Mirror of git://git.code.sf.net/p/cdesktopenv/code (synced 2025-03-09 15:50:02 +00:00)
Patch vulnerability CVE-2019-14868
Certain environment variables were interpreted as arithmetic
expressions on startup, leading to code injection.
Ref.:
https://bugzilla.redhat.com/show_bug.cgi?id=1757324
c7de8b6412
(cherry picked from commit ee6b001d0611ad2e00b6da2c2b42051995c0a678)
parent c1dae413d2
commit 593a5a8b7f
3 changed files with 57 additions and 14 deletions
4
NEWS
|
@ -10,6 +10,10 @@ Any uppercase BUG_* names are modernish shell bug IDs.
|
|||
'<#pattern'. The bug was caused by out-of-sync streams.
|
||||
Details and discussion: https://github.com/att/ast/issues/61
|
||||
|
||||
- Patched code injection vulerability CVE-2019-14868. As a result, you can
|
||||
no longer use expressions in imported numeric environment variables; only
|
||||
integer literals are allowed.
|
||||
|
||||
2020-05-20:
|
||||
|
||||
- Fix BUG_ISSETLOOP. Expansions like ${var+set} remained static when used
|
||||
|
|
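Review bot: The first added line of the NEWS entry misspells "vulnerability" as "vulerability"; fix the spelling so that a search of NEWS for the CVE and the word "vulnerability" finds this entry. The entry also says only that expressions are no longer usable and that "only integer literals are allowed" in imported numeric environment variables. It should state what the shell now does with a value that is not an integer literal (for example whether it is ignored or rejected), because scripts that relied on the old behaviour need to know how the failure shows up. Since the entry is inserted above the "2020-05-20:" heading and the hunk does not show the heading it falls under, please confirm it sits under the intended date.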