh version R50c fixes a security issue. Excerpt from ChangeLog [1]: ... [tg] SECURITY: do not permit += from environment ... Upstream commit is at [2] [1]: https://www.mirbsd.org/mksh.htm#clog [2]: https://github.com/MirBSD/mksh/commit/de53d2df1c3b812c262cc1bddbfe0b3bfc25c14b
Created mksh tracking bugs for this issue: Affects: fedora-all [bug 1149627]
Is this issue now worth a CVE even upstream was initially told that it is too minor? Or is this going to be just a RHBZ without CVE?
(In reply to Vasyl Kaigorodov from comment #1) > Affects: fedora-all [bug 1149627] IMHO an epel-5 tracking bug is missing, however I now used the fedora-all for EL-5 (the updates are anyway in testing since last week). And this issue should also affect RHEL 7 but not RHEL 6 if not mistaken (I don't see any reference as of writing).
(In reply to Robert Scheck from comment #2) > Is this issue now worth a CVE even upstream was initially told that it is too > minor? Or is this going to be just a RHBZ without CVE? Robert, do you have a link to the thread where upstream was told this handy? I did not check sources thoroughly, thus not sure what the possible impact here (looks Low-to-nothing for me right now). If it was some private communication - please let me know, I will post a CVE request to oss-sec, and we will see where it gets then.
(In reply to Vasyl Kaigorodov from comment #4) > Robert, do you have a link to the thread where upstream was told this handy? > I did not check sources thoroughly, thus not sure what the possible impact > here (looks Low-to-nothing for me right now). > > If it was some private communication - please let me know, I will post a CVE > request to oss-sec, and we will see where it gets then. This question results from a discussion of mine with upstream once I was told about the update. I hope I didn't get upstream wrong (if so, I am sorry), but https://www.mirbsd.org/permalinks/wlog-10_e20141003-tg.htm (which is the blog of upstream) seems to confirm my state of information in general at least. If I get the IRC backlog right the developer is unavailable today thus I can not ask for a clarification or details for the moment.
mksh-50c-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mksh-50c-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
mksh-50c-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
mksh-50c-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
It seems this issue was only introduced via the following commit, which adds support for += syntax: https://github.com/MirBSD/mksh/commit/4345dd1fb8e3b51195d8bd260c563a697182d304 Based on the git tags, only version R40b can be affected. The version in Red Hat Enterprise Linux 6 is 39 and unaffected. There's currently no plan to backport the fix to Red Hat Enterprise Linux 7 packages.