FS#78578 - [ncurses] CVE-2023-29491

Attached to Project: Arch Linux
Opened by T.J. Townsend (blakkheim) - Tuesday, 23 May 2023, 14:34 GMT
Last edited by T.J. Townsend (blakkheim) - Saturday, 03 June 2023, 17:04 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To David Runge (dvzrv)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
The ncurses package is currently vulnerable to CVE-2023-29491.

Due to the strange/closed nature of ncurses' development, there is no one single commit to backport to the current release. The two choices are as follows:

Backport this huge commit with unrelated changes:

https://github.com/ThomasDickey/ncurses-snapshots/commit/a6d3f92bb5bba1a71c7c3df39497abbe5fe999ff

Or, what I propose, simply add "--disable-root-environ" to the configure arguments. (diff attached)

Debian's security tracker says: "6.4-3 upload configures with '--disable-root-environ' to disallow loading of custom terminfo entries in setuid/setgid programs, mitigating the impact of the vulnerability."

Closed by  T.J. Townsend (blakkheim)
Saturday, 03 June 2023, 17:04 GMT
Reason for closing:  Fixed
Comment by loqs (loqs) - Tuesday, 23 May 2023, 15:10 GMT
Debian converted --disable-root-environ to be functionally equivalent to --disable-setuid-environ [1][2], which was not available in the release Debian was backporting to. Adding --disable-root-environ without the Debian patch is a more restrictive approach than Debian chose. The configure script also needs a patch to fix the reversal of --disable-root-access and --disable-root-environ [3].
A third option, and this appears to be the only one not requiring using patches, is to use --disable-setuid-environ.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#34
[2] https://sources.debian.org/src/ncurses/6.4-4/debian/patches/debian-env-access.diff/
[3] https://sources.debian.org/src/ncurses/6.4-4/debian/patches/fix-configure-root-args-option.diff/
Comment by David Runge (dvzrv) - Tuesday, 23 May 2023, 17:13 GMT
Thanks, will look into it!
Comment by David Runge (dvzrv) - Tuesday, 23 May 2023, 17:19 GMT
Please check whether 6.4-2 in [core-testing] fixes this issue.
Comment by David Runge (dvzrv) - Tuesday, 23 May 2023, 18:41 GMT
I just noticed that `--disable-setuid-environ` only becomes available with the patch level and I guess we either go the route of Debian to patch `--disable-root-environ` to become equivalent to (the new) `--disable-setuid-environ` or we use the patch level and the new option.

I think I'll opt for blakkheim's initial proposal (and what Debian is doing currently).
Comment by loqs (loqs) - Tuesday, 23 May 2023, 20:03 GMT
Attached is a replacement for Debian's fix-configure-root-args-option.diff, but applied directly to configure, as it can not be regenerated for configure.in.
After application with disable-root-access, include/ncurses_cfg.h does not contain a define for USE_ROOT_ACCESS; it does contain #define USE_ROOT_ENVIRON 1,
which should mean the _nc_env_access patched by debian-env-access.diff is used.
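
The header check described in the comment above, as an added example (not part of the thread, ncurses, or the Arch packaging): a shell function that compares the configure flags passed with the macros present in include/ncurses_cfg.h, so a reversed option is caught before the package ships. The function names and the sample headers are constructed, and the check assumes both options count as enabled (macro defined) unless disabled.

```shell
#!/bin/sh
# Added example: confirm that --disable-root-access / --disable-root-environ
# actually removed the matching macro from the generated ncurses_cfg.h.
# Macro names are the ones quoted in the thread; everything else is hypothetical.

# has_define FILE MACRO: succeeds if FILE contains "#define MACRO".
has_define() {
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# check_cfg FILE [configure flags...]
# Prints one line per mismatch and returns the number of mismatches.
check_cfg() {
    cfg=$1; shift
    bad=0
    for pair in root-access:USE_ROOT_ACCESS root-environ:USE_ROOT_ENVIRON; do
        opt=${pair%%:*}
        macro=${pair#*:}
        # Assumption: the macro is defined unless the option was disabled.
        want=defined
        case " $* " in *" --disable-$opt "*) want=absent ;; esac
        if has_define "$cfg" "$macro"; then got=defined; else got=absent; fi
        if [ "$want" != "$got" ]; then
            echo "MISMATCH: $macro is $got, expected $want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample headers (not real build output).
make_samples() {
    dir=$(mktemp -d)
    # State reported in the thread for --disable-root-access after the fix.
    printf '%s\n' '/* constructed */' '#define USE_ROOT_ENVIRON 1' > "$dir/fixed.h"
    # Reversed handling: the other macro was dropped instead.
    printf '%s\n' '/* constructed */' '#define USE_ROOT_ACCESS 1' > "$dir/reversed.h"
    echo "$dir"
}

samples=$(make_samples)
check_cfg "$samples/reversed.h" --disable-root-access || echo "$? mismatch(es)"
rm -rf "$samples"
```

In a package build this would run against the real include/ncurses_cfg.h right after configure, with the same flag list, and fail the build on a non-zero return.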
Comment by David Runge (dvzrv) - Tuesday, 23 May 2023, 20:07 GMT
As all of the above proved painful at best I opted for updating to the latest patchset instead.
Please check if 6.4_20230520-1 in [core-testing] works alright.
Comment by T.J. Townsend (blakkheim) - Tuesday, 23 May 2023, 20:12 GMT
I tried a few ncurses-using programs with it and didn't notice any issues. Signed off.
Comment by loqs (loqs) - Tuesday, 23 May 2023, 20:27 GMT
With the latest patchset --disable-setuid-environ was available. I can reproduce the reported breakage [1] --disable-root-environ causes by building the AUR package fbterm [2][3].
Edit:
I missed you had all of --disable-root-access --disable-root-environ and --disable-setuid-environ set.
fbterm can build with --disable-root-environ removed with --disable-root-access and --disable-setuid-environ still set.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
[2] https://aur.archlinux.org/packages/fbterm
[3] fbterm-1.7_5-5-x86_64-package.log
Comment by David Runge (dvzrv) - Wednesday, 24 May 2023, 19:11 GMT
It seems we run into a bunch of regressions: https://bugs.archlinux.org/task/78585 and https://bugs.archlinux.org/task/78584

I may remove the current fix from [testing] again and try the route of ncurses 6.4 + `--disable-root-access` + `--disable-root-environ`.
What a mess.... /o\
Comment by Christian Hesse (eworm) - Friday, 26 May 2023, 15:53 GMT
I fixed tmux yesterday... That should be fine now.
Comment by T.J. Townsend (blakkheim) - Saturday, 03 June 2023, 15:04 GMT
I wasn't able to reproduce the vim bug and the reporter there hasn't responded. tmux is fixed. What's the status now?
Comment by David Runge (dvzrv) - Saturday, 03 June 2023, 16:50 GMT
@blakkheim: Thanks for looking into that! Given that there have been no further issues (AFAIK), I'm inclined to just move it now.
