ncurses: Fix CVE-2023-29491

memory corruption when processing malformed terminfo data entries loaded by setuid/setgid programs CVE-2023-29491.patch change the --disable-root-environ configure option behavior. set --disable-root-environ in configuration options. --disable-root-environ option with a few additional changes to the code allows us to mitigate CVE-2023-29491 and avoid other issues that involve the possibility of malicious use of environment variables through setuid applications, and, therefore, it was the fix chosen in order to resolve this vulnerability. Reference: https://ubuntu.com/security/CVE-2023-29491 https://launchpad.net/ubuntu/+source/ncurses/6.2-0ubuntu2.1 (From OE-Core rev: 041433f0767ae9112f6a74a7d7c93ce9b411792c) Signed-off-by: virendra thakur <virendrak@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: virendra thakur <thakur.virendra1810@gmail.com> 2024-02-06 18:01:04 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-02-16 03:35:51 -1000
commit: fa23359034e1cf72ec09601e18ebcbc3648c3e29 (patch)
tree: f5c5a49dd453a384e461b17adb8bcd27bbf89d70 /meta
parent: eb0915c699fbe86488de172d529f073a30d05b6a (diff)
download: poky-fa23359034e1cf72ec09601e18ebcbc3648c3e29.tar.gz
2 files changed, 47 insertions, 1 deletions
diff --git a/meta/recipes-core/ncurses/files/CVE-2023-29491.patch b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
new file mode 100644
index 0000000000..0a0497723f
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
@@ -0,0 +1,45 @@
+Backport of:
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Change the --disable-root-environ configure option behavior
+ By default, the --disable-root-environ option forbids program run by
+ the superuser to load custom terminfo entries.  This patch changes
+ that to only restrict programs running with elevated privileges,
+ matching the behavior of the --disable-setuid-environ option
+ introduced in the 20230423 upstream patchlevel.
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
+Forwarded: not-needed
+Last-Update: 2023-05-01
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ncurses/6.2-0ubuntu2.1/ncurses_6.2-0ubuntu2.1.debian.tar.xz]
+CVE: CVE-2023-29491
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+ ncurses/tinfo/access.c |    2 --
+ 1 file changed, 2 deletions(-)
+--- a/ncurses/tinfo/access.c
+++ b/ncurses/tinfo/access.c
+@@ -178,15 +178,16 @@ _nc_is_file_path(const char *path)
+ NCURSES_EXPORT(int)
+ _nc_env_access(void)
+ {
+    int result = TRUE;
+
+ #if HAVE_ISSETUGID
+     if (issetugid())
+-       return FALSE;
+       result = FALSE;
+ #elif HAVE_GETEUID && HAVE_GETEGID
+     if (getuid() != geteuid()
+        || getgid() != getegid())
+-       return FALSE;
+       result = FALSE;
+ #endif
+-    /* ...finally, disallow root */
+-    return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID);
+    return result;
+ }
+ #endif
diff --git a/meta/recipes-core/ncurses/ncurses_6.2.bb b/meta/recipes-core/ncurses/ncurses_6.2.bb
index 451bfbcb5d..33285bcb5b 100644
--- a/meta/recipes-core/ncurses/ncurses_6.2.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
@@ -5,11 +5,12 @@ SRC_URI += "file://0001-tic-hang.patch \
           file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \
           file://CVE-2021-39537.patch \
           file://CVE-2022-29458.patch \
+           file://CVE-2023-29491.patch \
           "
 # commit id corresponds to the revision in package version
 SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"
 S = "${WORKDIR}/git"
-EXTRA_OECONF += "--with-abi-version=5"
+EXTRA_OECONF += "--with-abi-version=5 --disable-root-environ"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+(\+\d+)*)"
 # This is needed when using patchlevel versions like 6.1+20181013
author	virendra thakur <thakur.virendra1810@gmail.com>	2024-02-06 18:01:04 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-02-16 03:35:51 -1000
commit	fa23359034e1cf72ec09601e18ebcbc3648c3e29 (patch)
tree	f5c5a49dd453a384e461b17adb8bcd27bbf89d70 /meta
parent	eb0915c699fbe86488de172d529f073a30d05b6a (diff)
download	poky-fa23359034e1cf72ec09601e18ebcbc3648c3e29.tar.gz

diff --git a/meta/recipes-core/ncurses/files/CVE-2023-29491.patch b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch new file mode 100644 index 0000000000..0a0497723f --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
@@ -0,0 +1,45 @@
		1	Backport of:
		2
		3	Author: Sven Joachim <svenjoac@gmx.de>
		4	Description: Change the --disable-root-environ configure option behavior
		5	By default, the --disable-root-environ option forbids program run by
		6	the superuser to load custom terminfo entries. This patch changes
		7	that to only restrict programs running with elevated privileges,
		8	matching the behavior of the --disable-setuid-environ option
		9	introduced in the 20230423 upstream patchlevel.
		10	Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
		11	Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
		12	Forwarded: not-needed
		13	Last-Update: 2023-05-01
		14
		15	Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ncurses/6.2-0ubuntu2.1/ncurses_6.2-0ubuntu2.1.debian.tar.xz]
		16	CVE: CVE-2023-29491
		17	Signed-off-by: Virendra Thakur <virendrak@kpit.com>
		18
		19	---
		20	ncurses/tinfo/access.c \| 2 --
		21	1 file changed, 2 deletions(-)
		22
		23	--- a/ncurses/tinfo/access.c
		24	+++ b/ncurses/tinfo/access.c
		25	@@ -178,15 +178,16 @@ _nc_is_file_path(const char *path)
		26	NCURSES_EXPORT(int)
		27	_nc_env_access(void)
		28	{
		29	+ int result = TRUE;
		30	+
		31	#if HAVE_ISSETUGID
		32	if (issetugid())
		33	- return FALSE;
		34	+ result = FALSE;
		35	#elif HAVE_GETEUID && HAVE_GETEGID
		36	if (getuid() != geteuid()
		37	\|\| getgid() != getegid())
		38	- return FALSE;
		39	+ result = FALSE;
		40	#endif
		41	- /* ...finally, disallow root */
		42	- return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID);
		43	+ return result;
		44	}
		45	#endif


diff --git a/meta/recipes-core/ncurses/ncurses_6.2.bb b/meta/recipes-core/ncurses/ncurses_6.2.bb index 451bfbcb5d..33285bcb5b 100644 --- a/meta/recipes-core/ncurses/ncurses_6.2.bb +++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
@@ -5,11 +5,12 @@ SRC_URI += "file://0001-tic-hang.patch \
5	file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \	5	file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \
6	file://CVE-2021-39537.patch \	6	file://CVE-2021-39537.patch \
7	file://CVE-2022-29458.patch \	7	file://CVE-2022-29458.patch \
		8	file://CVE-2023-29491.patch \
8	"	9	"
9	# commit id corresponds to the revision in package version	10	# commit id corresponds to the revision in package version
10	SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"	11	SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"
11	S = "${WORKDIR}/git"	12	S = "${WORKDIR}/git"
12	EXTRA_OECONF += "--with-abi-version=5"	13	EXTRA_OECONF += "--with-abi-version=5 --disable-root-environ"
13	UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+(\+\d+)*)"	14	UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+(\+\d+)*)"
14		15
15	# This is needed when using patchlevel versions like 6.1+20181013	16	# This is needed when using patchlevel versions like 6.1+20181013