On 10/9/23 18:44, Richard Purdie wrote:
On Mon, 2023-10-09 at 18:31 +0200, Marek Vasut wrote:
Configure with "--disable-root-environ" to disallow loading of
custom terminfo entries in setuid/setgid programs, mitigating the
impact of CVE-2023-29491.
This is taken from Debian:
https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac
Signed-off-by: Marek Vasut <ma...@denx.de>
---
Cc: Alexandre Belloni <alexandre.bell...@bootlin.com>
Cc: Richard Purdie <richard.pur...@linuxfoundation.org>
---
meta/recipes-core/ncurses/ncurses.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-core/ncurses/ncurses.inc
b/meta/recipes-core/ncurses/ncurses.inc
index 367f3b19f4..1bc07ec2d4 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -87,6 +87,7 @@ ncurses_configure() {
--enable-sigwinch \
--enable-pc-files \
--disable-rpath-hack \
+ --disable-root-environ \
${EXCONFIG_ARGS} \
--with-manpage-format=normal \
--without-manpage-renames \
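Review bot: the new `--disable-root-environ \` line carries no CVE_STATUS entry and no comment tying it to CVE-2023-29491, so the cve-check tooling will keep reporting that CVE as open in ncurses even though this configure change is meant to mitigate it; consider adding a CVE_STATUS entry for CVE-2023-29491 in ncurses.inc alongside this hunk, with the reason stating that this is a mitigation (custom terminfo entries are no longer loaded in setuid/setgid programs) rather than the upstream fix, so a later backport of the real fix knows to replace it.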
Should the patch add a CVE_STATUS entry as well so the cve tooling can
tell we've mitigated this?
I think I will try to backport the actual fix for this CVE from
Kirkstone first.
View/Reply Online (#188864):
https://lists.openembedded.org/g/openembedded-core/message/188864