On 2023-04-18 20:15 -0400, Thomas Dickey wrote: > On Sat, Apr 15, 2023 at 07:27:45AM -0400, Thomas Dickey wrote: >> On Sat, Apr 15, 2023 at 09:05:25AM +0200, Sven Joachim wrote: >> > >> > Security boundaries are only crossed for setuid/setgid programs here, >> > and we probably do not have many setuid binaries linked to libtinfo in >> > the distribution (on my system, I could not find any). So I guess you >> > probably do not want to issue a DSA here, right? >> > >> > Gentoo users have noticed a few problems after upgrading to the 20230408 >> > patchlevel[1,2,3], most notably output of openrc being completely >> > broken. While we do not have that particular problem because openrc in >> >> It was already broken (the "(null)" strings come from its misuse of the >> ncurses interface, which will require fixes in OpenRC). I'm not going >> to provide a patch for OpenRC itself - any maintainer should be able to >> do _that_. >> >> Today I'll put out the fix for zero-parameter tsl, along with similar minor >> improvements, and if nothing else surfaces, use that as the basis for the >> security-patch. > > I had another fix, which works fine. Except of course for programs which > call tparm without actually reading from the terminal database, and don't > check error returns. I could digress...
I am happy to reveal the bugs in theses non-conforming programs after the bookworm release, but for now this is too intrusive. We are about to release Debian 12 within the next two months. > ...reflecting on all of this, the low-impact change would be to use the > --disable-root-environ configure option (possibly --disable-root-access > as well). The --disable-root-environ option disables _all_ use of custom terminfo files by the superuser. This has some side effects. - At least one package FTBFS[1] because it runs TERMINFO=… tic under fakeroot. - Rescue mode in the non-graphical Debian installer is broken if ncurses-term is not installed. The installer uses an obscure terminal emulator called bogl-bterm which sets TERM=bterm, and if that terminfo entry is not found on the target system, it copies it to a temporary directory and sets TERMINFO accordingly before chrooting into the target system. - Emacs' term.el package sets TERM=eterm-color and TERMINFO to the directory where Emacs ships this terminfo entry. If ncurses-term is not installed, running programs as root is broken. - The sysadmin can no longer use private terminfo files under /root/.terminfo and has to install those into the system database instead, where they affect everyone. This might not always be desired. It is because of such issues that I had proposed a new configure option that only restricts programs running at elevated privileges[2]. Cheers, Sven 1. https://bugs.debian.org/1034644 2. https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00004.html