Bug#1035351: [pre-approval] unblock: ncurses/6.4-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Tags: d-i
X-Debbugs-Cc: ncurses@packages.debian.org, debian-boot@lists.debian.org
Control: affects -1 + src:ncurses
I would like to address CVE-2023-29491[1] aka bug #1034372[2] in
Bookworm.
[ Reason ]
Various memory corruption bugs exist when loading specifically crafted
terminfo database files. This is a security problem in programs running
with elevated privileges, as users are allowed to provide their own
terminfo files under ${HOME}/.terminfo or via the TERMINFO or
TERMINFO_DIRS environment variables.
Backporting the upstream fixes seems to be too risky this late in the
release process, but via a configure option it is possible to prevent
setuid/setgid programs from loading custom terminfo files supplied by
the user, after which the bugs are no longer security relevant.
[ Impact ]
Local users could try privilege escalations in setuid/setgid programs
linked to the tinfo library. How easily those can be achieved probably
depends on the program.
[ Tests ]
No automatic tests exist. I have manually verified that programs can no
longer use custom terminfo files if their effective UID or GID differs
from the real one. Also I have verified that the terminfo database in
the ncurses-{base,term} packages is unchanged from 6.4-2.
[ Risks ]
Users who are relying on their own terminfo files under
${HOME}/.terminfo can no longer use them in setuid/setgid programs and
will have to work around that, e.g. by changing their TERM variable,
using a different terminal emulator or asking their sysadmin for help.
On my systems I did not find any setuid binaries linked to the tinfo
library, but some setgid games in the bsdgames package.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
I have slightly edited the debdiff to exclude spurious changes to the
debian/lib{32,64}tinfo6.symbols files, as these are just symlinks to
libtinfo6.symbols. See devscripts bug #773762[3].
[ Other info ]
Since ncurses produces udebs, I have CC'ed debian-boot and tagged the
bug accordingly. There should be no effect on the installer, as I would
expect it to run all programs as root.
Thanks for consideration.
Cheers,
Sven
1. https://security-tracker.debian.org/tracker/CVE-2023-29491
2. https://bugs.debian.org/1034372
3. https://bugs.debian.org/773762
diff -Nru ncurses-6.4/debian/changelog ncurses-6.4/debian/changelog
--- ncurses-6.4/debian/changelog 2023-01-25 21:21:49.000000000 +0100
+++ ncurses-6.4/debian/changelog 2023-05-01 17:57:51.000000000 +0200
@@ -1,3 +1,21 @@
+ncurses (6.4-3) unstable; urgency=medium
+
+ * Configure with "--disable-root-environ" to disallow loading of
+ custom terminfo entries in setuid/setgid programs, mitigating the
+ impact of CVE-2023-29491 (see #1034372).
+ - Update the symbols files for the newly exported symbol
+ _nc_env_access.
+ - New patch fix-configure-root-args-option.diff cherry-picked from
+ the 20230415 patchlevel, fixing a copy/paste error which caused
+ the "--disable-root-environ" configure option to pick up code
+ meant to be used by the "--disable-root-args" option instead.
+ - New patch debian-env-access.diff, changing the behavior of the
+ "--disable-root-environ" configure option to not restrict programs
+ run by the superuser, equivalent to the "--disable-setuid-environ"
+ option introduced in the 20230423 patchlevel.
+
+ -- Sven Joachim <svenjoac@gmx.de> Mon, 01 May 2023 17:57:51 +0200
+
ncurses (6.4-2) unstable; urgency=medium
* Add Breaks against vim-common (<< 2:9.0.1000-2) to ncurses-base
diff -Nru ncurses-6.4/debian/libtinfo5.symbols ncurses-6.4/debian/libtinfo5.symbols
--- ncurses-6.4/debian/libtinfo5.symbols 2023-01-22 17:54:52.000000000 +0100
+++ ncurses-6.4/debian/libtinfo5.symbols 2023-05-01 11:36:38.000000000 +0200
@@ -95,6 +95,7 @@
_nc_curr_col@NCURSES_TINFO_5.0.19991023 6
_nc_curr_line@NCURSES_TINFO_5.0.19991023 6
_nc_doalloc@NCURSES_TINFO_5.0.19991023 6
+ _nc_env_access@NCURSES_TINFO_5.2.20001021 6.4-3~
_nc_err_abort@NCURSES_TINFO_5.0.19991023 6
_nc_fallback@NCURSES_TINFO_5.0.19991023 6
_nc_find_entry@NCURSES_TINFO_5.0.19991023 6
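Review bot: the `6.4-3~` minimal-version annotation is the right choice for a symbol that upstream has carried under the NCURSES_TINFO_5.2.20001021 version node since 2000 but that no earlier Debian build exported (it is only compiled in once USE_ROOT_ENVIRON is no longer defined); the trailing tilde lets backports of this revision satisfy the dependency. Since this is the ABI-5 file, the change also implies that `--disable-root-environ` reaches the libtinfo5 build and not only libtinfo6; dpkg-gensymbols will complain if a listed symbol is missing from the built library, so it is worth confirming the flag sits in the configure option block shared by both builds.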
diff -Nru ncurses-6.4/debian/libtinfo6.symbols ncurses-6.4/debian/libtinfo6.symbols
--- ncurses-6.4/debian/libtinfo6.symbols 2023-01-22 17:54:52.000000000 +0100
+++ ncurses-6.4/debian/libtinfo6.symbols 2023-05-01 11:36:38.000000000 +0200
@@ -94,6 +94,7 @@
_nc_curr_col@NCURSES6_TINFO_5.0.19991023 6
_nc_curr_line@NCURSES6_TINFO_5.0.19991023 6
_nc_doalloc@NCURSES6_TINFO_5.0.19991023 6
+ _nc_env_access@NCURSES6_TINFO_5.2.20001021 6.4-3~
_nc_err_abort@NCURSES6_TINFO_5.0.19991023 6
_nc_export_termtype2@NCURSES6_TINFO_6.1.20171230 6.1
_nc_fallback2@NCURSES6_TINFO_6.1.20171230 6.1
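Review bot: same annotation as in libtinfo5.symbols, which is consistent. `_nc_env_access` is an `_nc_`-prefixed internal helper, so nothing outside ncurses should be linking against it and the new export is harmless to the public ABI; the entry just needs the symbol to be present in every build that produces a libtinfo6 from this tree, otherwise the symbols check fails for that flavour.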
diff -Nru ncurses-6.4/debian/patches/debian-env-access.diff ncurses-6.4/debian/patches/debian-env-access.diff
--- ncurses-6.4/debian/patches/debian-env-access.diff 1970-01-01 01:00:00.000000000 +0100
+++ ncurses-6.4/debian/patches/debian-env-access.diff 2023-05-01 11:31:44.000000000 +0200
@@ -0,0 +1,27 @@
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Change the --disable-root-environ configure option behavior
+ By default, the --disable-root-environ option forbids program run by
+ the superuser to load custom terminfo entries. This patch changes
+ that to only restrict programs running with elevated privileges,
+ matching the behavior of the --disable-setuid-environ option
+ introduced in the 20230423 upstream patchlevel.
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
+Forwarded: not-needed
+Last-Update: 2023-05-01
+
+---
+ ncurses/tinfo/access.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/ncurses/tinfo/access.c
++++ b/ncurses/tinfo/access.c
+@@ -215,8 +215,6 @@ _nc_env_access(void)
+
+ if (is_elevated()) {
+ result = FALSE;
+- } else if ((getuid() == ROOT_UID) || (geteuid() == ROOT_UID)) {
+- result = FALSE;
+ }
+ return result;
+ }
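Review bot: with the root clause removed, is_elevated() becomes the only gate in _nc_env_access(), and that helper is outside the hunk; confirm it compares real against effective uid and gid (or uses issetugid() where available), since the [Tests] section claims restriction whenever the effective UID or GID differs from the real one. One consequence worth a sentence in the Description: a setuid program that has temporarily dropped to its real uid with seteuid(getuid()) has uid == euid, so it passes this check and will honour $HOME/.terminfo, TERMINFO and TERMINFO_DIRS again even though it can regain privileges through its saved set-user-ID; such programs must not call setupterm() in that state. Minor: in the Description header, "forbids program run by the superuser" should read "programs".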
diff -Nru ncurses-6.4/debian/patches/fix-configure-root-args-option.diff ncurses-6.4/debian/patches/fix-configure-root-args-option.diff
--- ncurses-6.4/debian/patches/fix-configure-root-args-option.diff 1970-01-01 01:00:00.000000000 +0100
+++ ncurses-6.4/debian/patches/fix-configure-root-args-option.diff 2023-05-01 11:31:04.000000000 +0200
@@ -0,0 +1,24 @@
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Fix copy/paste error in configure.in
+ Fix the --disable-root-access and --disableroot-environ configure
+ options. Due to a copy/paste error, the latter performs the actions
+ of the former, while the --disable-root-access option has no effect
+ at all.
+Forwarded: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00003.html
+Last-Update: 2023-05-01
+
+---
+ configure.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/configure.in
++++ b/configure.in
+@@ -868,7 +868,7 @@ AC_MSG_RESULT($with_root_environ)
+ test "x$with_root_environ" = xyes && AC_DEFINE(USE_ROOT_ENVIRON,1,[Define to 1 if root is allowed to use ncurses environment])
+
+ AC_MSG_CHECKING(if you want to permit setuid programs to access all files)
+-AC_ARG_ENABLE(root-environ,
++AC_ARG_ENABLE(root-access,
+ [ --disable-root-access restrict file-access when running setuid],
+ [with_root_access=$enableval],
+ [with_root_access=yes])
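Review bot: this patch only touches configure.in, so it is effective only if the build regenerates configure from it. If the packaging uses the configure script shipped in the upstream tarball, the duplicated `AC_ARG_ENABLE(root-environ,` is still there, and `--disable-root-environ` from debian/rules would set both with_root_environ=no and with_root_access=no, i.e. also restrict file access in setuid programs (a behaviour change that is not what the changelog advertises), while --disable-root-access would remain unreachable. Either state in the changelog that configure is regenerated (autoconf run) or patch configure as well. Also, the Description has a typo: "--disableroot-environ" should be "--disable-root-environ".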
diff -Nru ncurses-6.4/debian/patches/series ncurses-6.4/debian/patches/series
--- ncurses-6.4/debian/patches/series 2023-01-22 18:31:25.000000000 +0100
+++ ncurses-6.4/debian/patches/series 2023-05-01 11:31:44.000000000 +0200
@@ -3,3 +3,5 @@
02-debian-xterm.diff
03-debian-ncursesconfig-omit-L.diff
fix_crash_on_very_long_tc-use_clause.diff
+fix-configure-root-args-option.diff
+debian-env-access.diff
diff -Nru ncurses-6.4/debian/rules ncurses-6.4/debian/rules
--- ncurses-6.4/debian/rules 2023-01-22 19:46:39.000000000 +0100
+++ ncurses-6.4/debian/rules 2023-05-01 11:36:38.000000000 +0200
@@ -148,6 +148,7 @@
--without-progs \
$(with_mouse) \
--enable-symlinks \
+ --disable-root-environ \
--disable-termcap \
--with-default-terminfo-dir=/etc/terminfo \
--with-terminfo-dirs="/etc/terminfo:/lib/terminfo:/usr/share/terminfo" \
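Review bot: `--disable-root-environ` is added to a single configure invocation (the block containing `--without-progs`); the symbols changes for both libtinfo5 and libtinfo6 only hold if this is the option block shared by every libtinfo build, including the udeb, so confirm it is not one flavour's private list. Since the udeb is built with the same options, the installer gets the restricted behaviour too; as the [Other info] note says, this is harmless only because debian-env-access.diff leaves root-run (non-elevated) programs unrestricted, which is worth stating next to the flag in a comment so the dependency between the two changes survives future edits of this file.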
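The access policy the debdiff above puts in place, as an added example (not ncurses or Debian code): the two functions model `_nc_env_access()` before and after debian-env-access.diff, with the process IDs passed in explicitly so the cases from the report (ordinary user, root's own shell, a setuid-root program, a setgid game such as those in bsdgames) can be compared side by side. `is_elevated_ids()` is an assumption modelled on what upstream's `is_elevated()` does where `issetugid()` is unavailable, and `scrub_terminfo_env_if_elevated()` is a hypothetical helper showing how a privileged program linked against a libtinfo built without this mitigation can defend itself before calling `setupterm()`.

```c
/* Added example, not ncurses or Debian code: models the terminfo
 * environment-access decision before and after debian-env-access.diff. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define ROOT_UID 0

struct ids {
    uid_t uid, euid;
    gid_t gid, egid;
};

/* Assumption: mirrors upstream's is_elevated() on platforms without
 * issetugid(): the process is elevated when the real and effective
 * uid or gid disagree (setuid or setgid binary, or seteuid() games). */
static bool is_elevated_ids(const struct ids *p)
{
    return p->uid != p->euid || p->gid != p->egid;
}

/* Upstream --disable-root-environ before the Debian patch: elevated
 * processes AND anything running as root lose $HOME/.terminfo,
 * TERMINFO and TERMINFO_DIRS. */
bool env_access_upstream(const struct ids *p)
{
    if (is_elevated_ids(p))
        return false;
    if (p->uid == ROOT_UID || p->euid == ROOT_UID)
        return false;
    return true;
}

/* Debian 6.4-3 behaviour (the root clause removed): only elevated
 * processes are restricted; root's own shell keeps custom entries,
 * which is why the installer (everything run as root) is unaffected. */
bool env_access_debian(const struct ids *p)
{
    return !is_elevated_ids(p);
}

/* Hypothetical helper for a setuid/setgid program whose libtinfo was
 * NOT built with --disable-root-environ: drop the variables that steer
 * terminfo lookup to user-controlled files before setupterm() runs.
 * HOME is cleared too because the $HOME/.terminfo fallback cannot be
 * disabled from the environment any other way; call this before any
 * code in the program that itself depends on HOME.
 * Returns true when the environment was scrubbed. */
bool scrub_terminfo_env_if_elevated(void)
{
    struct ids me = { getuid(), geteuid(), getgid(), getegid() };
    if (env_access_debian(&me))
        return false;            /* not elevated: nothing to do */
    unsetenv("TERMINFO");
    unsetenv("TERMINFO_DIRS");
    unsetenv("HOME");
    return true;
}

int main(void)
{
    struct ids me = { getuid(), geteuid(), getgid(), getegid() };
    printf("uid %u/%u gid %u/%u: upstream=%s debian=%s\n",
           (unsigned) me.uid, (unsigned) me.euid,
           (unsigned) me.gid, (unsigned) me.egid,
           env_access_upstream(&me) ? "allow" : "deny",
           env_access_debian(&me) ? "allow" : "deny");
    return 0;
}
```

Running the binary as an ordinary user prints allow/allow; run by root it prints deny/allow, which is exactly the difference the Debian patch introduces. Installing it setgid to some group and running it as a member of another group prints deny/deny, the bsdgames case from the [Risks] section.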