Hi Marek,

Could you please describe why you added this configuration in the kirkstone branch? This CVE is already patched: https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/ncurses/files/CVE-2023-29491.patch?h=kirkstone
Peter -----Original Message----- From: [email protected] <[email protected]> On Behalf Of Marek Vasut via lists.openembedded.org Sent: Monday, October 9, 2023 18:32 To: [email protected]; [email protected] Cc: Marek Vasut <[email protected]> Subject: [OE-core] [kirkstone][PATCH] ncurses: Mitigate CVE-2023-29491 > Configure with "--disable-root-environ" to disallow loading of custom > terminfo entries in setuid/setgid programs, mitigating the impact of > CVE-2023-29491. > > This is taken from debian: > https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac > > Signed-off-by: Marek Vasut <[email protected]> > --- > meta/recipes-core/ncurses/ncurses.inc | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta/recipes-core/ncurses/ncurses.inc > b/meta/recipes-core/ncurses/ncurses.inc > index 1abcfae1fe..7e85044bdb 100644 > --- a/meta/recipes-core/ncurses/ncurses.inc > +++ b/meta/recipes-core/ncurses/ncurses.inc > @@ -87,6 +87,7 @@ ncurses_configure() { > --enable-sigwinch \ > --enable-pc-files \ > --disable-rpath-hack \ > + --disable-root-environ \ > ${EXCONFIG_ARGS} \ > --with-manpage-format=normal \ > --without-manpage-renames \ > -- > 2.40.1
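Review bot: the added `--disable-root-environ \` line in ncurses_configure() is unconditional, and the commit message does not say how it relates to a source-level fix for CVE-2023-29491 or what changes for users. Please state in the commit message whether the flag is meant as hardening in addition to a backported fix or as a replacement for one. Since the message itself says setuid/setgid programs will no longer load custom terminfo entries, it should also call that out as a behaviour change on a stable branch so anyone relying on it knows what to expect.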
