Patch vulnerability CVE-2019-14868

Certain environment variables were interpreted as arithmetic
expressions on startup, leading to code injection.

Ref.:
https://bugzilla.redhat.com/show_bug.cgi?id=1757324
c7de8b6412

(cherry picked from commit ee6b001d0611ad2e00b6da2c2b42051995c0a678)

src/cmd/ksh93/sh/arith.c

@@ -513,21 +513,36 @@ Sfdouble_t sh_strnum(register const char *str, char** ptr, int mode)
 	char base=(shp->inarith?0:10), *last;
 	if(*str==0)
 	{
-		if(ptr)
-			*ptr = (char*)str;
-		return(0);
+		d = 0.0;
+		last = (char*)str;
+	} else {
+		errno = 0;
+		d = strtonll(str,&last,&base,-1);
+		if (*last && !shp->inarith && sh_isstate(SH_INIT)) {
+			/* This call is to handle "base#value" literals if we're importing untrusted env vars. */
+			errno = 0;
+			d = strtonll(str, &last, NULL, -1);
+		}
+
+		if(*last || errno)
+		{
+			if (sh_isstate(SH_INIT)) {
+				/*
+				 * Initializing means importing untrusted env vars. The string does not appear to be
+				 * a recognized numeric literal, so give up. We can't safely call strval(), because
+				 * that allows arbitrary expressions, causing security vulnerability CVE-2019-14868.
+				 */
+				d = 0.0;
+			} else {
+				if(!last || *last!='.' || last[1]!='.')
+					d = strval(shp,str,&last,arith,mode);
+				if(!ptr && *last && mode>0)
+					errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
+			}
+		} else if (!d && *str=='-') {
+			d = -0.0;
+		}
 	}
-	errno = 0;
-	d = strtonll(str,&last,&base,-1);
-	if(*last || errno)
-	{
-		if(!last || *last!='.' || last[1]!='.')
-			d = strval(shp,str,&last,arith,mode);
-		if(!ptr && *last && mode>0)
-			errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
-	}
-	else if (!d && *str=='-')
-		d = -0.0;
 	if(ptr)
 		*ptr = last;
 	return(d);