Bug#1035351: [pre-approval] unblock: ncurses/6.4-3

2023-05-07 Thread Sven Joachim
Control: reopen -1
Control: tags -1 - confirmed moreinfo
Control: retitle -1 unblock: ncurses/6.4-4

On 2023-05-07 15:28 +0200, Paul Gevers wrote:

> Hi,
>
> On 01-05-2023 18:32, Sven Joachim wrote:
>> I would like to address CVE-2023-29491[1] aka bug #1034372[2] in
>> Bookworm.
>
> unblocked and aged.

Thanks, unfortunately this upload uncovered an old but hitherto hidden
bug in the build system that would lead to random build failures after
patching configure.in, see #1035621.  It is only by chance that none of
the three arches where ncurses 6.4-3 FTBFS is a release architecture.

To fix that problem I have uploaded ncurses 6.4-4, see the attached
debdiff against 6.4-3.  The good news is that the files in the binary
packages should be identical, except for changelog.Debian.gz of course.

Cheers,
   Sven

diff -Nru ncurses-6.4/debian/autoconf.sh ncurses-6.4/debian/autoconf.sh
--- ncurses-6.4/debian/autoconf.sh	1970-01-01 01:00:00.0 +0100
+++ ncurses-6.4/debian/autoconf.sh	2023-05-07 13:55:21.0 +0200
@@ -0,0 +1,5 @@
+#!/bin/sh
+set -e
+
+autoconf-dickey
+cd test && autoconf-dickey
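Review bot: the script records nothing about why plain `autoconf-dickey` is run instead of `autoreconf-dickey`; that reasoning (autoreconf picking up the quilt backup of configure.in under .pc/) exists only in the changelog entry, so add a one-line comment after `set -e` stating it, since the next person touching the build system will otherwise be tempted to "restore" autoreconf. Also note that `cd test && autoconf-dickey` relies on `set -e` to abort the build if test/ is missing, which is what you want for a source tree that must carry that directory.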
diff -Nru ncurses-6.4/debian/changelog ncurses-6.4/debian/changelog
--- ncurses-6.4/debian/changelog	2023-05-06 17:16:54.0 +0200
+++ ncurses-6.4/debian/changelog	2023-05-07 16:33:47.0 +0200
@@ -1,3 +1,12 @@
+ncurses (6.4-4) unstable; urgency=medium
+
+  * Run autoconf-dickey in the toplevel and test/ directories rather
+than autoreconf-dickey, as the latter picks up the backup file of
+configure.in below the .pc/ directory, which is unwanted and does
+not work (Closes: #1035621).
+
+ -- Sven Joachim   Sun, 07 May 2023 16:33:47 +0200
+
 ncurses (6.4-3) unstable; urgency=medium

   * Configure with "--disable-root-environ" to disallow loading of
diff -Nru ncurses-6.4/debian/rules ncurses-6.4/debian/rules
--- ncurses-6.4/debian/rules	2023-05-01 11:36:38.0 +0200
+++ ncurses-6.4/debian/rules	2023-05-07 13:55:21.0 +0200
@@ -211,7 +211,7 @@

 config.guess-stamp:
 	dh_update_autotools_config
-	dh_autoreconf autoreconf-dickey -- -f -i
+	dh_autoreconf debian/autoconf.sh
 	touch $@

 $(objdir)/config.status: config.guess-stamp
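Review bot: `dh_autoreconf debian/autoconf.sh` executes the named program directly, and a debdiff carries no file modes, so the reviewer cannot see from this hunk whether debian/autoconf.sh has its executable bit set; confirm it does in the uploaded source (dpkg-source preserves modes for files under debian/ in 3.0 (quilt) packages), otherwise config.guess-stamp will fail on every architecture rather than randomly.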


Bug#1035351: [pre-approval] unblock: ncurses/6.4-3

2023-05-06 Thread Sebastian Ramacher
Control: tags -1 moreinfo confirmed

On 2023-05-01 18:32:20 +0200, Sven Joachim wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> Tags: d-i
> X-Debbugs-Cc: ncur...@packages.debian.org, debian-b...@lists.debian.org
> Control: affects -1 + src:ncurses
> 
> I would like to address CVE-2023-29491[1] aka bug #1034372[2] in
> Bookworm.

Please go ahead and remove the moreinfo tag once the version is
available in unstable.

Cheers

> 
> [ Reason ]
> Various memory corruption bugs exist when loading specifically crafted
> terminfo database files.  This is a security problem in programs running
> with elevated privileges, as users are allowed to provide their own
> terminfo files under ${HOME}/.terminfo or via the TERMINFO or
> TERMINFO_DIRS environment variables.
> 
> Backporting the upstream fixes seems to be too risky this late in the
> release process, but via a configure option it is possible to prevent
> setuid/setgid programs from loading custom terminfo files supplied by
> the user, after which the bugs are no longer security relevant.
> 
> [ Impact ]
> Local users could try privilege escalations in setuid/setgid programs
> linked to the tinfo library.  How easily those can be achieved probably
> depends on the program.
> 
> [ Tests ]
> No automatic tests exist.  I have manually verified that programs can no
> longer use custom terminfo files if their effective UID or GID differs
> from the real one.  Also I have verified that the terminfo database in
> the ncurses-{base,term} packages is unchanged from 6.4-2.
> 
> [ Risks ]
> Users who are relying on their own terminfo files under
> ${HOME}/.terminfo can no longer use them in setuid/setgid programs and
> will have to work around that, e.g. by changing their TERM variable,
> using a different terminal emulator or asking their sysadmin for help.
> 
> On my systems I did not find any setuid binaries linked to the tinfo
> library, but some setgid games in the bsdgames package.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> I have slightly edited the debdiff to exclude spurious changes to the
> debian/lib{32,64}tinfo6.symbols files, as these are just symlinks to
> libtinfo6.symbols.  See devscripts bug #773762[3].
> 
> [ Other info ]
> Since ncurses produces udebs, I have CC'ed debian-boot and tagged the
> bug accordingly.  There should be no effect on the installer, as I would
> expect it to run all programs as root.
> 
> Thanks for consideration.
> 
> Cheers,
>Sven
> 
> 
> 1. https://security-tracker.debian.org/tracker/CVE-2023-29491
> 2. https://bugs.debian.org/1034372
> 3. https://bugs.debian.org/773762
> 

> diff -Nru ncurses-6.4/debian/changelog ncurses-6.4/debian/changelog
> --- ncurses-6.4/debian/changelog  2023-01-25 21:21:49.0 +0100
> +++ ncurses-6.4/debian/changelog  2023-05-01 17:57:51.0 +0200
> @@ -1,3 +1,21 @@
> +ncurses (6.4-3) unstable; urgency=medium
> +
> +  * Configure with "--disable-root-environ" to disallow loading of
> +custom terminfo entries in setuid/setgid programs, mitigating the
> +impact of CVE-2023-29491 (see #1034372).
> +- Update the symbols files for the newly exported symbol
> +  _nc_env_access.
> +- New patch fix-configure-root-args-option.diff cherry-picked from
> +  the 20230415 patchlevel, fixing a copy/paste error which caused
> +  the "--disable-root-environ" configure option to pick up code
> +  meant to be used by the "--disable-root-args" option instead.
> +- New patch debian-env-access.diff, changing the behavior of the
> +  "--disable-root-environ" configure option to not restrict programs
> +  run by the superuser, equivalent to the "--disable-setuid-environ"
> +  option introduced in the 20230423 patchlevel.
> +
> + -- Sven Joachim   Mon, 01 May 2023 17:57:51 +0200
> +
>  ncurses (6.4-2) unstable; urgency=medium
> 
>* Add Breaks against vim-common (<< 2:9.0.1000-2) to ncurses-base
> diff -Nru ncurses-6.4/debian/libtinfo5.symbols 
> ncurses-6.4/debian/libtinfo5.symbols
> --- ncurses-6.4/debian/libtinfo5.symbols  2023-01-22 17:54:52.0 
> +0100
> +++ ncurses-6.4/debian/libtinfo5.symbols  2023-05-01 11:36:38.0 
> +0200
> @@ -95,6 +95,7 @@
>   _nc_curr_col@NCURSES_TINFO_5.0.19991023 6
>   _nc_curr_line@NCURSES_TINFO_5.0.19991023 6
>   _nc_doalloc@NCURSES_TINFO_5.0.19991023 6
> + _nc_env_access@NCURSES_TINFO_5.2.20001021 6.4-3~
>   _nc_err_abort@NCURSES_TINFO_5.0.19991023 6
>   _nc_fallback@NCURSES_TINFO_5.0.19991023 6
>   _nc_find_entry@NCURSES_TINFO_5.0.19991023 6
> diff -Nru ncurses-6.4/debian/libtinfo6.symbols 
> ncurses-6.4/debian/libtinfo6.symbols
> --- ncurses-6.4/debian/libtinfo6.symbols  2023-01-22 17:54:52.0 
> +0100
> +++ ncurses-6.4/debian/libtinfo6.symbols  2023-05-01 

Bug#1035351: [pre-approval] unblock: ncurses/6.4-3

2023-05-01 Thread Cyril Brulebois
Hello Sven,

Sven Joachim  (2023-05-01):
> [ Other info ]
> Since ncurses produces udebs, I have CC'ed debian-boot and tagged the
> bug accordingly.  There should be no effect on the installer, as I
> would expect it to run all programs as root.

While I have never looked closely, that assessment seems very plausible
to me; based on this, no objections on the d-i side.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#1035351: [pre-approval] unblock: ncurses/6.4-3

2023-05-01 Thread Sven Joachim
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Tags: d-i
X-Debbugs-Cc: ncur...@packages.debian.org, debian-b...@lists.debian.org
Control: affects -1 + src:ncurses

I would like to address CVE-2023-29491[1] aka bug #1034372[2] in
Bookworm.

[ Reason ]
Various memory corruption bugs exist when loading specifically crafted
terminfo database files.  This is a security problem in programs running
with elevated privileges, as users are allowed to provide their own
terminfo files under ${HOME}/.terminfo or via the TERMINFO or
TERMINFO_DIRS environment variables.

Backporting the upstream fixes seems to be too risky this late in the
release process, but via a configure option it is possible to prevent
setuid/setgid programs from loading custom terminfo files supplied by
the user, after which the bugs are no longer security relevant.

[ Impact ]
Local users could try privilege escalations in setuid/setgid programs
linked to the tinfo library.  How easily those can be achieved probably
depends on the program.

[ Tests ]
No automatic tests exist.  I have manually verified that programs can no
longer use custom terminfo files if their effective UID or GID differs
from the real one.  Also I have verified that the terminfo database in
the ncurses-{base,term} packages is unchanged from 6.4-2.

[ Risks ]
Users who are relying on their own terminfo files under
${HOME}/.terminfo can no longer use them in setuid/setgid programs and
will have to work around that, e.g. by changing their TERM variable,
using a different terminal emulator or asking their sysadmin for help.

On my systems I did not find any setuid binaries linked to the tinfo
library, but some setgid games in the bsdgames package.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

I have slightly edited the debdiff to exclude spurious changes to the
debian/lib{32,64}tinfo6.symbols files, as these are just symlinks to
libtinfo6.symbols.  See devscripts bug #773762[3].

[ Other info ]
Since ncurses produces udebs, I have CC'ed debian-boot and tagged the
bug accordingly.  There should be no effect on the installer, as I would
expect it to run all programs as root.

Thanks for consideration.

Cheers,
   Sven


1. https://security-tracker.debian.org/tracker/CVE-2023-29491
2. https://bugs.debian.org/1034372
3. https://bugs.debian.org/773762

diff -Nru ncurses-6.4/debian/changelog ncurses-6.4/debian/changelog
--- ncurses-6.4/debian/changelog	2023-01-25 21:21:49.0 +0100
+++ ncurses-6.4/debian/changelog	2023-05-01 17:57:51.0 +0200
@@ -1,3 +1,21 @@
+ncurses (6.4-3) unstable; urgency=medium
+
+  * Configure with "--disable-root-environ" to disallow loading of
+custom terminfo entries in setuid/setgid programs, mitigating the
+impact of CVE-2023-29491 (see #1034372).
+- Update the symbols files for the newly exported symbol
+  _nc_env_access.
+- New patch fix-configure-root-args-option.diff cherry-picked from
+  the 20230415 patchlevel, fixing a copy/paste error which caused
+  the "--disable-root-environ" configure option to pick up code
+  meant to be used by the "--disable-root-args" option instead.
+- New patch debian-env-access.diff, changing the behavior of the
+  "--disable-root-environ" configure option to not restrict programs
+  run by the superuser, equivalent to the "--disable-setuid-environ"
+  option introduced in the 20230423 patchlevel.
+
+ -- Sven Joachim   Mon, 01 May 2023 17:57:51 +0200
+
 ncurses (6.4-2) unstable; urgency=medium

   * Add Breaks against vim-common (<< 2:9.0.1000-2) to ncurses-base
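Review bot: the entry states that debian-env-access.diff is equivalent to upstream's "--disable-setuid-environ" option from the 20230423 patchlevel; it would help future maintenance to record (in the patch header or a changelog note) that the Debian patch is a stopgap to be dropped in favour of that upstream option once a newer patchlevel is packaged, so the behavioural difference from upstream's "--disable-root-environ" (no restriction for the superuser) does not silently persist.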
diff -Nru ncurses-6.4/debian/libtinfo5.symbols ncurses-6.4/debian/libtinfo5.symbols
--- ncurses-6.4/debian/libtinfo5.symbols	2023-01-22 17:54:52.0 +0100
+++ ncurses-6.4/debian/libtinfo5.symbols	2023-05-01 11:36:38.0 +0200
@@ -95,6 +95,7 @@
  _nc_curr_col@NCURSES_TINFO_5.0.19991023 6
  _nc_curr_line@NCURSES_TINFO_5.0.19991023 6
  _nc_doalloc@NCURSES_TINFO_5.0.19991023 6
+ _nc_env_access@NCURSES_TINFO_5.2.20001021 6.4-3~
  _nc_err_abort@NCURSES_TINFO_5.0.19991023 6
  _nc_fallback@NCURSES_TINFO_5.0.19991023 6
  _nc_find_entry@NCURSES_TINFO_5.0.19991023 6
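Review bot: the new `_nc_env_access` line places the symbol in the old `NCURSES_TINFO_5.2.20001021` version node while setting its minimum version to `6.4-3~`; that is consistent with how the neighbouring `_nc_*` symbols are exported here, but confirm that the library's linker map really assigns the symbol to that node, otherwise dpkg-gensymbols will report it under a different node and the build will emit a symbols diff. The `6.4-3~` minimum version is correct, as it makes any package linking against the symbol depend on a libtinfo that actually exports it.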
diff -Nru ncurses-6.4/debian/libtinfo6.symbols ncurses-6.4/debian/libtinfo6.symbols
--- ncurses-6.4/debian/libtinfo6.symbols	2023-01-22 17:54:52.0 +0100
+++ ncurses-6.4/debian/libtinfo6.symbols	2023-05-01 11:36:38.0 +0200
@@ -94,6 +94,7 @@
  _nc_curr_col@NCURSES6_TINFO_5.0.19991023 6
  _nc_curr_line@NCURSES6_TINFO_5.0.19991023 6
  _nc_doalloc@NCURSES6_TINFO_5.0.19991023 6
+ _nc_env_access@NCURSES6_TINFO_5.2.20001021 6.4-3~
  _nc_err_abort@NCURSES6_TINFO_5.0.19991023 6
  _nc_export_termtype2@NCURSES6_TINFO_6.1.20171230 6.1
  _nc_fallback2@NCURSES6_TINFO_6.1.20171230 6.1
diff -Nru ncurses-6.4/debian/patches/debian-env-access.diff
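The policy described in the report above (custom terminfo locations are honoured only when a program's effective UID and GID equal the real ones, and, in the Debian variant, the superuser is not restricted) can be expressed as a small, testable check. The following is an added example written for this thread; it is not ncurses's own `_nc_env_access()` and not the code from debian-env-access.diff. The function names, the static buffer and the lookup order (TERMINFO, then $HOME/.terminfo, then TERMINFO_DIRS, then the compiled-in system directories) are assumptions made for the example.

```c
/* Added example, not ncurses code: models the terminfo environment policy
 * described in Debian bug #1034372 / CVE-2023-29491 mitigation. User-controlled
 * terminfo locations (TERMINFO, ~/.terminfo, TERMINFO_DIRS) are honoured only
 * when the process is not setuid/setgid, i.e. when effective UID and GID equal
 * the real ones. A plain root process is not restricted, matching the Debian
 * variant rather than upstream's --disable-root-environ. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Returns 1 when environment-supplied terminfo paths may be used. */
int terminfo_env_allowed(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid == euid && gid == egid;
}

/* Same check evaluated for the running process. */
int terminfo_env_allowed_self(void)
{
    return terminfo_env_allowed(getuid(), geteuid(), getgid(), getegid());
}

/* Appends dir to the colon-separated list in out; no-op for NULL or "". */
static void append_dir(char *out, size_t outlen, const char *dir)
{
    size_t used;

    if (dir == NULL || dir[0] == '\0')
        return;
    used = strlen(out);
    if (used >= outlen)
        return;
    snprintf(out + used, outlen - used, "%s%s", used ? ":" : "", dir);
}

/* Builds the terminfo search path. The lookup order (TERMINFO, then
 * $HOME/.terminfo, then TERMINFO_DIRS, then the system directories) is an
 * assumption of this example. Returns a static buffer, so not reentrant. */
const char *build_terminfo_path(int env_allowed, const char *terminfo,
                                const char *terminfo_dirs, const char *home,
                                const char *system_dirs)
{
    static char path[4096];
    char home_ti[4096];

    path[0] = '\0';
    if (env_allowed) {
        append_dir(path, sizeof path, terminfo);
        if (home != NULL && home[0] != '\0') {
            snprintf(home_ti, sizeof home_ti, "%s/.terminfo", home);
            append_dir(path, sizeof path, home_ti);
        }
        append_dir(path, sizeof path, terminfo_dirs);
    }
    /* The compiled-in system directories are always searched. */
    append_dir(path, sizeof path, system_dirs);
    return path;
}

int main(void)
{
    /* Constructed sample environment; a real implementation would read
     * these values with getenv(). */
    const char *terminfo = "/tmp/user-terminfo";
    const char *terminfo_dirs = "/opt/terminfo";
    const char *home = "/home/user";
    const char *system_dirs = "/etc/terminfo:/usr/share/terminfo";

    /* Ordinary user: real and effective ids match, env paths are honoured. */
    printf("unprivileged process: %s\n",
           build_terminfo_path(terminfo_env_allowed(1000, 1000, 1000, 1000),
                               terminfo, terminfo_dirs, home, system_dirs));
    /* A setgid program (e.g. a game running with a games group): env paths
     * are ignored and only the system database is consulted. */
    printf("setgid process: %s\n",
           build_terminfo_path(terminfo_env_allowed(1000, 1000, 1000, 60),
                               terminfo, terminfo_dirs, home, system_dirs));
    printf("this process may use env paths: %d\n", terminfo_env_allowed_self());
    return 0;
}
```

The decision depends only on the four ids, which is what makes the report's manual test ("programs can no longer use custom terminfo files if their effective UID or GID differs from the real one") easy to reproduce: a setgid binary falls back to the packaged database regardless of what TERMINFO or TERMINFO_DIRS contain.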