-----Original Message----- From: Marek Vasut <[email protected]> Sent: Monday, October 9, 2023 18:57 To: Marko, Peter (ADV D EU SK BFS1) <[email protected]>; [email protected] Cc: Alexandre Belloni <[email protected]>; [email protected]; [email protected] Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
> On 10/9/23 18:51, Marko, Peter wrote: > > -----Original Message----- > > From: [email protected] > > <[email protected]> On Behalf Of Richard Purdie > > via lists.openembedded.org > > Sent: Monday, October 9, 2023 18:44 > > To: Marek Vasut <[email protected]>; [email protected]; > > [email protected] > > Cc: Alexandre Belloni <[email protected]> > > Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491 > > > >> On Mon, 2023-10-09 at 18:31 +0200, Marek Vasut wrote: > >>> Configure with "--disable-root-environ" to disallow loading of > >>> custom terminfo entries in setuid/setgid programs, mitigating the > >>> impact of CVE-2023-29491. > >>> > >>> This is taken from debian: > >>> https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef03 > >>> 9b > >>> 8780d51cd09bd5a08ac > >>> > >>> Signed-off-by: Marek Vasut <[email protected]> > >>> --- > >>> Cc: Alexandre Belloni <[email protected]> > >>> Cc: Richard Purdie <[email protected]> > >>> --- > >>> meta/recipes-core/ncurses/ncurses.inc | 1 + > >>> 1 file changed, 1 insertion(+) > >>> > >>> diff --git a/meta/recipes-core/ncurses/ncurses.inc > >>> b/meta/recipes-core/ncurses/ncurses.inc > >>> index 367f3b19f4..1bc07ec2d4 100644 > >>> --- a/meta/recipes-core/ncurses/ncurses.inc > >>> +++ b/meta/recipes-core/ncurses/ncurses.inc > >>> @@ -87,6 +87,7 @@ ncurses_configure() { > >>> --enable-sigwinch \ > >>> --enable-pc-files \ > >>> --disable-rpath-hack \ > >>> + --disable-root-environ \ > >>> ${EXCONFIG_ARGS} \ > >>> --with-manpage-format=normal \ > >>> --without-manpage-renames \ > >> > >> Should the patch add a CVE_STATUS entry as well so the cve tooling can > >> tell we've mitigated this? > > > > ncurses 6.4 is not affected and not shown in CVE report, not sure why this > > is submitted for master. > > Peter > > Just wanted to make sure the configuration is consistent across all the > releases. I think that the commit message should be changed. It's misleading when it only says that it mitigates already fixed CVE. Peter
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#188858): https://lists.openembedded.org/g/openembedded-core/message/188858 Mute This Topic: https://lists.openembedded.org/mt/101856335/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
