On 10/9/23 18:51, Marko, Peter wrote:
-----Original Message-----
From: [email protected]
<[email protected]> On Behalf Of Richard Purdie via
lists.openembedded.org
Sent: Monday, October 9, 2023 18:44
To: Marek Vasut <[email protected]>; [email protected];
[email protected]
Cc: Alexandre Belloni <[email protected]>
Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
On Mon, 2023-10-09 at 18:31 +0200, Marek Vasut wrote:
Configure with "--disable-root-environ" to disallow loading of custom
terminfo entries in setuid/setgid programs, mitigating the impact of
CVE-2023-29491.
This is taken from debian:
https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b
8780d51cd09bd5a08ac
Signed-off-by: Marek Vasut <[email protected]>
---
Cc: Alexandre Belloni <[email protected]>
Cc: Richard Purdie <[email protected]>
---
meta/recipes-core/ncurses/ncurses.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-core/ncurses/ncurses.inc
b/meta/recipes-core/ncurses/ncurses.inc
index 367f3b19f4..1bc07ec2d4 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -87,6 +87,7 @@ ncurses_configure() {
--enable-sigwinch \
--enable-pc-files \
--disable-rpath-hack \
+ --disable-root-environ \
${EXCONFIG_ARGS} \
--with-manpage-format=normal \
--without-manpage-renames \
Should the patch add a CVE_STATUS entry as well so the cve tooling can tell
we've mitigated this?
ncurses 6.4 is not affected and not shown in CVE report, not sure why this is
submitted for master.
Peter
Just wanted to make sure the configuration is consistent across all the
releases.
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188856):
https://lists.openembedded.org/g/openembedded-core/message/188856
Mute This Topic: https://lists.openembedded.org/mt/101856335/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-