Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/ncurses/files/CVE-2023-29491.patch | 45 | ||||
-rw-r--r-- | meta/recipes-core/ncurses/ncurses_6.2.bb | 3 |
2 files changed, 47 insertions, 1 deletions
diff --git a/meta/recipes-core/ncurses/files/CVE-2023-29491.patch b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch new file mode 100644 index 0000000000..0a0497723f --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | Backport of: | ||
2 | |||
3 | Author: Sven Joachim <svenjoac@gmx.de> | ||
4 | Description: Change the --disable-root-environ configure option behavior | ||
5 | By default, the --disable-root-environ option forbids program run by | ||
6 | the superuser to load custom terminfo entries. This patch changes | ||
7 | that to only restrict programs running with elevated privileges, | ||
8 | matching the behavior of the --disable-setuid-environ option | ||
9 | introduced in the 20230423 upstream patchlevel. | ||
10 | Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29 | ||
11 | Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html | ||
12 | Forwarded: not-needed | ||
13 | Last-Update: 2023-05-01 | ||
14 | |||
15 | Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ncurses/6.2-0ubuntu2.1/ncurses_6.2-0ubuntu2.1.debian.tar.xz] | ||
16 | CVE: CVE-2023-29491 | ||
17 | Signed-off-by: Virendra Thakur <virendrak@kpit.com> | ||
18 | |||
19 | --- | ||
20 | ncurses/tinfo/access.c | 2 -- | ||
21 | 1 file changed, 2 deletions(-) | ||
22 | |||
23 | --- a/ncurses/tinfo/access.c | ||
24 | +++ b/ncurses/tinfo/access.c | ||
25 | @@ -178,15 +178,16 @@ _nc_is_file_path(const char *path) | ||
26 | NCURSES_EXPORT(int) | ||
27 | _nc_env_access(void) | ||
28 | { | ||
29 | + int result = TRUE; | ||
30 | + | ||
31 | #if HAVE_ISSETUGID | ||
32 | if (issetugid()) | ||
33 | - return FALSE; | ||
34 | + result = FALSE; | ||
35 | #elif HAVE_GETEUID && HAVE_GETEGID | ||
36 | if (getuid() != geteuid() | ||
37 | || getgid() != getegid()) | ||
38 | - return FALSE; | ||
39 | + result = FALSE; | ||
40 | #endif | ||
41 | - /* ...finally, disallow root */ | ||
42 | - return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID); | ||
43 | + return result; | ||
44 | } | ||
45 | #endif | ||
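Review bot: The rewritten `_nc_env_access` drops the `/* ...finally, disallow root */` comment without replacing it, so the body no longer says why a root process is now trusted while a set-uid/set-gid one is not; a comment above `int result = TRUE;` such as `/* Refuse environment-derived terminfo paths only when real and effective ids differ; root itself is trusted, matching --disable-setuid-environ. */` would keep that decision visible in access.c. When neither HAVE_ISSETUGID nor HAVE_GETEUID && HAVE_GETEGID is defined, `result` stays TRUE with no check at all, whereas the old code still refused root on that path, so an `#else` branch setting `result = FALSE;` would fail closed there (probably moot on Linux targets, where both are available). The patch's own diffstat, `ncurses/tinfo/access.c | 2 --` and `1 file changed, 2 deletions(-)`, does not match the hunk it carries (6 insertions, 5 deletions), and the leading `Backport of:` line is empty, so the upstream change being backported is not recorded. The `#endif` on the hunk's last line suggests the function sits inside a conditional block whose opening is outside the hunk; if that block is guarded by the root-environ option, the patch has no effect unless the recipe passes `--disable-root-environ`, which this commit does in ncurses_6.2.bb.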
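--- a/meta/recipes-core/ncurses/ncurses_6.2.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
@@ -5,11 +5,12 @@ SRC_URI += "file://0001-tic-hang.patch \
 file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \
 file://CVE-2021-39537.patch \
 file://CVE-2022-29458.patch \
+file://CVE-2023-29491.patch \
 "
 # commit id corresponds to the revision in package version
 SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"
 S = "${WORKDIR}/git"
-EXTRA_OECONF += "--with-abi-version=5"
+EXTRA_OECONF += "--with-abi-version=5 --disable-root-environ"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+(\+\d+)*)"
 
 # This is needed when using patchlevel versions like 6.1+20181013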
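Review bot: The new `--disable-root-environ` in EXTRA_OECONF carries no explanation, and per the patch header the stock 6.2 option on its own also forbids programs run by root from loading custom terminfo entries; only the accompanying CVE-2023-29491.patch narrows that to set-uid/set-gid programs. A comment above the line would record that coupling, e.g. `# --disable-root-environ together with CVE-2023-29491.patch: set-uid/set-gid programs ignore custom terminfo from the environment`. If the patch is ever dropped or stops applying, the flag needs to be revisited with it rather than left in place.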