Re: Is there a small patch to fix the CVE-2023-29491?
From: Thomas Dickey
Subject: Re: Is there a small patch to fix the CVE-2023-29491?
Date: Wed, 19 Apr 2023 04:12:39 -0400
On Wed, Apr 19, 2023 at 06:18:14AM +0000, wanghaitao (G) via Bug reports for
ncurses, the GNU implementation of curses wrote:
> Dear Thomas Dickey,
>
> May I ask if there is a small patch specifically for fixing CVE-2023-29491?
hmm: "small patch" would be 1-2 lines. The code changes that I've made
can be extracted with a text editor in a few minutes, but (see below)
the CVE itself is best addressed by a longstanding configure option.
This is from a diff that I made against ncurses 6.4
(6.3 is a little more work):
include/nc_tparm.h | 1
ncurses/tinfo/lib_tgoto.c | 12 +++
ncurses/tinfo/lib_tparm.c | 150 ++++++++++++++++++++++++++++++++++++++++-----
ncurses/tinfo/read_entry.c | 3
progs/tic.c | 6 +
progs/tparm_type.c | 9 ++
progs/tparm_type.h | 2
progs/tput.c | 57 +++++++++++++++--
8 files changed, 219 insertions(+), 21 deletions(-)
> I found that you fixed this CVE in this patch you released on April 8th, but
> this patch contains other modifications as well.
> http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56
no... I'm pretty clear that I'm addressing the issues in the original report:
https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00007.html
Deciding what's appropriate for responding to a CVE is actually an issue
for packagers. In adding the original _issues_, I find that more than
one application using ncurses relies upon abusing the documented interfaces.
That tends to make (some) packagers uncomfortable, and look for just a
quick, non-intrusive fix.
> And I found that ncurses doesn't have a git repo, which means I can't find the
> commit that only fixes this CVE.
I've read that comment in more than one place, but as you can see by reading
the discussion here, you will realize that it is untrue:
https://lists.gnu.org/archive/html/bug-ncurses/2018-01/msg00054.html
but seriously, if you're unable to deal with patch/diffs, none of that helps.
There's no single commit for you to use, in any case: development doesn't
_work_ that way.
To address the CVE itself, read what it says:
https://nvd.nist.gov/vuln/detail/CVE-2023-29491
ncurses before 6.4 20230408, when used by a setuid application, allows
local users to trigger security-relevant memory corruption via
malformed data in a terminfo database file that is found in
$HOME/.terminfo or reached via the TERMINFO or TERM environment
variable.
so... to address that, disable the environment variables when running
in a setuid application. I added the configure option for that in 2000:
https://invisible-island.net/ncurses/NEWS.html#t20001007
+ add configure option --disable-root-environ, which tells ncurses to
disregard $TERMINFO and similar environment variables if the current
user is root, or running setuid/setgid (based on discussion with
several people).
The configure script's help-message is terse, but the INSTALL file in the
sources gives this information:
https://invisible-island.net/ncurses/INSTALL.html#option:disable-root-environ
--disable-root-environ
Compile with environment restriction, so certain environment variables
are not available when running as root, or via a setuid/setgid
application. These are (for example $TERMINFO) those that allow the
search path for the terminfo or termcap entry to be customized.
> A patch that contains docs and miscellaneous changes will make our maintenance
> work difficult. I found that the oss-security community has also noticed this
> issue.
> https://seclists.org/oss-sec/2023/q2/23
>
> So could you please provide a patch that only fixes this CVE? If so, I would
> be very grateful.
>
> Best regards,
>
> Wang Haitao
>
>
--
Thomas E. Dickey <dickey@invisible-island.net>
https://invisible-island.net
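As an added illustration of the restriction that the --disable-root-environ option describes, here is a small C program that is not ncurses code: the function names, the hypothetical search-list layout and the default directory are assumptions. It honours $TERMINFO and $HOME/.terminfo only when the process is neither root nor running with mismatched real/effective ids, and otherwise falls back to the compiled-in directory, which is the behaviour the INSTALL text above asks for.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical helper (not ncurses code): decide whether environment
 * variables that alter the terminfo search path may be honoured.
 * Returns 1 when trusted, 0 when running as root or setuid/setgid. */
int env_trusted(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    if (euid == 0)   return 0;   /* effective root */
    if (uid != euid) return 0;   /* setuid binary */
    if (gid != egid) return 0;   /* setgid binary */
    return 1;
}

/* Build a colon-separated terminfo search list into buf. Entries taken
 * from the environment ($TERMINFO, then $HOME/.terminfo) are added only
 * when trusted; the compiled-in default is always the last entry.
 * Returns buf for convenience. */
const char *terminfo_search_list(const char *env_terminfo, const char *env_home,
                                 int trusted, const char *default_dir,
                                 char *buf, size_t buflen)
{
    size_t used;

    buf[0] = '\0';
    if (trusted) {
        if (env_terminfo != NULL && env_terminfo[0] != '\0') {
            snprintf(buf, buflen, "%s:", env_terminfo);
        }
        if (env_home != NULL && env_home[0] != '\0') {
            used = strlen(buf);
            snprintf(buf + used, buflen - used, "%s/.terminfo:", env_home);
        }
    }
    used = strlen(buf);
    snprintf(buf + used, buflen - used, "%s", default_dir);
    return buf;
}

/* Wrapper that consults the real process ids. */
int process_env_trusted(void)
{
    return env_trusted(getuid(), geteuid(), getgid(), getegid());
}

int main(void)
{
    /* "/usr/share/terminfo" is an assumed compiled-in default. */
    char buf[1024];
    int trusted = process_env_trusted();

    terminfo_search_list(getenv("TERMINFO"), getenv("HOME"), trusted,
                         "/usr/share/terminfo", buf, sizeof buf);
    printf("environment trusted: %s\n", trusted ? "yes" : "no");
    printf("terminfo search list: %s\n", buf);
    return 0;
}
```

Run it once as an ordinary user and once under sudo: the second run reports the environment as untrusted and prints only the compiled-in directory, regardless of what $TERMINFO is set to.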