
Bug#1036811: bullseye-pu: package ncurses/6.2+20201114-2+deb11u2



Package: release.debian.org
Severity: normal
Tags: bullseye d-i
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ncurses@packages.debian.org, debian-boot@lists.debian.org
Control: affects -1 + src:ncurses

I would like to address CVE-2023-29491[1] aka bug #1034372[2] in
Bullseye.  The changes are the same as in version 6.4-3 (see
#1035351[3]), except that there is no need to patch configure.in this
time.

[ Reason ]
Various memory corruption bugs exist when loading specifically crafted
terminfo database files.  This is a security problem in programs running
with elevated privileges, as users are allowed to provide their own
terminfo files under ${HOME}/.terminfo or via the TERMINFO or
TERMINFO_DIRS environment variables.

Backporting the upstream fixes would be too intrusive (and has not been
attempted in Bookworm either), but via a configure option it is possible
to prevent setuid/setgid programs from loading custom terminfo files
supplied by the user, after which the bugs are no longer security
relevant.

[ Impact ]
Local users could try privilege escalations in setuid/setgid programs
linked to the tinfo library.  How easily those can be achieved probably
depends on the program.

[ Tests ]
No automatic tests exist.  I have manually verified that programs can no
longer use custom terminfo files if their effective UID or GID differs
from the real one.  Also I have verified that the terminfo database in
the ncurses-{base,term} packages is unchanged from 6.2+20201114-2+deb11u2.

[ Risks ]
Users who are relying on their own terminfo files under
${HOME}/.terminfo can no longer use them in setuid/setgid programs and
will have to work around that, e.g. by changing their TERM environment
variable, using a different terminal emulator or asking their sysadmin
for help.

On my systems I did not find any setuid binaries linked to the tinfo
library, but some setgid games in the bsdgames package.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

I have slightly edited the debdiff to exclude spurious changes to the
debian/lib{32,64}tinfo6.symbols files, as these are just symlinks to
libtinfo6.symbols.  See devscripts bug #773762[4].

[ Other info ]
Since ncurses produces a udeb I have CC'ed debian-boot and tagged the
bug accordingly.  The screen binary in the screen-udeb package is
actually affected by the change, as it is installed setgid utmp.  This
should not really matter though, since the terminfo files in the
di-utils-terminfo package are installed in the standard place under
/lib/terminfo.

Thanks for consideration.

Cheers,
       Sven


1. https://security-tracker.debian.org/tracker/CVE-2023-29491
2. https://bugs.debian.org/1034372
3. https://bugs.debian.org/1035351
4. https://bugs.debian.org/773762

diff -Nru ncurses-6.2+20201114/debian/changelog ncurses-6.2+20201114/debian/changelog
--- ncurses-6.2+20201114/debian/changelog	2023-02-08 20:16:03.000000000 +0100
+++ ncurses-6.2+20201114/debian/changelog	2023-05-26 20:31:08.000000000 +0200
@@ -1,3 +1,17 @@
+ncurses (6.2+20201114-2+deb11u2) bullseye; urgency=medium
+
+  * Configure with "--disable-root-environ" to disallow loading of
+    custom terminfo entries in setuid/setgid programs, mitigating the
+    impact of CVE-2023-29491 (see #1034372).
+    - Update the symbols files for the newly exported symbol
+      _nc_env_access.
+    - New patch debian-env-access.diff, changing the behavior of the
+      "--disable-root-environ" configure option to not restrict programs
+      run by the superuser, equivalent to the "--disable-setuid-environ"
+      option introduced in the 20230423 patchlevel.
+
+ -- Sven Joachim <svenjoac@gmx.de>  Fri, 26 May 2023 20:31:08 +0200
+
 ncurses (6.2+20201114-2+deb11u1) bullseye; urgency=medium
 
   * New patch CVE-2022-29458.diff: add a limit-check to guard against
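Review bot: the changelog records the configure switch but not its user-visible consequence spelled out under [Risks] in the cover letter (entries under ${HOME}/.terminfo or via TERMINFO/TERMINFO_DIRS are ignored by setuid/setgid programs); one more line here, or a debian/NEWS entry, saying that would let a user who suddenly gets an unknown-terminal error from a setgid game find the cause. The sub-item "Update the symbols files for the newly exported symbol _nc_env_access" could also say that the export is a side effect of the option now compiling that function in, which is what the symbols hunks below show.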
diff -Nru ncurses-6.2+20201114/debian/libtinfo5.symbols ncurses-6.2+20201114/debian/libtinfo5.symbols
--- ncurses-6.2+20201114/debian/libtinfo5.symbols	2021-01-01 10:31:15.000000000 +0100
+++ ncurses-6.2+20201114/debian/libtinfo5.symbols	2023-05-26 19:46:17.000000000 +0200
@@ -95,6 +95,7 @@
  _nc_curr_col@NCURSES_TINFO_5.0.19991023 6
  _nc_curr_line@NCURSES_TINFO_5.0.19991023 6
  _nc_doalloc@NCURSES_TINFO_5.0.19991023 6
+ _nc_env_access@NCURSES_TINFO_5.2.20001021 6.2+20201114-2+deb11u2~
  _nc_err_abort@NCURSES_TINFO_5.0.19991023 6
  _nc_fallback@NCURSES_TINFO_5.0.19991023 6
  _nc_find_entry@NCURSES_TINFO_5.0.19991023 6
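Review bot: the trailing `~` in `6.2+20201114-2+deb11u2~` is the right choice, so that a rebuild such as a backport still satisfies the generated dependency; nothing to change. The version node `NCURSES_TINFO_5.2.20001021` is consistent with `_nc_env_access` already existing in access.c (see the debian-env-access.diff hunk below) and only becoming compiled in, and hence exported, with `--disable-root-environ`. The libtinfo6 hunk mirrors this under the `NCURSES6_TINFO_` node, and the cover letter explains why lib32/lib64tinfo6.symbols carry no hunk (they are symlinks).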
diff -Nru ncurses-6.2+20201114/debian/libtinfo6.symbols ncurses-6.2+20201114/debian/libtinfo6.symbols
--- ncurses-6.2+20201114/debian/libtinfo6.symbols	2021-01-01 10:31:15.000000000 +0100
+++ ncurses-6.2+20201114/debian/libtinfo6.symbols	2023-05-26 19:46:17.000000000 +0200
@@ -94,6 +94,7 @@
  _nc_curr_col@NCURSES6_TINFO_5.0.19991023 6
  _nc_curr_line@NCURSES6_TINFO_5.0.19991023 6
  _nc_doalloc@NCURSES6_TINFO_5.0.19991023 6
+ _nc_env_access@NCURSES6_TINFO_5.2.20001021 6.2+20201114-2+deb11u2~
  _nc_err_abort@NCURSES6_TINFO_5.0.19991023 6
  _nc_export_termtype2@NCURSES6_TINFO_6.1.20171230 6.1
  _nc_fallback2@NCURSES6_TINFO_6.1.20171230 6.1
diff -Nru ncurses-6.2+20201114/debian/patches/debian-env-access.diff ncurses-6.2+20201114/debian/patches/debian-env-access.diff
--- ncurses-6.2+20201114/debian/patches/debian-env-access.diff	1970-01-01 01:00:00.000000000 +0100
+++ ncurses-6.2+20201114/debian/patches/debian-env-access.diff	2023-05-26 19:45:39.000000000 +0200
@@ -0,0 +1,27 @@
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Change the --disable-root-environ configure option behavior
+ By default, the --disable-root-environ option forbids program run by
+ the superuser to load custom terminfo entries.  This patch changes
+ that to only restrict programs running with elevated privileges,
+ matching the behavior of the --disable-setuid-environ option
+ introduced in the 20230423 upstream patchlevel.
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
+Forwarded: not-needed
+Last-Update: 2023-05-26
+
+---
+ ncurses/tinfo/access.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/ncurses/tinfo/access.c
++++ b/ncurses/tinfo/access.c
+@@ -185,7 +185,6 @@ _nc_env_access(void)
+ 	|| getgid() != getegid())
+ 	return FALSE;
+ #endif
+-    /* ...finally, disallow root */
+-    return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID);
++    return TRUE;
+ }
+ #endif
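Review bot: typo in the DEP-3 description, `forbids program run by` should read `forbids programs run by`. Otherwise the hunk does what the description says: the `#if`-guarded comparison of real and effective UID/GID is kept, and only the trailing root test is replaced by `return TRUE;`, so a process whose real and effective IDs differ is refused user-supplied terminfo locations while a plain root shell keeps them. That matches the changelog's claim of equivalence with upstream's `--disable-setuid-environ`, which is why `Forwarded: not-needed` is justified.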
diff -Nru ncurses-6.2+20201114/debian/patches/series ncurses-6.2+20201114/debian/patches/series
--- ncurses-6.2+20201114/debian/patches/series	2023-01-28 12:16:18.000000000 +0100
+++ ncurses-6.2+20201114/debian/patches/series	2023-05-26 19:45:13.000000000 +0200
@@ -6,3 +6,4 @@
 03-debian-ncursesconfig-omit-L.diff
 CVE-2022-29458.diff
 fix_crash_on_very_long_tc-use_clause.diff
+debian-env-access.diff
diff -Nru ncurses-6.2+20201114/debian/rules ncurses-6.2+20201114/debian/rules
--- ncurses-6.2+20201114/debian/rules	2021-01-01 10:31:15.000000000 +0100
+++ ncurses-6.2+20201114/debian/rules	2023-05-26 19:46:17.000000000 +0200
@@ -141,6 +141,7 @@
 		--without-progs \
 		$(with_mouse) \
 		--enable-symlinks \
+		--disable-root-environ \
 		--disable-termcap \
 		--with-default-terminfo-dir=/etc/terminfo \
 		--with-terminfo-dirs="/etc/terminfo:/lib/terminfo:/usr/share/terminfo" \
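Review bot: `--disable-root-environ` is added to a single configure invocation; since the cover letter says both the libtinfo5 and libtinfo6 symbols files changed and the udeb's screen binary is affected, please confirm this is the block shared by every build flavour (libtinfo5, the 32/64-bit variants and the udeb), otherwise one flavour would ship without the mitigation. The `--with-terminfo-dirs` context line directly below is also why the d-i case is harmless: /lib/terminfo stays in the compiled-in search path regardless of the environment.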
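The privilege check that the [Reason] paragraph and the access.c hunk describe, written out as an added C example (this is illustrative code, not ncurses' own implementation and not part of the submitted debdiff). The function names env_access_policy, env_access_now and choose_terminfo_dirs are hypothetical; ROOT_UID (0) and the system directory list come from the page. The policy is parameterised on the IDs so both variants can be exercised without running an actual setuid/setgid binary: restrict_root=true models upstream's --disable-root-environ, restrict_root=false models the behaviour after debian-env-access.diff.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* ROOT_UID as referenced by ncurses' access.c; 0 on every Unix. */
#define ROOT_UID 0

/* Compiled-in search path, taken from --with-terminfo-dirs in debian/rules. */
#define SYSTEM_TERMINFO_DIRS "/etc/terminfo:/lib/terminfo:/usr/share/terminfo"

/*
 * Hypothetical policy function (not ncurses' _nc_env_access itself).
 * Returns true when locations the user controls (HOME/.terminfo, TERMINFO,
 * TERMINFO_DIRS) may be honoured for terminfo lookups.
 */
bool env_access_policy(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                       bool restrict_root)
{
    /* Real and effective IDs disagree: the program runs setuid or setgid,
     * so a user-supplied terminfo file could reach privileged code. */
    if (ruid != euid || rgid != egid)
        return false;

    /* Upstream --disable-root-environ additionally refuses root outright. */
    if (restrict_root)
        return ruid != ROOT_UID && euid != ROOT_UID;

    /* Debian's debian-env-access.diff stops here: an unprivileged-looking
     * root process keeps access, matching --disable-setuid-environ. */
    return true;
}

/* Live wrapper: the decision a process would make at startup. */
bool env_access_now(bool restrict_root)
{
    return env_access_policy(getuid(), geteuid(), getgid(), getegid(),
                             restrict_root);
}

/*
 * Hypothetical consumer: pick the directory list to search.  The environment
 * value is passed in (rather than read here) so the choice is testable.
 */
const char *choose_terminfo_dirs(const char *env_terminfo_dirs, bool env_allowed)
{
    if (env_allowed && env_terminfo_dirs != NULL && env_terminfo_dirs[0] != '\0')
        return env_terminfo_dirs;
    return SYSTEM_TERMINFO_DIRS;
}

int main(void)
{
    bool allowed = env_access_now(false);   /* Debian variant */
    const char *dirs = choose_terminfo_dirs(getenv("TERMINFO_DIRS"), allowed);
    printf("uid %u/%u gid %u/%u -> custom terminfo %s; searching %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid(),
           allowed ? "allowed" : "refused", dirs);
    return 0;
}
```

Run from an ordinary shell the wrapper reports "allowed" under both variants; the difference only shows for a root shell (refused upstream, allowed with the Debian patch) and for any setuid/setgid binary (refused in both), which is exactly the manual check the [Tests] section describes.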
