Hi Marek,

Could you please describe why you add this configuration in kirkstone branch?
This CVE is already patched:
https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/ncurses/files/CVE-2023-29491.patch?h=kirkstone

Peter

-----Original Message-----
From: [email protected] 
<[email protected]> On Behalf Of Marek Vasut via 
lists.openembedded.org
Sent: Monday, October 9, 2023 18:32
To: [email protected]; [email protected]
Cc: Marek Vasut <[email protected]>
Subject: [OE-core] [kirkstone][PATCH] ncurses: Mitigate CVE-2023-29491

> Configure with "--disable-root-environ" to disallow loading of custom 
> terminfo entries in setuid/setgid programs, mitigating the impact of 
> CVE-2023-29491.
>
> This is taken from debian:
> https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac
>
> Signed-off-by: Marek Vasut <[email protected]>
> ---
>  meta/recipes-core/ncurses/ncurses.inc | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-core/ncurses/ncurses.inc 
> b/meta/recipes-core/ncurses/ncurses.inc
> index 1abcfae1fe..7e85044bdb 100644
> --- a/meta/recipes-core/ncurses/ncurses.inc
> +++ b/meta/recipes-core/ncurses/ncurses.inc
> @@ -87,6 +87,7 @@ ncurses_configure() {
>               --enable-sigwinch \
>               --enable-pc-files \
>               --disable-rpath-hack \
> +             --disable-root-environ \
>               ${EXCONFIG_ARGS} \
>               --with-manpage-format=normal \
>               --without-manpage-renames \
> --
> 2.40.1

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188852): 
https://lists.openembedded.org/g/openembedded-core/message/188852
Mute This Topic: https://lists.openembedded.org/mt/101856357/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to