Re: [OE-core] [kirkstone][PATCH] ncurses: Mitigate CVE-2023-29491

2023-10-09 Thread Marek Vasut

On 10/9/23 18:47, Marko, Peter wrote:

Hi Marek,

Could you please describe why you add this configuration in kirkstone branch?
This CVE is already patched:
https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/ncurses/files/CVE-2023-29491.patch?h=kirkstone

Peter

-Original Message-
From: openembedded-core@lists.openembedded.org On Behalf Of Marek Vasut via lists.openembedded.org
Sent: Monday, October 9, 2023 18:32
To: st...@sakoman.com; openembedded-core@lists.openembedded.org
Cc: Marek Vasut 
Subject: [OE-core] [kirkstone][PATCH] ncurses: Mitigate CVE-2023-29491


Configure with "--disable-root-environ" to disallow loading of custom terminfo 
entries in setuid/setgid programs, mitigating the impact of CVE-2023-29491.

This is taken from debian:
https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac

Signed-off-by: Marek Vasut 
---
  meta/recipes-core/ncurses/ncurses.inc | 1 +
  1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/ncurses/ncurses.inc 
b/meta/recipes-core/ncurses/ncurses.inc
index 1abcfae1fe..7e85044bdb 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -87,6 +87,7 @@ ncurses_configure() {
--enable-sigwinch \
--enable-pc-files \
--disable-rpath-hack \
+   --disable-root-environ \
${EXCONFIG_ARGS} \
--with-manpage-format=normal \
--without-manpage-renames \


See my reply to the master branch patch.

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188857): 
https://lists.openembedded.org/g/openembedded-core/message/188857
Mute This Topic: https://lists.openembedded.org/mt/101856357/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core] [kirkstone][PATCH] ncurses: Mitigate CVE-2023-29491

2023-10-09 Thread Peter Marko via lists.openembedded.org
Hi Marek,

Could you please describe why you add this configuration in kirkstone branch?
This CVE is already patched:
https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/ncurses/files/CVE-2023-29491.patch?h=kirkstone

Peter

-Original Message-
From: openembedded-core@lists.openembedded.org On Behalf Of Marek Vasut via lists.openembedded.org
Sent: Monday, October 9, 2023 18:32
To: st...@sakoman.com; openembedded-core@lists.openembedded.org
Cc: Marek Vasut 
Subject: [OE-core] [kirkstone][PATCH] ncurses: Mitigate CVE-2023-29491

> Configure with "--disable-root-environ" to disallow loading of custom 
> terminfo entries in setuid/setgid programs, mitigating the impact of 
> CVE-2023-29491.
>
> This is taken from debian:
> https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac
>
> Signed-off-by: Marek Vasut 
> ---
>  meta/recipes-core/ncurses/ncurses.inc | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-core/ncurses/ncurses.inc 
> b/meta/recipes-core/ncurses/ncurses.inc
> index 1abcfae1fe..7e85044bdb 100644
> --- a/meta/recipes-core/ncurses/ncurses.inc
> +++ b/meta/recipes-core/ncurses/ncurses.inc
> @@ -87,6 +87,7 @@ ncurses_configure() {
>   --enable-sigwinch \
>   --enable-pc-files \
>   --disable-rpath-hack \
> + --disable-root-environ \
>   ${EXCONFIG_ARGS} \
>   --with-manpage-format=normal \
>   --without-manpage-renames \
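Review bot: the commit message does not say how the added `--disable-root-environ \` relates to the CVE-2023-29491.patch already carried in kirkstone (linked at the top of this reply), so the change reads as a duplicate fix for an already patched CVE; state in the commit message whether the flag is defense in depth on top of that backport or covers a case the backport does not, and name the existing patch so the CVE tracking for the recipe stays consistent.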
> --
> 2.40.1


View/Reply Online (#188852): https://lists.openembedded.org/g/openembedded-core/message/188852



[OE-core] [kirkstone][PATCH] ncurses: Mitigate CVE-2023-29491

2023-10-09 Thread Marek Vasut
Configure with "--disable-root-environ" to disallow loading of
custom terminfo entries in setuid/setgid programs, mitigating the
impact of CVE-2023-29491.

This is taken from debian:
https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac

Signed-off-by: Marek Vasut 
---
 meta/recipes-core/ncurses/ncurses.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/ncurses/ncurses.inc 
b/meta/recipes-core/ncurses/ncurses.inc
index 1abcfae1fe..7e85044bdb 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -87,6 +87,7 @@ ncurses_configure() {
--enable-sigwinch \
--enable-pc-files \
--disable-rpath-hack \
+   --disable-root-environ \
${EXCONFIG_ARGS} \
--with-manpage-format=normal \
--without-manpage-renames \
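Review bot: the added `--disable-root-environ \` line gives a reader of ncurses.inc no hint that it is a security mitigation; since a `#` line cannot be placed between the backslash-continued arguments of ncurses_configure() without ending the command, put a one-line comment above the function naming CVE-2023-29491 and the effect the commit message describes (custom terminfo entries are not loaded in setuid/setgid programs), so the flag is not dropped in a later cleanup.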
-- 
2.40.1


View/Reply Online (#188848): https://lists.openembedded.org/g/openembedded-core/message/188848