Control: tags -1 moreinfo confirmed

On 2023-05-01 18:32:20 +0200, Sven Joachim wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> Tags: d-i
> X-Debbugs-Cc: ncur...@packages.debian.org, debian-b...@lists.debian.org
> Control: affects -1 + src:ncurses
>
> I would like to address CVE-2023-29491[1] aka bug #1034372[2] in
> Bookworm.

Please go ahead and remove the moreinfo tag once the version is
available in unstable.

Cheers

>
> [ Reason ]
> Various memory corruption bugs exist when loading specifically crafted
> terminfo database files. This is a security problem in programs running
> with elevated privileges, as users are allowed to provide their own
> terminfo files under ${HOME}/.terminfo or via the TERMINFO or
> TERMINFO_DIRS environment variables.
>
> Backporting the upstream fixes seems to be too risky this late in the
> release process, but via a configure option it is possible to prevent
> setuid/setgid programs from loading custom terminfo files supplied by
> the user, after which the bugs are no longer security relevant.
>
> [ Impact ]
> Local users could try privilege escalations in setuid/setgid programs
> linked to the tinfo library. How easily those can be achieved probably
> depends on the program.
>
> [ Tests ]
> No automatic tests exist. I have manually verified that programs can no
> longer use custom terminfo files if their effective UID or GID differs
> from the real one. Also I have verified that the terminfo database in
> the ncurses-{base,term} packages is unchanged from 6.4-2.
>
> [ Risks ]
> Users who are relying on their own terminfo files under
> ${HOME}/.terminfo can no longer use them in setuid/setgid programs and
> will have to work around that, e.g. by changing their TERM variable,
> using a different terminal emulator or asking their sysadmin for help.
>
> On my systems I did not find any setuid binaries linked to the tinfo
> library, but some setgid games in the bsdgames package.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> I have slightly edited the debdiff to exclude spurious changes to the
> debian/lib{32,64}tinfo6.symbols files, as these are just symlinks to
> libtinfo6.symbols. See devscripts bug #773762[3].
> > [ Other info ] > Since ncurses produces udebs, I have CC'ed debian-boot and tagged the > bug accordingly. There should be no effect on the installer, as I would > expect it to run all programs as root. > > Thanks for consideration. > > Cheers, > Sven > > > 1. https://security-tracker.debian.org/tracker/CVE-2023-29491 > 2. https://bugs.debian.org/1034372 > 3. https://bugs.debian.org/773762 > > diff -Nru ncurses-6.4/debian/changelog ncurses-6.4/debian/changelog > --- ncurses-6.4/debian/changelog 2023-01-25 21:21:49.000000000 +0100 > +++ ncurses-6.4/debian/changelog 2023-05-01 17:57:51.000000000 +0200 > @@ -1,3 +1,21 @@ > +ncurses (6.4-3) unstable; urgency=medium > + > + * Configure with "--disable-root-environ" to disallow loading of > + custom terminfo entries in setuid/setgid programs, mitigating the > + impact of CVE-2023-29491 (see #1034372). > + - Update the symbols files for the newly exported symbol > + _nc_env_access. > + - New patch fix-configure-root-args-option.diff cherry-picked from > + the 20230415 patchlevel, fixing a copy/paste error which caused > + the "--disable-root-environ" configure option to pick up code > + meant to be used by the "--disable-root-args" option instead. > + - New patch debian-env-access.diff, changing the behavior of the > + "--disable-root-environ" configure option to not restrict programs > + run by the superuser, equivalent to the "--disable-setuid-environ" > + option introduced in the 20230423 patchlevel. > + > + -- Sven Joachim <svenj...@gmx.de> Mon, 01 May 2023 17:57:51 +0200 > + > ncurses (6.4-2) unstable; urgency=medium > > * Add Breaks against vim-common (<< 2:9.0.1000-2) to ncurses-base > diff -Nru ncurses-6.4/debian/libtinfo5.symbols > ncurses-6.4/debian/libtinfo5.symbols > --- ncurses-6.4/debian/libtinfo5.symbols 2023-01-22 17:54:52.000000000 > +0100 > +++ ncurses-6.4/debian/libtinfo5.symbols 2023-05-01 11:36:38.000000000 > +0200 
> @@ -95,6 +95,7 @@ > _nc_curr_col@NCURSES_TINFO_5.0.19991023 6 > _nc_curr_line@NCURSES_TINFO_5.0.19991023 6 > _nc_doalloc@NCURSES_TINFO_5.0.19991023 6 > + _nc_env_access@NCURSES_TINFO_5.2.20001021 6.4-3~ > _nc_err_abort@NCURSES_TINFO_5.0.19991023 6 > _nc_fallback@NCURSES_TINFO_5.0.19991023 6 > _nc_find_entry@NCURSES_TINFO_5.0.19991023 6 > diff -Nru ncurses-6.4/debian/libtinfo6.symbols > ncurses-6.4/debian/libtinfo6.symbols > --- ncurses-6.4/debian/libtinfo6.symbols 2023-01-22 17:54:52.000000000 > +0100 > +++ ncurses-6.4/debian/libtinfo6.symbols 2023-05-01 11:36:38.000000000 > +0200 > @@ -94,6 +94,7 @@ > _nc_curr_col@NCURSES6_TINFO_5.0.19991023 6 > _nc_curr_line@NCURSES6_TINFO_5.0.19991023 6 > _nc_doalloc@NCURSES6_TINFO_5.0.19991023 6 > + _nc_env_access@NCURSES6_TINFO_5.2.20001021 6.4-3~ > _nc_err_abort@NCURSES6_TINFO_5.0.19991023 6 > _nc_export_termtype2@NCURSES6_TINFO_6.1.20171230 6.1 > _nc_fallback2@NCURSES6_TINFO_6.1.20171230 6.1 > diff -Nru ncurses-6.4/debian/patches/debian-env-access.diff > ncurses-6.4/debian/patches/debian-env-access.diff > --- ncurses-6.4/debian/patches/debian-env-access.diff 1970-01-01 > 01:00:00.000000000 +0100 > +++ ncurses-6.4/debian/patches/debian-env-access.diff 2023-05-01 > 11:31:44.000000000 +0200 
> @@ -0,0 +1,27 @@ > +Author: Sven Joachim <svenj...@gmx.de> > +Description: Change the --disable-root-environ configure option behavior > + By default, the --disable-root-environ option forbids program run by > + the superuser to load custom terminfo entries. This patch changes > + that to only restrict programs running with elevated privileges, > + matching the behavior of the --disable-setuid-environ option > + introduced in the 20230423 upstream patchlevel. > +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29 > +Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html > +Forwarded: not-needed > +Last-Update: 2023-05-01 > + > +--- > + ncurses/tinfo/access.c | 2 -- > + 1 file changed, 2 deletions(-) > + > +--- a/ncurses/tinfo/access.c > ++++ b/ncurses/tinfo/access.c > +@@ -215,8 +215,6 @@ _nc_env_access(void) > + > + if (is_elevated()) { > + result = FALSE; > +- } else if ((getuid() == ROOT_UID) || (geteuid() == ROOT_UID)) { > +- result = FALSE; > + } > + return result; > + } > diff -Nru ncurses-6.4/debian/patches/fix-configure-root-args-option.diff > ncurses-6.4/debian/patches/fix-configure-root-args-option.diff > --- ncurses-6.4/debian/patches/fix-configure-root-args-option.diff > 1970-01-01 01:00:00.000000000 +0100 > +++ ncurses-6.4/debian/patches/fix-configure-root-args-option.diff > 2023-05-01 11:31:04.000000000 +0200 
> @@ -0,0 +1,24 @@ > +Author: Sven Joachim <svenj...@gmx.de> > +Description: Fix copy/paste error in configure.in > + Fix the --disable-root-access and --disableroot-environ configure > + options. Due to a copy/paste error, the latter performs the actions > + of the former, while the --disable-root-access option has no effect > + at all. > +Forwarded: > https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00003.html > +Last-Update: 2023-05-01 > + > +--- > + configure.in | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +--- a/configure.in > ++++ b/configure.in > +@@ -868,7 +868,7 @@ AC_MSG_RESULT($with_root_environ) > + test "x$with_root_environ" = xyes && AC_DEFINE(USE_ROOT_ENVIRON,1,[Define > to 1 if root is allowed to use ncurses environment]) > + > + AC_MSG_CHECKING(if you want to permit setuid programs to access all files) > +-AC_ARG_ENABLE(root-environ, > ++AC_ARG_ENABLE(root-access, > + [ --disable-root-access restrict file-access when running setuid], > + [with_root_access=$enableval], > + [with_root_access=yes]) > diff -Nru ncurses-6.4/debian/patches/series ncurses-6.4/debian/patches/series > --- ncurses-6.4/debian/patches/series 2023-01-22 18:31:25.000000000 +0100 > +++ ncurses-6.4/debian/patches/series 2023-05-01 11:31:44.000000000 +0200 > @@ -3,3 +3,5 @@ > 02-debian-xterm.diff > 03-debian-ncursesconfig-omit-L.diff > fix_crash_on_very_long_tc-use_clause.diff > +fix-configure-root-args-option.diff > +debian-env-access.diff > diff -Nru ncurses-6.4/debian/rules ncurses-6.4/debian/rules > --- ncurses-6.4/debian/rules 2023-01-22 19:46:39.000000000 +0100 > +++ ncurses-6.4/debian/rules 2023-05-01 11:36:38.000000000 +0200 > @@ -148,6 +148,7 @@ > --without-progs \ > $(with_mouse) \ > --enable-symlinks \ > + --disable-root-environ \ > --disable-termcap \ > --with-default-terminfo-dir=/etc/terminfo \ > > --with-terminfo-dirs="/etc/terminfo:/lib/terminfo:/usr/share/terminfo" \ -- Sebastian Ramacher
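
Review bot: in the _nc_env_access() hunk of debian-env-access.diff, removing the `(getuid() == ROOT_UID) || (geteuid() == ROOT_UID)` branch leaves `is_elevated()` as the only gate, so a process whose real and effective UID are both 0 now honours user-supplied terminfo. If is_elevated() only compares real against effective IDs, as the [ Tests ] section describes, that also covers a setuid-root program that has already set its real UID to 0 before initialising the terminal, and root processes started with a caller's HOME or TERMINFO preserved. Please say in the patch Description whether this case is knowingly left out of the mitigation, or what else covers it.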
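
Review bot: the option name is inconsistent around the configure.in hunk of fix-configure-root-args-option.diff: the hunk and its Description use --disable-root-access (`AC_ARG_ENABLE(root-access,`), while the patch file name and the debian/changelog entry call it "--disable-root-args", and the Description also writes "--disableroot-environ" with a hyphen missing. Please use the name from the hunk throughout so the changelog can be matched against the configure help text. As the diffstat lists only configure.in, it would also help to state that the build regenerates configure from it, since debian/rules runs the generated script.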
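
Review bot: the debian/rules hunk adds `--disable-root-environ` to the configure flags with nothing in the file saying why it is there, and the [ Tests ] section states that no automatic test covers the behaviour. A comment above the flag list pointing to CVE-2023-29491 and #1034372, plus an autopkgtest asserting that a setgid program ignores a custom TERMINFO, would keep the flag from being dropped in a later cleanup without anyone noticing.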
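
The access decision that debian-env-access.diff changes, modelled as an added example (not ncurses source and not part of the original mail). `struct ids`, the sample processes and the function names are hypothetical, and `elevated()` assumes the real-versus-effective ID comparison described under [ Tests ].

```c
/* Added illustration: a model of the decision, not ncurses source code. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define ROOT_UID 0

/* Hypothetical container for a process's real and effective IDs. */
struct ids { uid_t ruid, euid; gid_t rgid, egid; };

/* Constructed sample processes (IDs are made up for the example). */
static const struct ids PLAIN_USER  = { 1000, 1000, 1000, 1000 };
static const struct ids SETGID_GAME = { 1000, 1000, 1000,   60 };
static const struct ids SETUID_ROOT = { 1000,    0, 1000, 1000 };
static const struct ids REAL_ROOT   = {    0,    0,    0,    0 };

/* Assumption: "elevated" = effective UID or GID differs from the real one. */
static int elevated(struct ids p)
{
    return p.ruid != p.euid || p.rgid != p.egid;
}

/* --disable-root-environ before debian-env-access.diff: root is refused too. */
static int env_access_before(struct ids p)
{
    if (elevated(p))
        return 0;
    if (p.ruid == ROOT_UID || p.euid == ROOT_UID)
        return 0;
    return 1;
}

/* After the patch: only elevated processes lose custom terminfo. */
static int env_access_after(struct ids p)
{
    return !elevated(p);
}

static void report(const char *name, struct ids p)
{
    printf("%-12s before=%d after=%d\n", name,
           env_access_before(p), env_access_after(p));
}

int main(void)
{
    struct ids self = { getuid(), geteuid(), getgid(), getegid() };
    report("plain user", PLAIN_USER);
    report("setgid game", SETGID_GAME);
    report("setuid root", SETUID_ROOT);
    report("real root", REAL_ROOT);
    report("this process", self);
    return 0;
}
```

A result of 1 means TERMINFO, TERMINFO_DIRS and ${HOME}/.terminfo are honoured; 0 means they are ignored.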