-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Richard Purdie via lists.openembedded.org
Sent: Monday, October 9, 2023 18:44
To: Marek Vasut <[email protected]>; [email protected]; [email protected]
Cc: Alexandre Belloni <[email protected]>
Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
> On Mon, 2023-10-09 at 18:31 +0200, Marek Vasut wrote:
> > Configure with "--disable-root-environ" to disallow loading of custom
> > terminfo entries in setuid/setgid programs, mitigating the impact of
> > CVE-2023-29491.
> >
> > This is taken from debian:
> > https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac
> >
> > Signed-off-by: Marek Vasut <[email protected]>
> > ---
> > Cc: Alexandre Belloni <[email protected]>
> > Cc: Richard Purdie <[email protected]>
> > ---
> >  meta/recipes-core/ncurses/ncurses.inc | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
> > index 367f3b19f4..1bc07ec2d4 100644
> > --- a/meta/recipes-core/ncurses/ncurses.inc
> > +++ b/meta/recipes-core/ncurses/ncurses.inc
> > @@ -87,6 +87,7 @@ ncurses_configure() {
> >  --enable-sigwinch \
> >  --enable-pc-files \
> >  --disable-rpath-hack \
> > + --disable-root-environ \
> >  ${EXCONFIG_ARGS} \
> >  --with-manpage-format=normal \
> >  --without-manpage-renames \
>
> Should the patch add a CVE_STATUS entry as well so the cve tooling can tell
> we've mitigated this?

ncurses 6.4 is not affected and not shown in the CVE report; not sure why this is submitted for master.

Peter

> Cheers,
>
> Richard
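Review bot: the hunk adds `--disable-root-environ` to ncurses_configure() in ncurses.inc without a matching CVE_STATUS entry for CVE-2023-29491, so the CVE tooling has no way to record that the issue is mitigated by this configure flag; add the entry alongside the flag. Since the flag is a behaviour change for every build using this include file (setuid/setgid programs will no longer load user-supplied terminfo entries), the commit message should also state which ncurses version in master this applies to, given the reply that 6.4 is not affected and is not listed in the CVE report.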
