
[kirkstone] ncurses: Mitigate CVE-2023-29491

Message ID 20231009163211.94482-1-marex@denx.de
State New, archived

Commit Message

Marek Vasut Oct. 9, 2023, 4:32 p.m. UTC
Configure with "--disable-root-environ" to disallow loading of
custom terminfo entries in setuid/setgid programs, mitigating the
impact of CVE-2023-29491.

This is taken from debian:
https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac

Signed-off-by: Marek Vasut <marex@denx.de>
---
 meta/recipes-core/ncurses/ncurses.inc | 1 +
 1 file changed, 1 insertion(+)

Comments

Peter Marko Oct. 9, 2023, 4:47 p.m. UTC | #1
Hi Marek,

Could you please describe why you add this configuration in kirkstone branch?
This CVE is already patched:
https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/ncurses/files/CVE-2023-29491.patch?h=kirkstone

Peter

-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Marek Vasut via lists.openembedded.org
Sent: Monday, October 9, 2023 18:32
To: steve@sakoman.com; openembedded-core@lists.openembedded.org
Cc: Marek Vasut <marex@denx.de>
Subject: [OE-core] [kirkstone][PATCH] ncurses: Mitigate CVE-2023-29491

> Configure with "--disable-root-environ" to disallow loading of custom terminfo entries in setuid/setgid programs, mitigating the impact of CVE-2023-29491.
>
> This is taken from debian:
> https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac
>
> Signed-off-by: Marek Vasut <marex@denx.de>
> ---
>  meta/recipes-core/ncurses/ncurses.inc | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
> index 1abcfae1fe..7e85044bdb 100644
> --- a/meta/recipes-core/ncurses/ncurses.inc
> +++ b/meta/recipes-core/ncurses/ncurses.inc
> @@ -87,6 +87,7 @@ ncurses_configure() {
>  	        --enable-sigwinch \
>  	        --enable-pc-files \
>  	        --disable-rpath-hack \
> +	        --disable-root-environ \
>  		${EXCONFIG_ARGS} \
>  	        --with-manpage-format=normal \
>  	        --without-manpage-renames \
> --
> 2.40.1
Marek Vasut Oct. 9, 2023, 4:57 p.m. UTC | #2
On 10/9/23 18:47, Marko, Peter wrote:
> Hi Marek,
> 
> Could you please describe why you add this configuration in kirkstone branch?
> This CVE is already patched:
> https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/ncurses/files/CVE-2023-29491.patch?h=kirkstone
> 
> Peter
> 
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Marek Vasut via lists.openembedded.org
> Sent: Monday, October 9, 2023 18:32
> To: steve@sakoman.com; openembedded-core@lists.openembedded.org
> Cc: Marek Vasut <marex@denx.de>
> Subject: [OE-core] [kirkstone][PATCH] ncurses: Mitigate CVE-2023-29491
> 
>> Configure with "--disable-root-environ" to disallow loading of custom terminfo entries in setuid/setgid programs, mitigating the impact of CVE-2023-29491.
>>
>> This is taken from debian:
>> https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac
>>
>> Signed-off-by: Marek Vasut <marex@denx.de>
>> ---
>>   meta/recipes-core/ncurses/ncurses.inc | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
>> index 1abcfae1fe..7e85044bdb 100644
>> --- a/meta/recipes-core/ncurses/ncurses.inc
>> +++ b/meta/recipes-core/ncurses/ncurses.inc
>> @@ -87,6 +87,7 @@ ncurses_configure() {
>>   	        --enable-sigwinch \
>>   	        --enable-pc-files \
>>   	        --disable-rpath-hack \
>> +	        --disable-root-environ \
>>   		${EXCONFIG_ARGS} \
>>   	        --with-manpage-format=normal \
>>   	        --without-manpage-renames \

See my reply to the master branch patch.

Patch

diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
index 1abcfae1fe..7e85044bdb 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -87,6 +87,7 @@  ncurses_configure() {
 	        --enable-sigwinch \
 	        --enable-pc-files \
 	        --disable-rpath-hack \
+	        --disable-root-environ \
 		${EXCONFIG_ARGS} \
 	        --with-manpage-format=normal \
 	        --without-manpage-renames \
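
Review bot: In ncurses_configure(), the new --disable-root-environ line sits before ${EXCONFIG_ARGS}, so any option carried in that variable comes later on the configure command line and can switch the feature back on; placing the flag after ${EXCONFIG_ARGS} would make the hardening the last word. The recipe also gains the flag with no explanation next to it, and because the option list is one backslash-continued command, a comment ahead of the configure call naming CVE-2023-29491 and the setuid/setgid terminfo restriction would keep the flag from being dropped in a later cleanup. Since the thread notes that kirkstone already carries CVE-2023-29491.patch, the commit message should state what this flag covers beyond that patch.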