-----Original Message-----
From: Marek Vasut <ma...@denx.de> 
Sent: Monday, October 9, 2023 21:28
To: Marko, Peter (ADV D EU SK BFS1) <peter.ma...@siemens.com>; 
richard.pur...@linuxfoundation.org
Cc: Alexandre Belloni <alexandre.bell...@bootlin.com>; st...@sakoman.com; 
openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
<snip>
> >>>>
> >>>> Should the patch add a CVE_STATUS entry as well so the cve tooling can 
> >>>> tell we've mitigated this?
> >>>
> >>> ncurses 6.4 is not affected and not shown in CVE report, not sure why 
> >>> this is submitted for master.
> >>> Peter
> >>
> >> Just wanted to make sure the configuration is consistent across all the 
> >> releases.
> > 
> > I think that the commit message should be changed.
> > It's misleading when it only says that it mitigates already fixed CVE.
>
> Will do, how does this sound:
>
> "
>      ncurses: disallow loading of custom terminfo entries in setuid/setgid 
> programs
>
>      Configure with "--disable-root-environ" to disallow loading of
>      custom terminfo entries in setuid/setgid programs. This is related
>      to CVE-2023-29491, even though CVE-2023-29491 itself is fixed in
>      this OE release by a backport patch.
>
>      This is taken from debian:
>  
> https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac

Parent commit - 
https://salsa.debian.org/debian/ncurses/-/commit/93a383681e3da9f385536f9bc98266c5dd7e42cf

> "
> 
> ?

The commit message seems to be fine now, but...

...looking at Debian, they first changed the behavior of the "--disable-root-environ"
option via a custom patch and only afterwards used it.
Since Yocto is not changing the behavior of this option, it is probably the wrong
thing to enable it by default.
This would need a much deeper analysis imho, for all three branches where this
is submitted.

Peter