
Bug#1034372: ncurses: CVE-2023-29491


Moritz Mühlenhoff
Apr 13, 2023, 2:50:03 PM

Source: ncurses
X-Debbugs-CC: te...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ncurses.

CVE-2023-29491 was assigned to https://invisible-island.net/ncurses/NEWS.html#index-t20230408

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-29491
https://www.cve.org/CVERecord?id=CVE-2023-29491

Please adjust the affected versions in the BTS as needed.

Sven Joachim
Apr 15, 2023, 3:10:04 AM

On 2023-04-13 20:39 +0200, Moritz Mühlenhoff wrote:

> The following vulnerability was published for ncurses.
>
> CVE-2023-29491 was assigned to https://invisible-island.net/ncurses/NEWS.html#index-t20230408
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-29491
> https://www.cve.org/CVERecord?id=CVE-2023-29491

Security boundaries are only crossed for setuid/setgid programs here,
and we probably do not have many setuid binaries linked to libtinfo in
the distribution (on my system, I could not find any). So I guess you
probably do not want to issue a DSA here, right?

Gentoo users have noticed a few problems after upgrading to the 20230408
patchlevel[1,2,3], most notably output of openrc being completely
broken. While we do not have that particular problem because openrc in
Debian is built without ncurses support, I do not currently have an idea
which other packages might show misbehavior. So I am rather reluctant
to fix this bug before the bookworm release.

Cheers,
Sven


1. https://bugs.gentoo.org/904247
2. https://bugs.gentoo.org/904263
3. https://bugs.gentoo.org/904277

Thomas Dickey
Apr 15, 2023, 7:42:26 AM

On Sat, Apr 15, 2023 at 09:05:25AM +0200, Sven Joachim wrote:
> On 2023-04-13 20:39 +0200, Moritz Mühlenhoff wrote:
>
> > The following vulnerability was published for ncurses.
> >
> > CVE-2023-29491 was assigned to https://invisible-island.net/ncurses/NEWS.html#index-t20230408
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2023-29491
> > https://www.cve.org/CVERecord?id=CVE-2023-29491
>
> Security boundaries are only crossed for setuid/setgid programs here,
> and we probably do not have many setuid binaries linked to libtinfo in
> the distribution (on my system, I could not find any). So I guess you
> probably do not want to issue a DSA here, right?
>
> Gentoo users have noticed a few problems after upgrading to the 20230408
> patchlevel[1,2,3], most notably output of openrc being completely
> broken. While we do not have that particular problem because openrc in

It was already broken (the "(null)" strings come from its misuse of the
ncurses interface, which will require fixes in OpenRC). I'm not going
to provide a patch for OpenRC itself - any maintainer should be able to
do _that_.

Today I'll put out the fix for zero-parameter tsl, along with similar minor
improvements, and if nothing else surfaces, use that as the basis for the
security-patch.

> Debian is built without ncurses support, I do not currently have an idea
> which other packages might show misbehavior. So I am rather reluctant
> to fix this bug before the bookworm release.

Actually, the discussion there should be based on what the disclosure covers.
I'm addressing their concerns as well as I'm able.
--
Thomas E. Dickey <dic...@invisible-island.net>
https://invisible-island.net

Thomas Dickey
Apr 18, 2023, 8:33:18 PM

On Sat, Apr 15, 2023 at 07:27:45AM -0400, Thomas Dickey wrote:
> On Sat, Apr 15, 2023 at 09:05:25AM +0200, Sven Joachim wrote:
> > On 2023-04-13 20:39 +0200, Moritz Mühlenhoff wrote:
> >
> > > The following vulnerability was published for ncurses.
> > >
> > > CVE-2023-29491 was assigned to https://invisible-island.net/ncurses/NEWS.html#index-t20230408
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2023-29491
> > > https://www.cve.org/CVERecord?id=CVE-2023-29491
> >
> > Security boundaries are only crossed for setuid/setgid programs here,
> > and we probably do not have many setuid binaries linked to libtinfo in
> > the distribution (on my system, I could not find any). So I guess you
> > probably do not want to issue a DSA here, right?
> >
> > Gentoo users have noticed a few problems after upgrading to the 20230408
> > patchlevel[1,2,3], most notably output of openrc being completely
> > broken. While we do not have that particular problem because openrc in
>
> It was already broken (the "(null)" strings come from its misuse of the
> ncurses interface, which will require fixes in OpenRC). I'm not going
> to provide a patch for OpenRC itself - any maintainer should be able to
> do _that_.
>
> Today I'll put out the fix for zero-parameter tsl, along with similar minor
> improvements, and if nothing else surfaces, use that as the basis for the
> security-patch.

I had another fix, which works fine. Except of course for programs which
call tparm without actually reading from the terminal database, and don't
check error returns. I could digress...

...reflecting on all of this, the low-impact change would be to use the
--disable-root-environ configure option (possibly --disable-root-access
as well).

By the way, the issues that I've been addressing exist in other
implementations. Have a nice day.

Sven Joachim
Apr 23, 2023, 3:00:04 AM

On 2023-04-18 20:15 -0400, Thomas Dickey wrote:

> On Sat, Apr 15, 2023 at 07:27:45AM -0400, Thomas Dickey wrote:
>> On Sat, Apr 15, 2023 at 09:05:25AM +0200, Sven Joachim wrote:
>> >
>> > Security boundaries are only crossed for setuid/setgid programs here,
>> > and we probably do not have many setuid binaries linked to libtinfo in
>> > the distribution (on my system, I could not find any). So I guess you
>> > probably do not want to issue a DSA here, right?
>> >
>> > Gentoo users have noticed a few problems after upgrading to the 20230408
>> > patchlevel[1,2,3], most notably output of openrc being completely
>> > broken. While we do not have that particular problem because openrc in
>>
>> It was already broken (the "(null)" strings come from its misuse of the
>> ncurses interface, which will require fixes in OpenRC). I'm not going
>> to provide a patch for OpenRC itself - any maintainer should be able to
>> do _that_.
>>
>> Today I'll put out the fix for zero-parameter tsl, along with similar minor
>> improvements, and if nothing else surfaces, use that as the basis for the
>> security-patch.
>
> I had another fix, which works fine. Except of course for programs which
> call tparm without actually reading from the terminal database, and don't
> check error returns. I could digress...

I am happy to reveal the bugs in these non-conforming programs after
the bookworm release, but for now this is too intrusive. We are about
to release Debian 12 within the next two months.

> ...reflecting on all of this, the low-impact change would be to use the
> --disable-root-environ configure option (possibly --disable-root-access
> as well).

The --disable-root-environ option disables _all_ use of custom terminfo
files by the superuser. This has some side effects.

- At least one package FTBFS[1] because it runs TERMINFO=… tic under
fakeroot.

- Rescue mode in the non-graphical Debian installer is broken if
ncurses-term is not installed. The installer uses an obscure terminal
emulator called bogl-bterm which sets TERM=bterm, and if that terminfo
entry is not found on the target system, it copies it to a temporary
directory and sets TERMINFO accordingly before chrooting into the
target system.

- Emacs' term.el package sets TERM=eterm-color and TERMINFO to the
directory where Emacs ships this terminfo entry. If ncurses-term is
not installed, running programs as root is broken.

- The sysadmin can no longer use private terminfo files under
/root/.terminfo and has to install those into the system database
instead, where they affect everyone. This might not always be
desired.

It is because of such issues that I had proposed a new configure option
that only restricts programs running at elevated privileges[2].

Cheers,
Sven


1. https://bugs.debian.org/1034644
2. https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00004.html

Sven Joachim
May 1, 2023, 1:10:04 PM

Thomas was so kind to provide a new "--disable-setuid-environ" option in
the 20230423 patchlevel which does what I want. I had looked at
backporting this option, but as that would require changes to multiple
files, and the patches did not apply cleanly without taking some
additional changes from the previous patchlevel first, I decided on a
different route.

By removing two lines in the _nc_env_access() function, the existing
"--disable-root-environ" option becomes functionally equivalent to the
new "--disable-setuid-environ" option, allowing for a rather minimal
patch. In #1035351 I have asked for the release team's approval.

Cheers,
Sven
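The two configure options Sven contrasts above (--disable-root-environ refusing environment-supplied terminfo locations to the superuser entirely, --disable-setuid-environ restricting only processes running with elevated privileges) and the _nc_env_access() change described in his last message, modelled as an added C example. This is not ncurses' own _nc_env_access() code: the names env_access_allowed, resolve_terminfo_dir, struct creds and the policy enum are this example's inventions, the credentials for the three scenarios are constructed, and treating tic under fakeroot as a plain-root process (uid 0, euid 0) is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Model of the three build-time policies the thread discusses (this example's
 * own names and logic, not ncurses' _nc_env_access() source). */
enum environ_policy {
    ALLOW_ALL,               /* default: environment terminfo paths always honored */
    DISABLE_ROOT_ENVIRON,    /* --disable-root-environ: denied to the superuser
                                and to any setuid/setgid process */
    DISABLE_SETUID_ENVIRON   /* --disable-setuid-environ: denied only when the
                                process runs with elevated privileges */
};

/* Process credentials, passed explicitly so the policy can be exercised with
 * constructed values instead of calling getuid()/geteuid() on the host. */
struct creds {
    uid_t uid, euid;
    gid_t gid, egid;
};

/* True when real and effective ids differ, i.e. a setuid/setgid program. */
static bool is_elevated(const struct creds *c)
{
    return c->uid != c->euid || c->gid != c->egid;
}

/* Should environment-supplied terminfo locations (TERMINFO, TERMINFO_DIRS,
 * ~/.terminfo) be trusted for this process under the given policy? */
bool env_access_allowed(enum environ_policy policy, const struct creds *c)
{
    switch (policy) {
    case DISABLE_ROOT_ENVIRON:
        /* The superuser is refused outright, setuid or not. Drop this
         * check and the policy collapses into DISABLE_SETUID_ENVIRON,
         * which is the minimal-patch route Sven describes (assumption:
         * this mirrors the two removed lines). */
        if (c->uid == 0 || c->euid == 0)
            return false;
        return !is_elevated(c);
    case DISABLE_SETUID_ENVIRON:
        return !is_elevated(c);
    case ALLOW_ALL:
    default:
        return true;
    }
}

/* Choose where to look for terminal descriptions: the environment value only
 * when the policy allows it, otherwise the compiled-in system database. */
const char *resolve_terminfo_dir(enum environ_policy policy, const struct creds *c,
                                 const char *env_terminfo, const char *system_dir)
{
    if (env_terminfo != NULL && env_terminfo[0] != '\0' &&
        env_access_allowed(policy, c))
        return env_terminfo;
    return system_dir;
}

/* Stand-alone demo over the scenarios named in the thread (constructed ids). */
int main(void)
{
    const struct creds plain_root  = { 0, 0, 0, 0 };             /* root shell, or tic under fakeroot (assumed) */
    const struct creds setuid_root = { 1000, 0, 1000, 1000 };    /* setuid-root binary run by a user */
    const struct creds plain_user  = { 1000, 1000, 1000, 1000 };
    const struct {
        const char *name;
        const struct creds *who;
    } cases[] = {
        { "plain root", &plain_root },
        { "setuid root", &setuid_root },
        { "plain user", &plain_user },
    };
    const enum environ_policy policies[] = { ALLOW_ALL, DISABLE_ROOT_ENVIRON, DISABLE_SETUID_ENVIRON };
    const char *pnames[] = { "default", "--disable-root-environ", "--disable-setuid-environ" };

    for (size_t p = 0; p < 3; p++)
        for (size_t i = 0; i < 3; i++)
            printf("%-26s %-12s -> %s\n", pnames[p], cases[i].name,
                   resolve_terminfo_dir(policies[p], cases[i].who,
                                        "/tmp/private-terminfo", "/usr/share/terminfo"));
    return 0;
}
```

Compiled and run on its own, the table shows why the root-environ policy breaks the fakeroot tic build and the sysadmin's /root/.terminfo use (a plain-root process falls back to the system database) while the setuid-environ policy keeps both working and still refuses the setuid-root case, which is the only one where a caller-controlled TERMINFO crosses a privilege boundary.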