Bug#1035351: [pre-approval] unblock: ncurses/6.4-3



Control: tags -1 moreinfo confirmed

On 2023-05-01 18:32:20 +0200, Sven Joachim wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> Tags: d-i
> X-Debbugs-Cc: ncurses@packages.debian.org, debian-boot@lists.debian.org
> Control: affects -1 + src:ncurses
> 
> I would like to address CVE-2023-29491[1] aka bug #1034372[2] in
> Bookworm.

Please go ahead and remove the moreinfo tag once the version is
available in unstable.

Cheers

> 
> [ Reason ]
> Various memory corruption bugs exist when loading specifically crafted
> terminfo database files.  This is a security problem in programs running
> with elevated privileges, as users are allowed to provide their own
> terminfo files under ${HOME}/.terminfo or via the TERMINFO or
> TERMINFO_DIRS environment variables.
> 
> Backporting the upstream fixes seems to be too risky this late in the
> release process, but via a configure option it is possible to prevent
> setuid/setgid programs from loading custom terminfo files supplied by
> the user, after which the bugs are no longer security relevant.
> 
> [ Impact ]
> Local users could try privilege escalations in setuid/setgid programs
> linked to the tinfo library.  How easily those can be achieved probably
> depends on the program.
> 
> [ Tests ]
> No automatic tests exist.  I have manually verified that programs can no
> longer use custom terminfo files if their effective UID or GID differs
> from the real one.  Also I have verified that the terminfo database in
> the ncurses-{base,term} packages is unchanged from 6.4-2.
> 
> [ Risks ]
> Users who are relying on their own terminfo files under
> ${HOME}/.terminfo can no longer use them in setuid/setgid programs and
> will have to work around that, e.g. by changing their TERM variable,
> using a different terminal emulator or asking their sysadmin for help.
> 
> On my systems I did not find any setuid binaries linked to the tinfo
> library, but some setgid games in the bsdgames package.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> I have slightly edited the debdiff to exclude spurious changes to the
> debian/lib{32,64}tinfo6.symbols files, as these are just symlinks to
> libtinfo6.symbols.  See devscripts bug #773762[3].
> 
> [ Other info ]
> Since ncurses produces udebs, I have CC'ed debian-boot and tagged the
> bug accordingly.  There should be no effect on the installer, as I would
> expect it to run all programs as root.
> 
> Thanks for consideration.
> 
> Cheers,
>        Sven
> 
> 
> 1. https://security-tracker.debian.org/tracker/CVE-2023-29491
> 2. https://bugs.debian.org/1034372
> 3. https://bugs.debian.org/773762
> 

> diff -Nru ncurses-6.4/debian/changelog ncurses-6.4/debian/changelog
> --- ncurses-6.4/debian/changelog	2023-01-25 21:21:49.000000000 +0100
> +++ ncurses-6.4/debian/changelog	2023-05-01 17:57:51.000000000 +0200
> @@ -1,3 +1,21 @@
> +ncurses (6.4-3) unstable; urgency=medium
> +
> +  * Configure with "--disable-root-environ" to disallow loading of
> +    custom terminfo entries in setuid/setgid programs, mitigating the
> +    impact of CVE-2023-29491 (see #1034372).
> +    - Update the symbols files for the newly exported symbol
> +      _nc_env_access.
> +    - New patch fix-configure-root-args-option.diff cherry-picked from
> +      the 20230415 patchlevel, fixing a copy/paste error which caused
> +      the "--disable-root-environ" configure option to pick up code
> +      meant to be used by the "--disable-root-args" option instead.
> +    - New patch debian-env-access.diff, changing the behavior of the
> +      "--disable-root-environ" configure option to not restrict programs
> +      run by the superuser, equivalent to the "--disable-setuid-environ"
> +      option introduced in the 20230423 patchlevel.
> +
> + -- Sven Joachim <svenjoac@gmx.de>  Mon, 01 May 2023 17:57:51 +0200
> +
>  ncurses (6.4-2) unstable; urgency=medium
> 
>    * Add Breaks against vim-common (<< 2:9.0.1000-2) to ncurses-base
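
Review bot: The third sub-bullet of the new entry names the option "--disable-root-args", but the patch it describes changes AC_ARG_ENABLE(root-environ, to AC_ARG_ENABLE(root-access, and its help string reads --disable-root-access. Suggest writing "--disable-root-access" here so the changelog matches the option the patch restores; the file name fix-configure-root-args-option.diff carries the same slip.
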
> diff -Nru ncurses-6.4/debian/libtinfo5.symbols ncurses-6.4/debian/libtinfo5.symbols
> --- ncurses-6.4/debian/libtinfo5.symbols	2023-01-22 17:54:52.000000000 +0100
> +++ ncurses-6.4/debian/libtinfo5.symbols	2023-05-01 11:36:38.000000000 +0200
> @@ -95,6 +95,7 @@
>   _nc_curr_col@NCURSES_TINFO_5.0.19991023 6
>   _nc_curr_line@NCURSES_TINFO_5.0.19991023 6
>   _nc_doalloc@NCURSES_TINFO_5.0.19991023 6
> + _nc_env_access@NCURSES_TINFO_5.2.20001021 6.4-3~
>   _nc_err_abort@NCURSES_TINFO_5.0.19991023 6
>   _nc_fallback@NCURSES_TINFO_5.0.19991023 6
>   _nc_find_entry@NCURSES_TINFO_5.0.19991023 6
> diff -Nru ncurses-6.4/debian/libtinfo6.symbols ncurses-6.4/debian/libtinfo6.symbols
> --- ncurses-6.4/debian/libtinfo6.symbols	2023-01-22 17:54:52.000000000 +0100
> +++ ncurses-6.4/debian/libtinfo6.symbols	2023-05-01 11:36:38.000000000 +0200
> @@ -94,6 +94,7 @@
>   _nc_curr_col@NCURSES6_TINFO_5.0.19991023 6
>   _nc_curr_line@NCURSES6_TINFO_5.0.19991023 6
>   _nc_doalloc@NCURSES6_TINFO_5.0.19991023 6
> + _nc_env_access@NCURSES6_TINFO_5.2.20001021 6.4-3~
>   _nc_err_abort@NCURSES6_TINFO_5.0.19991023 6
>   _nc_export_termtype2@NCURSES6_TINFO_6.1.20171230 6.1
>   _nc_fallback2@NCURSES6_TINFO_6.1.20171230 6.1
> diff -Nru ncurses-6.4/debian/patches/debian-env-access.diff ncurses-6.4/debian/patches/debian-env-access.diff
> --- ncurses-6.4/debian/patches/debian-env-access.diff	1970-01-01 01:00:00.000000000 +0100
> +++ ncurses-6.4/debian/patches/debian-env-access.diff	2023-05-01 11:31:44.000000000 +0200
> @@ -0,0 +1,27 @@
> +Author: Sven Joachim <svenjoac@gmx.de>
> +Description: Change the --disable-root-environ configure option behavior
> + By default, the --disable-root-environ option forbids program run by
> + the superuser to load custom terminfo entries.  This patch changes
> + that to only restrict programs running with elevated privileges,
> + matching the behavior of the --disable-setuid-environ option
> + introduced in the 20230423 upstream patchlevel.
> +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
> +Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
> +Forwarded: not-needed
> +Last-Update: 2023-05-01
> +
> +---
> + ncurses/tinfo/access.c |    2 --
> + 1 file changed, 2 deletions(-)
> +
> +--- a/ncurses/tinfo/access.c
> ++++ b/ncurses/tinfo/access.c
> +@@ -215,8 +215,6 @@ _nc_env_access(void)
> +
> +     if (is_elevated()) {
> + 	result = FALSE;
> +-    } else if ((getuid() == ROOT_UID) || (geteuid() == ROOT_UID)) {
> +-	result = FALSE;
> +     }
> +     return result;
> + }
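
Review bot: With the else-if branch removed, _nc_env_access() rests entirely on is_elevated(), whose body is outside this hunk, so the Description should state what that check compares (real versus effective UID and GID). A process whose real and effective UID are both ROOT_UID is no longer refused here; that is the stated goal for superuser sessions, but it also covers any privileged program that has equalised its IDs before the library is initialised, and the patch header should say so. Minor: "forbids program run by" in the Description should read "programs".
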
> diff -Nru ncurses-6.4/debian/patches/fix-configure-root-args-option.diff ncurses-6.4/debian/patches/fix-configure-root-args-option.diff
> --- ncurses-6.4/debian/patches/fix-configure-root-args-option.diff	1970-01-01 01:00:00.000000000 +0100
> +++ ncurses-6.4/debian/patches/fix-configure-root-args-option.diff	2023-05-01 11:31:04.000000000 +0200
> @@ -0,0 +1,24 @@
> +Author: Sven Joachim <svenjoac@gmx.de>
> +Description: Fix copy/paste error in configure.in
> + Fix the --disable-root-access and --disableroot-environ configure
> + options.  Due to a copy/paste error, the latter performs the actions
> + of the former, while the --disable-root-access option has no effect
> + at all.
> +Forwarded: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00003.html
> +Last-Update: 2023-05-01
> +
> +---
> + configure.in |    2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +--- a/configure.in
> ++++ b/configure.in
> +@@ -868,7 +868,7 @@ AC_MSG_RESULT($with_root_environ)
> + test "x$with_root_environ" = xyes && AC_DEFINE(USE_ROOT_ENVIRON,1,[Define to 1 if root is allowed to use ncurses environment])
> +
> + AC_MSG_CHECKING(if you want to permit setuid programs to access all files)
> +-AC_ARG_ENABLE(root-environ,
> ++AC_ARG_ENABLE(root-access,
> + 	[  --disable-root-access   restrict file-access when running setuid],
> + 	[with_root_access=$enableval],
> + 	[with_root_access=yes])
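
Review bot: The diffstat lists only configure.in, so this fix reaches the build only if configure is regenerated from it; otherwise the second AC_ARG_ENABLE(root-environ, stays in the generated script and --disable-root-environ keeps setting with_root_access as well. Please confirm the packaging regenerates configure, or carry the same one-line change there. In the Description, "--disableroot-environ" is missing a hyphen.
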
> diff -Nru ncurses-6.4/debian/patches/series ncurses-6.4/debian/patches/series
> --- ncurses-6.4/debian/patches/series	2023-01-22 18:31:25.000000000 +0100
> +++ ncurses-6.4/debian/patches/series	2023-05-01 11:31:44.000000000 +0200
> @@ -3,3 +3,5 @@
>  02-debian-xterm.diff
>  03-debian-ncursesconfig-omit-L.diff
>  fix_crash_on_very_long_tc-use_clause.diff
> +fix-configure-root-args-option.diff
> +debian-env-access.diff
> diff -Nru ncurses-6.4/debian/rules ncurses-6.4/debian/rules
> --- ncurses-6.4/debian/rules	2023-01-22 19:46:39.000000000 +0100
> +++ ncurses-6.4/debian/rules	2023-05-01 11:36:38.000000000 +0200
> @@ -148,6 +148,7 @@
>  		--without-progs \
>  		$(with_mouse) \
>  		--enable-symlinks \
> +		--disable-root-environ \
>  		--disable-termcap \
>  		--with-default-terminfo-dir=/etc/terminfo \
>  		--with-terminfo-dirs="/etc/terminfo:/lib/terminfo:/usr/share/terminfo" \
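
Review bot: The flag is added to a single configure argument list at line 148, while both libtinfo5.symbols and libtinfo6.symbols gain _nc_env_access and the request mentions udebs. Please confirm this argument list is shared by every library flavour the package builds, so that none of them is configured without --disable-root-environ.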


-- 
Sebastian Ramacher
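
The [ Reason ] and [ Tests ] paragraphs quoted above, as an added C example that is not part of the message or of ncurses: a model of which terminfo locations are consulted for a given process identity, with and without the branch that debian-env-access.diff deletes. The struct, enum and function names are hypothetical, the elevated check assumes the real-versus-effective comparison described under [ Tests ], and the search order is simplified.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed identities, passed in rather than read with getuid(). */
struct ids { unsigned ruid, euid, rgid, egid; };
enum policy { UPSTREAM_ROOT_ENVIRON, DEBIAN_6_4_3 };

/* Model of the _nc_env_access() decision in the quoted hunk. Assumption:
 * is_elevated() compares real and effective IDs, as [ Tests ] describes. */
bool env_access(const struct ids *p, enum policy pol)
{
    if (p->ruid != p->euid || p->rgid != p->egid)
        return false; /* setuid/setgid: refused under both policies */
    if (pol == UPSTREAM_ROOT_ENVIRON && (p->ruid == 0 || p->euid == 0))
        return false; /* branch deleted by debian-env-access.diff */
    return true;
}

static void append(char *out, size_t n, const char *a, const char *b)
{
    size_t len = strlen(out);
    if (len + 1 < n)
        snprintf(out + len, n - len, "%s%s", a, b);
}

/* Simplified search list (hypothetical helper): user-supplied locations
 * appear only when env_access() allows them. Returns how many were used. */
int search_list(const struct ids *p, enum policy pol, const char *terminfo,
                const char *home, const char *dirs, char *out, size_t n)
{
    int user = 0;
    out[0] = '\0';
    if (env_access(p, pol)) {
        if (terminfo) { append(out, n, terminfo, ":"); user++; }
        if (home)     { append(out, n, home, "/.terminfo:"); user++; }
        if (dirs)     { append(out, n, dirs, ":"); user++; }
    }
    /* --with-terminfo-dirs value from the debian/rules hunk */
    append(out, n, "/etc/terminfo:/lib/terminfo:/usr/share/terminfo", "");
    return user;
}

int main(void)
{
    struct ids game = { 1000, 1000, 1000, 60 }; /* constructed setgid case */
    char buf[256];
    search_list(&game, DEBIAN_6_4_3, "/tmp/ti", "/home/u", NULL, buf, sizeof buf);
    return puts(buf) == EOF;
}
```

For the setgid case in main() only the packaged directories are listed; an ordinary user or a root session under the Debian policy also gets the TERMINFO and ${HOME}/.terminfo entries.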