On 10/9/23 19:27, Marko, Peter wrote:
-----Original Message-----
From: Marek Vasut <ma...@denx.de>
Sent: Monday, October 9, 2023 18:57
To: Marko, Peter (ADV D EU SK BFS1) <peter.ma...@siemens.com>;
richard.pur...@linuxfoundation.org
Cc: Alexandre Belloni <alexandre.bell...@bootlin.com>; st...@sakoman.com;
openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
On 10/9/23 18:51, Marko, Peter wrote:
-----Original Message-----
From: openembedded-core@lists.openembedded.org
<openembedded-core@lists.openembedded.org> On Behalf Of Richard Purdie
via lists.openembedded.org
Sent: Monday, October 9, 2023 18:44
To: Marek Vasut <ma...@denx.de>; st...@sakoman.com;
openembedded-core@lists.openembedded.org
Cc: Alexandre Belloni <alexandre.bell...@bootlin.com>
Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
On Mon, 2023-10-09 at 18:31 +0200, Marek Vasut wrote:
Configure with "--disable-root-environ" to disallow loading of
custom terminfo entries in setuid/setgid programs, mitigating the
impact of CVE-2023-29491.
This is taken from debian:
https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef03
9b
8780d51cd09bd5a08ac
Signed-off-by: Marek Vasut <ma...@denx.de>
---
Cc: Alexandre Belloni <alexandre.bell...@bootlin.com>
Cc: Richard Purdie <richard.pur...@linuxfoundation.org>
---
meta/recipes-core/ncurses/ncurses.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-core/ncurses/ncurses.inc
b/meta/recipes-core/ncurses/ncurses.inc
index 367f3b19f4..1bc07ec2d4 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -87,6 +87,7 @@ ncurses_configure() {
--enable-sigwinch \
--enable-pc-files \
--disable-rpath-hack \
+ --disable-root-environ \
${EXCONFIG_ARGS} \
--with-manpage-format=normal \
--without-manpage-renames \
Should the patch add a CVE_STATUS entry as well so the cve tooling can tell
we've mitigated this?
ncurses 6.4 is not affected and not shown in CVE report, not sure why this is
submitted for master.
Peter
Just wanted to make sure the configuration is consistent across all the
releases.
I think that the commit message should be changed.
It's misleading when it only says that it mitigates already fixed CVE.
Will do, how does this sound:
"
ncurses: disallow loading of custom terminfo entries in
setuid/setgid programs
Configure with "--disable-root-environ" to disallow loading of
custom terminfo entries in setuid/setgid programs. This is related
to CVE-2023-29491, even though CVE-2023-29491 itself is fixed in
this OE release by a backport patch.
This is taken from debian:
https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac
"
?
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188863):
https://lists.openembedded.org/g/openembedded-core/message/188863
Mute This Topic: https://lists.openembedded.org/mt/101856335/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-