
[dunfell] ncurses: Fix CVE-2023-29491

Message ID 20240206123104.99595-1-virendrak@kpit.com
State Accepted
Delegated to: Steve Sakoman
Series: [dunfell] ncurses: Fix CVE-2023-29491

Commit Message

virendra thakur Feb. 6, 2024, 12:31 p.m. UTC
Memory corruption when processing malformed terminfo data entries
loaded by setuid/setgid programs.

CVE-2023-29491.patch changes the --disable-root-environ configure option
behavior.
Set --disable-root-environ in the configuration options.

The --disable-root-environ option, with a few additional changes
to the code, allows us to mitigate CVE-2023-29491 and avoid
other issues that involve the possibility of malicious use of
environment variables through setuid applications, and, therefore,
it was the fix chosen in order to resolve this vulnerability.

Reference:
https://ubuntu.com/security/CVE-2023-29491
https://launchpad.net/ubuntu/+source/ncurses/6.2-0ubuntu2.1

Signed-off-by: virendra thakur <virendrak@kpit.com>
---
 .../ncurses/files/CVE-2023-29491.patch        | 45 +++++++++++++++++++
 meta/recipes-core/ncurses/ncurses_6.2.bb      |  3 +-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2023-29491.patch
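The privilege gate that the commit message and the Debian patch header describe, as an added example that is not part of the original patch or of ncurses: both variants of the access.c check are rewritten to take the process credentials as parameters (instead of calling getuid()/geteuid()/getgid()/getegid()), and a small caller shows what each decision means for an attacker-controlled TERMINFO directory. The struct and function names (creds, env_access_before, env_access_after, choose_terminfo_dir) and the sample credential sets are assumptions of this example, not ncurses identifiers.

```c
/* Added example for this thread; it is not code from the OE-core patch or
 * from ncurses.  It models the privilege gate in ncurses/tinfo/access.c
 * before and after CVE-2023-29491.patch, with the process credentials passed
 * in explicitly instead of read via getuid()/geteuid()/getgid()/getegid(),
 * so both variants can be exercised for any uid/euid/gid/egid combination.
 * The names creds, env_access_before, env_access_after and
 * choose_terminfo_dir are chosen for this example. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define ROOT_UID 0

struct creds {
    uid_t uid, euid;
    gid_t gid, egid;
};

/* Pre-patch logic under --disable-root-environ: refuse the environment for
 * any setuid/setgid process, and additionally for root. */
static int env_access_before(const struct creds *c)
{
    if (c->uid != c->euid || c->gid != c->egid)
        return 0;
    /* ...finally, disallow root */
    return (c->uid != ROOT_UID) && (c->euid != ROOT_UID);
}

/* Post-patch logic: refuse the environment only when real and effective ids
 * differ, i.e. the process gained privilege through setuid/setgid.  A root
 * shell that was not started setuid keeps its TERMINFO and friends. */
static int env_access_after(const struct creds *c)
{
    int result = 1;
    if (c->uid != c->euid || c->gid != c->egid)
        result = 0;
    return result;
}

/* What a library-side caller does with the gate: honour the caller's
 * TERMINFO only when the check allows environment use, otherwise fall back
 * to the compiled-in directory.  terminfo_env stands in for
 * getenv("TERMINFO") so the example stays deterministic. */
static const char *choose_terminfo_dir(const struct creds *c,
                                       const char *terminfo_env,
                                       int (*env_access)(const struct creds *))
{
    static const char default_dir[] = "/usr/share/terminfo";

    if (terminfo_env != NULL && terminfo_env[0] != '\0' && env_access(c))
        return terminfo_env;
    return default_dir;
}

int main(void)
{
    /* Constructed credential sets; the TERMINFO value plays the role of an
     * attacker-controlled directory holding a malformed entry. */
    const struct creds user     = { 1000, 1000, 1000, 1000 };
    const struct creds root     = { 0, 0, 0, 0 };
    const struct creds suid_bin = { 1000, 0, 1000, 1000 };  /* setuid-root binary run by uid 1000 */
    const struct creds sgid_bin = { 1000, 1000, 1000, 5 };  /* setgid binary, real gid 1000 */
    const char *evil = "/tmp/attacker/terminfo";
    const struct { const char *name; const struct creds *c; } cases[] = {
        { "plain user",       &user },
        { "root, not setuid", &root },
        { "setuid-root",      &suid_bin },
        { "setgid",           &sgid_bin },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-18s before: %s  after: %s\n", cases[i].name,
               choose_terminfo_dir(cases[i].c, evil, env_access_before),
               choose_terminfo_dir(cases[i].c, evil, env_access_after));
    }
    return 0;
}
```

Compile with `cc -o envgate envgate.c` and run it. The one case where the two variants differ is the root process that was not started setuid: the old check refused it the environment, the new one allows it, while setuid and setgid processes are refused by both. That is the entire semantic effect of the access.c hunk, and the check only exists in the library at all when it is configured with --disable-root-environ, which is what the recipe change in this patch turns on.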

Comments

Steve Sakoman Feb. 6, 2024, 2:10 p.m. UTC | #1
On Tue, Feb 6, 2024 at 2:31 AM virendra thakur
<thakur.virendra1810@gmail.com> wrote:
>
> memory corruption when processing malformed terminfo data entries
> loaded by setuid/setgid programs
>
> CVE-2023-29491.patch change the --disable-root-environ configure option
> behavior.
> set --disable-root-environ in configuration options.
>
> --disable-root-environ option with a few additional changes
> to the code allows us to mitigate CVE-2023-29491 and avoid
> other issues that involve the possibility of malicious use of
> environment variables through setuid applications, and, therefore,
> it was the fix chosen in order to resolve this vulnerability.
>
> Reference:
> https://ubuntu.com/security/CVE-2023-29491
> https://launchpad.net/ubuntu/+source/ncurses/6.2-0ubuntu2.1
>
> Signed-off-by: virendra thakur <virendrak@kpit.com>
> ---
>  .../ncurses/files/CVE-2023-29491.patch        | 45 +++++++++++++++++++
>  meta/recipes-core/ncurses/ncurses_6.2.bb      |  3 +-
>  2 files changed, 47 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-core/ncurses/files/CVE-2023-29491.patch
>
> diff --git a/meta/recipes-core/ncurses/files/CVE-2023-29491.patch b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
> new file mode 100644
> index 0000000000..0a0497723f
> --- /dev/null
> +++ b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
> @@ -0,0 +1,45 @@
> +Backport of:
> +
> +Author: Sven Joachim <svenjoac@gmx.de>
> +Description: Change the --disable-root-environ configure option behavior
> + By default, the --disable-root-environ option forbids program run by
> + the superuser to load custom terminfo entries.  This patch changes
> + that to only restrict programs running with elevated privileges,
> + matching the behavior of the --disable-setuid-environ option
> + introduced in the 20230423 upstream patchlevel.
> +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
> +Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
> +Forwarded: not-needed
> +Last-Update: 2023-05-01
> +
> +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ncurses/6.2-0ubuntu2.1/ncurses_6.2-0ubuntu2.1.debian.tar.xz]

Ubuntu launchpad is not the upstream for ncurses.  Please reference
the actual upstream commit in a V2.

Thanks!

Steve

> +CVE: CVE-2023-29491
> +Signed-off-by: Virendra Thakur <virendrak@kpit.com>
> +
> +---
> + ncurses/tinfo/access.c |    2 --
> + 1 file changed, 2 deletions(-)
> +
> +--- a/ncurses/tinfo/access.c
> ++++ b/ncurses/tinfo/access.c
> +@@ -178,15 +178,16 @@ _nc_is_file_path(const char *path)
> + NCURSES_EXPORT(int)
> + _nc_env_access(void)
> + {
> ++    int result = TRUE;
> ++
> + #if HAVE_ISSETUGID
> +     if (issetugid())
> +-      return FALSE;
> ++      result = FALSE;
> + #elif HAVE_GETEUID && HAVE_GETEGID
> +     if (getuid() != geteuid()
> +       || getgid() != getegid())
> +-      return FALSE;
> ++      result = FALSE;
> + #endif
> +-    /* ...finally, disallow root */
> +-    return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID);
> ++    return result;
> + }
> + #endif
> diff --git a/meta/recipes-core/ncurses/ncurses_6.2.bb b/meta/recipes-core/ncurses/ncurses_6.2.bb
> index 451bfbcb5d..33285bcb5b 100644
> --- a/meta/recipes-core/ncurses/ncurses_6.2.bb
> +++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
> @@ -5,11 +5,12 @@ SRC_URI += "file://0001-tic-hang.patch \
>             file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \
>             file://CVE-2021-39537.patch \
>             file://CVE-2022-29458.patch \
> +           file://CVE-2023-29491.patch \
>             "
>  # commit id corresponds to the revision in package version
>  SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"
>  S = "${WORKDIR}/git"
> -EXTRA_OECONF += "--with-abi-version=5"
> +EXTRA_OECONF += "--with-abi-version=5 --disable-root-environ"
>  UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+(\+\d+)*)"
>
>  # This is needed when using patchlevel versions like 6.1+20181013
> --
> 2.25.1
>
>
>
Virendra Kumar Thakur Feb. 9, 2024, 10:03 a.m. UTC | #2
@steve@sakoman.com Upstream has not yet provided a fix for ncurses_6.2. The provided patch is taken from Debian to mitigate the CVE.


________________________________
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> on behalf of Steve Sakoman via lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
Sent: Tuesday, February 6, 2024 7:40 PM
To: virendra thakur <thakur.virendra1810@gmail.com>
Cc: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>; hongxu.jia@windriver.com <hongxu.jia@windriver.com>
Subject: Re: [OE-core] [dunfell][PATCH] ncurses: Fix CVE-2023-29491


Patch

diff --git a/meta/recipes-core/ncurses/files/CVE-2023-29491.patch b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
new file mode 100644
index 0000000000..0a0497723f
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
@@ -0,0 +1,45 @@ 
+Backport of:
+
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Change the --disable-root-environ configure option behavior
+ By default, the --disable-root-environ option forbids program run by
+ the superuser to load custom terminfo entries.  This patch changes
+ that to only restrict programs running with elevated privileges,
+ matching the behavior of the --disable-setuid-environ option
+ introduced in the 20230423 upstream patchlevel.
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
+Forwarded: not-needed
+Last-Update: 2023-05-01
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ncurses/6.2-0ubuntu2.1/ncurses_6.2-0ubuntu2.1.debian.tar.xz]
+CVE: CVE-2023-29491
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+
+---
+ ncurses/tinfo/access.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/ncurses/tinfo/access.c
++++ b/ncurses/tinfo/access.c
+@@ -178,15 +178,16 @@ _nc_is_file_path(const char *path)
+ NCURSES_EXPORT(int)
+ _nc_env_access(void)
+ {
++    int result = TRUE;
++
+ #if HAVE_ISSETUGID
+     if (issetugid())
+-	return FALSE;
++	result = FALSE;
+ #elif HAVE_GETEUID && HAVE_GETEGID
+     if (getuid() != geteuid()
+ 	|| getgid() != getegid())
+-	return FALSE;
++	result = FALSE;
+ #endif
+-    /* ...finally, disallow root */
+-    return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID);
++    return result;
+ }
+ #endif
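Review bot: the `#if HAVE_ISSETUGID` / `#elif HAVE_GETEUID && HAVE_GETEGID` chain has no `#else`, so a configuration where neither is defined now returns `result = TRUE` unconditionally, whereas the removed `return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID);` still refused root there; that is moot on the glibc/musl Linux targets dunfell builds for, where the getuid()/geteuid() branch is what gets compiled, but it belongs in the description. Two header problems: the diffstat `ncurses/tinfo/access.c | 2 --` / `1 file changed, 2 deletions(-)` does not match the hunk, which has five additions and four deletions; and, as Steve said, `Upstream-Status: Backport [https://launchpad.net/...]` should point at the upstream ncurses change (the 20230423 patchlevel the Description names, for which the `Bug:` bug-ncurses link already is the right reference) rather than at an Ubuntu source tarball, or the patch should be labelled as the Debian/Ubuntu-origin change it is. Finally, the subject says "Fix" while the body says "mitigate": this hunk only changes the privilege gate in access.c and does not touch the terminfo parsing that the commit message says corrupts memory, so the description should state plainly that it restricts which processes honour the environment rather than repairing the parser.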
diff --git a/meta/recipes-core/ncurses/ncurses_6.2.bb b/meta/recipes-core/ncurses/ncurses_6.2.bb
index 451bfbcb5d..33285bcb5b 100644
--- a/meta/recipes-core/ncurses/ncurses_6.2.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
@@ -5,11 +5,12 @@  SRC_URI += "file://0001-tic-hang.patch \
            file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \
            file://CVE-2021-39537.patch \
            file://CVE-2022-29458.patch \
+           file://CVE-2023-29491.patch \
            "
 # commit id corresponds to the revision in package version
 SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"
 S = "${WORKDIR}/git"
-EXTRA_OECONF += "--with-abi-version=5"
+EXTRA_OECONF += "--with-abi-version=5 --disable-root-environ"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+(\+\d+)*)"
 
 # This is needed when using patchlevel versions like 6.1+20181013
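Review bot: `--disable-root-environ` changes runtime behaviour for every program linked against this libtinfo/libncurses, not only the CVE path, and its meaning here depends on CVE-2023-29491.patch being applied: with the patch, setuid/setgid processes ignore the environment variables that redirect terminfo/termcap lookup (TERMINFO and friends) while a plain root process still honours them; without it, for example after a version bump that drops the patch, root is locked out as well and the option silently reverts to its original semantics. Put a one-line comment above `EXTRA_OECONF += "--with-abi-version=5 --disable-root-environ"` tying the flag to the patch, and spell the behaviour change out in the commit message so image maintainers know that setuid tools can no longer pick up custom terminfo entries from the environment.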