On 2023-04-18 20:15 -0400, Thomas Dickey wrote:

> On Sat, Apr 15, 2023 at 07:27:45AM -0400, Thomas Dickey wrote:
>> On Sat, Apr 15, 2023 at 09:05:25AM +0200, Sven Joachim wrote:
>> > 
>> > Security boundaries are only crossed for setuid/setgid programs here,
>> > and we probably do not have many setuid binaries linked to libtinfo in
>> > the distribution (on my system, I could not find any).  So I guess you
>> > probably do not want to issue a DSA here, right?
>> > 
>> > Gentoo users have noticed a few problems after upgrading to the 20230408
>> > patchlevel[1,2,3], most notably output of openrc being completely
>> > broken.  While we do not have that particular problem because openrc in
>> 
>> It was already broken (the "(null)" strings come from its misuse of the
>> ncurses interface, which will require fixes in OpenRC).  I'm not going
>> to provide a patch for OpenRC itself - any maintainer should be able to
>> do _that_.
>> 
>> Today I'll put out the fix for zero-parameter tsl, along with similar minor
>> improvements, and if nothing else surfaces, use that as the basis for the
>> security-patch.
>
> I had another fix, which works fine.  Except of course for programs which
> call tparm without actually reading from the terminal database, and don't
> check error returns.  I could digress...

I am happy to reveal the bugs in these non-conforming programs after
the bookworm release, but for now this is too intrusive.  We are about
to release Debian 12 within the next two months.

> ...reflecting on all of this, the low-impact change would be to use the
> --disable-root-environ configure option (possibly --disable-root-access
> as well).

The --disable-root-environ option disables _all_ use of custom terminfo
files by the superuser.  This has some side effects.

- At least one package FTBFS[1] because it runs TERMINFO=… tic under
  fakeroot.

- Rescue mode in the non-graphical Debian installer is broken if
  ncurses-term is not installed.  The installer uses an obscure terminal
  emulator called bogl-bterm which sets TERM=bterm, and if that terminfo
  entry is not found on the target system, it copies it to a temporary
  directory and sets TERMINFO accordingly before chrooting into the
  target system.

- Emacs' term.el package sets TERM=eterm-color and TERMINFO to the
  directory where Emacs ships this terminfo entry.  If ncurses-term is
  not installed, running programs as root is broken.

- The sysadmin can no longer use private terminfo files under
  /root/.terminfo and has to install those into the system database
  instead, where they affect everyone.  This might not always be
  desired.

It is because of such issues that I had proposed a new configure option
that only restricts programs running at elevated privileges[2].

Cheers,
       Sven


1. https://bugs.debian.org/1034644
2. https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00004.html
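
The difference between refusing custom terminfo for the superuser and refusing it only for programs running at elevated privileges can be modelled in a few lines of C. This is an added example, not part of the original e-mail and not ncurses source: the struct, the function names and the sample IDs are hypothetical, and it assumes the root-wide policy also refuses setuid/setgid programs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical model, not ncurses source: the IDs a library can inspect. */
struct ids { uid_t ruid, euid; gid_t rgid, egid; };

static struct ids mk(uid_t ru, uid_t eu, gid_t rg, gid_t eg)
{
    struct ids p = { ru, eu, rg, eg };
    return p;
}

/* Privileges were gained at exec time: real and effective IDs differ. */
static bool is_elevated(struct ids p)
{
    return p.ruid != p.euid || p.rgid != p.egid;
}

/* Root-wide policy: no TERMINFO / ~/.terminfo for uid 0 at all.
 * Assumption: setuid/setgid programs are refused as well. */
static bool allow_root_wide(struct ids p)
{
    return !(p.ruid == 0 || p.euid == 0 || is_elevated(p));
}

/* Narrower policy: only elevated-privilege programs are refused. */
static bool allow_elevated_only(struct ids p)
{
    return !is_elevated(p);
}

int main(void)
{
    /* Constructed cases; uid/gid 1000 and gid 5 are sample values. */
    struct { const char *what; struct ids p; } c[] = {
        { "plain root (fakeroot, rescue shell, Emacs term)", mk(0, 0, 0, 0) },
        { "user running a setuid-root binary", mk(1000, 0, 1000, 1000) },
        { "user running a setgid binary", mk(1000, 1000, 1000, 5) },
        { "ordinary user", mk(1000, 1000, 1000, 1000) },
        { "this process", mk(getuid(), geteuid(), getgid(), getegid()) },
    };
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("%-48s root-wide=%-5s elevated-only=%s\n", c[i].what,
               allow_root_wide(c[i].p) ? "allow" : "deny",
               allow_elevated_only(c[i].p) ? "allow" : "deny");
    return 0;
}
```

Only the first row differs between the two policies: plain root keeps its custom terminfo under the narrower check, while both setuid and setgid cases are refused either way.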
