Diffstat (limited to 'meta/recipes-core/ncurses/files/CVE-2023-29491.patch')
-rw-r--r-- | meta/recipes-core/ncurses/files/CVE-2023-29491.patch | 45 |
1 files changed, 45 insertions, 0 deletions
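diff --git a/meta/recipes-core/ncurses/files/CVE-2023-29491.patch b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
new file mode 100644
index 0000000000..0a0497723f
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
@@ -0,0 +1,45 @@
+Backport of:
+
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Change the --disable-root-environ configure option behavior
+By default, the --disable-root-environ option forbids program run by
+the superuser to load custom terminfo entries. This patch changes
+that to only restrict programs running with elevated privileges,
+matching the behavior of the --disable-setuid-environ option
+introduced in the 20230423 upstream patchlevel.
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
+Forwarded: not-needed
+Last-Update: 2023-05-01
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ncurses/6.2-0ubuntu2.1/ncurses_6.2-0ubuntu2.1.debian.tar.xz]
+CVE: CVE-2023-29491
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+
+---
+ncurses/tinfo/access.c | 2 --
+1 file changed, 2 deletions(-)
+
+--- a/ncurses/tinfo/access.c
++++ b/ncurses/tinfo/access.c
+@@ -178,15 +178,16 @@ _nc_is_file_path(const char *path)
+NCURSES_EXPORT(int)
+_nc_env_access(void)
+{
++ int result = TRUE;
++
+#if HAVE_ISSETUGID
+if (issetugid())
+- return FALSE;
++ result = FALSE;
+#elif HAVE_GETEUID && HAVE_GETEGID
+if (getuid() != geteuid()
+|| getgid() != getegid())
+- return FALSE;
++ result = FALSE;
+#endif
+- /* ...finally, disallow root */
+- return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID);
++ return result;
+}
+#endif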
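Review bot: On a build where neither `HAVE_ISSETUGID` nor `HAVE_GETEUID && HAVE_GETEGID` is defined, the patched `_nc_env_access()` returns `TRUE` with no check at all, because the removed root test was the only one outside the `#if`/`#elif`. That fallback should be made explicit, either with a conservative `#else` arm such as `result = (getuid() != ROOT_UID);` or with a comment like `/* no privilege check available here: environment is trusted */`. The `getuid() != geteuid()` comparison also cannot see privilege gained without a uid/gid change (for example file capabilities), which is worth recording in a comment above the `#elif` arm. The final `#endif` closes a conditional opened above the hunk, presumably the one tied to `--disable-root-environ` named in the Description, so the CVE mitigation only exists in builds configured that way; the recipe's configure options are not visible in this section and should be confirmed. The embedded diffstat (`2 --`, `2 deletions(-)`) no longer matches the hunk, which adds five lines and removes four.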