Bug#1035351: [pre-approval] unblock: ncurses/6.4-3
Control: tags -1 moreinfo confirmed
On 2023-05-01 18:32:20 +0200, Sven Joachim wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> Tags: d-i
> X-Debbugs-Cc: ncurses@packages.debian.org, debian-boot@lists.debian.org
> Control: affects -1 + src:ncurses
>
> I would like to address CVE-2023-29491[1] aka bug #1034372[2] in
> Bookworm.
Please go ahead and remove the moreinfo tag once the version is
available in unstable.
Cheers
>
> [ Reason ]
> Various memory corruption bugs exist when loading specifically crafted
> terminfo database files. This is a security problem in programs running
> with elevated privileges, as users are allowed to provide their own
> terminfo files under ${HOME}/.terminfo or via the TERMINFO or
> TERMINFO_DIRS environment variables.
>
> Backporting the upstream fixes seems to be too risky this late in the
> release process, but via a configure option it is possible to prevent
> setuid/setgid programs from loading custom terminfo files supplied by
> the user, after which the bugs are no longer security relevant.
>
> [ Impact ]
> Local users could try privilege escalations in setuid/setgid programs
> linked to the tinfo library. How easily those can be achieved probably
> depends on the program.
>
> [ Tests ]
> No automatic tests exist. I have manually verified that programs can no
> longer use custom terminfo files if their effective UID or GID differs
> from the real one. Also I have verified that the terminfo database in
> the ncurses-{base,term} packages is unchanged from 6.4-2.
>
> [ Risks ]
> Users who are relying on their own terminfo files under
> ${HOME}/.terminfo can no longer use them in setuid/setgid programs and
> will have to work around that, e.g. by changing their TERM variable,
> using a different terminal emulator or asking their sysadmin for help.
>
> On my systems I did not find any setuid binaries linked to the tinfo
> library, but some setgid games in the bsdgames package.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> I have slightly edited the debdiff to exclude spurious changes to the
> debian/lib{32,64}tinfo6.symbols files, as these are just symlinks to
> libtinfo6.symbols. See devscripts bug #773762[3].
>
> [ Other info ]
> Since ncurses produces udebs, I have CC'ed debian-boot and tagged the
> bug accordingly. There should be no effect on the installer, as I would
> expect it to run all programs as root.
>
> Thanks for consideration.
>
> Cheers,
> Sven
>
>
> 1. https://security-tracker.debian.org/tracker/CVE-2023-29491
> 2. https://bugs.debian.org/1034372
> 3. https://bugs.debian.org/773762
>
> diff -Nru ncurses-6.4/debian/changelog ncurses-6.4/debian/changelog
> --- ncurses-6.4/debian/changelog 2023-01-25 21:21:49.000000000 +0100
> +++ ncurses-6.4/debian/changelog 2023-05-01 17:57:51.000000000 +0200
> @@ -1,3 +1,21 @@
> +ncurses (6.4-3) unstable; urgency=medium
> +
> + * Configure with "--disable-root-environ" to disallow loading of
> + custom terminfo entries in setuid/setgid programs, mitigating the
> + impact of CVE-2023-29491 (see #1034372).
> + - Update the symbols files for the newly exported symbol
> + _nc_env_access.
> + - New patch fix-configure-root-args-option.diff cherry-picked from
> + the 20230415 patchlevel, fixing a copy/paste error which caused
> + the "--disable-root-environ" configure option to pick up code
> + meant to be used by the "--disable-root-args" option instead.
> + - New patch debian-env-access.diff, changing the behavior of the
> + "--disable-root-environ" configure option to not restrict programs
> + run by the superuser, equivalent to the "--disable-setuid-environ"
> + option introduced in the 20230423 patchlevel.
> +
> + -- Sven Joachim <svenjoac@gmx.de> Mon, 01 May 2023 17:57:51 +0200
> +
> ncurses (6.4-2) unstable; urgency=medium
>
> * Add Breaks against vim-common (<< 2:9.0.1000-2) to ncurses-base
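Review bot: the sub-item for fix-configure-root-args-option.diff names the second option "--disable-root-args", but the configure.in hunk later in this debdiff shows that option as --disable-root-access (AC_ARG_ENABLE(root-access, ...)). Suggest writing "--disable-root-access" in the changelog so the entry matches the code it describes.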
> diff -Nru ncurses-6.4/debian/libtinfo5.symbols ncurses-6.4/debian/libtinfo5.symbols
> --- ncurses-6.4/debian/libtinfo5.symbols 2023-01-22 17:54:52.000000000 +0100
> +++ ncurses-6.4/debian/libtinfo5.symbols 2023-05-01 11:36:38.000000000 +0200
> @@ -95,6 +95,7 @@
> _nc_curr_col@NCURSES_TINFO_5.0.19991023 6
> _nc_curr_line@NCURSES_TINFO_5.0.19991023 6
> _nc_doalloc@NCURSES_TINFO_5.0.19991023 6
> + _nc_env_access@NCURSES_TINFO_5.2.20001021 6.4-3~
> _nc_err_abort@NCURSES_TINFO_5.0.19991023 6
> _nc_fallback@NCURSES_TINFO_5.0.19991023 6
> _nc_find_entry@NCURSES_TINFO_5.0.19991023 6
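Review bot: the added line exports _nc_env_access, an _nc_-prefixed internal symbol, with minimum version 6.4-3~, and per the changelog it became exported as a result of configuring with --disable-root-environ. That ties the exported symbol set to a configure switch, so dropping or replacing the switch later would remove a symbol listed here. Worth recording that dependency in the changelog entry or next to the configure flag; the same applies to the matching line in libtinfo6.symbols.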
> diff -Nru ncurses-6.4/debian/libtinfo6.symbols ncurses-6.4/debian/libtinfo6.symbols
> --- ncurses-6.4/debian/libtinfo6.symbols 2023-01-22 17:54:52.000000000 +0100
> +++ ncurses-6.4/debian/libtinfo6.symbols 2023-05-01 11:36:38.000000000 +0200
> @@ -94,6 +94,7 @@
> _nc_curr_col@NCURSES6_TINFO_5.0.19991023 6
> _nc_curr_line@NCURSES6_TINFO_5.0.19991023 6
> _nc_doalloc@NCURSES6_TINFO_5.0.19991023 6
> + _nc_env_access@NCURSES6_TINFO_5.2.20001021 6.4-3~
> _nc_err_abort@NCURSES6_TINFO_5.0.19991023 6
> _nc_export_termtype2@NCURSES6_TINFO_6.1.20171230 6.1
> _nc_fallback2@NCURSES6_TINFO_6.1.20171230 6.1
> diff -Nru ncurses-6.4/debian/patches/debian-env-access.diff ncurses-6.4/debian/patches/debian-env-access.diff
> --- ncurses-6.4/debian/patches/debian-env-access.diff 1970-01-01 01:00:00.000000000 +0100
> +++ ncurses-6.4/debian/patches/debian-env-access.diff 2023-05-01 11:31:44.000000000 +0200
> @@ -0,0 +1,27 @@
> +Author: Sven Joachim <svenjoac@gmx.de>
> +Description: Change the --disable-root-environ configure option behavior
> + By default, the --disable-root-environ option forbids program run by
> + the superuser to load custom terminfo entries. This patch changes
> + that to only restrict programs running with elevated privileges,
> + matching the behavior of the --disable-setuid-environ option
> + introduced in the 20230423 upstream patchlevel.
> +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
> +Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
> +Forwarded: not-needed
> +Last-Update: 2023-05-01
> +
> +---
> + ncurses/tinfo/access.c | 2 --
> + 1 file changed, 2 deletions(-)
> +
> +--- a/ncurses/tinfo/access.c
> ++++ b/ncurses/tinfo/access.c
> +@@ -215,8 +215,6 @@ _nc_env_access(void)
> +
> + if (is_elevated()) {
> + result = FALSE;
> +- } else if ((getuid() == ROOT_UID) || (geteuid() == ROOT_UID)) {
> +- result = FALSE;
> + }
> + return result;
> + }
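Review bot: with the else-if branch removed, is_elevated() is the only condition in this hunk that sets result to FALSE, and its body is not part of the patch context. The Description should state what is_elevated() compares (the request text says effective UID or GID differing from the real one) so that the setgid case is verifiably covered, and should say explicitly that a process whose real and effective UID are both root will again honour TERMINFO, TERMINFO_DIRS and ${HOME}/.terminfo, a path on which the memory corruption bugs are not fixed by this upload. Minor: "forbids program run by" should read "forbids programs run by".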
> diff -Nru ncurses-6.4/debian/patches/fix-configure-root-args-option.diff ncurses-6.4/debian/patches/fix-configure-root-args-option.diff
> --- ncurses-6.4/debian/patches/fix-configure-root-args-option.diff 1970-01-01 01:00:00.000000000 +0100
> +++ ncurses-6.4/debian/patches/fix-configure-root-args-option.diff 2023-05-01 11:31:04.000000000 +0200
> @@ -0,0 +1,24 @@
> +Author: Sven Joachim <svenjoac@gmx.de>
> +Description: Fix copy/paste error in configure.in
> + Fix the --disable-root-access and --disableroot-environ configure
> + options. Due to a copy/paste error, the latter performs the actions
> + of the former, while the --disable-root-access option has no effect
> + at all.
> +Forwarded: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00003.html
> +Last-Update: 2023-05-01
> +
> +---
> + configure.in | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +--- a/configure.in
> ++++ b/configure.in
> +@@ -868,7 +868,7 @@ AC_MSG_RESULT($with_root_environ)
> + test "x$with_root_environ" = xyes && AC_DEFINE(USE_ROOT_ENVIRON,1,[Define to 1 if root is allowed to use ncurses environment])
> +
> + AC_MSG_CHECKING(if you want to permit setuid programs to access all files)
> +-AC_ARG_ENABLE(root-environ,
> ++AC_ARG_ENABLE(root-access,
> + [ --disable-root-access restrict file-access when running setuid],
> + [with_root_access=$enableval],
> + [with_root_access=yes])
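Review bot: the diffstat lists configure.in as the only file changed, so this fix reaches the built library only if the package build regenerates configure from configure.in, and nothing in this debdiff shows that step. Please confirm it in the Description or include the corresponding change to the generated configure; otherwise --disable-root-environ would keep performing the actions meant for --disable-root-access. Also, "--disableroot-environ" in the Description is missing a hyphen, and the patch file name says root-args while the option in the hunk is root-access.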
> diff -Nru ncurses-6.4/debian/patches/series ncurses-6.4/debian/patches/series
> --- ncurses-6.4/debian/patches/series 2023-01-22 18:31:25.000000000 +0100
> +++ ncurses-6.4/debian/patches/series 2023-05-01 11:31:44.000000000 +0200
> @@ -3,3 +3,5 @@
> 02-debian-xterm.diff
> 03-debian-ncursesconfig-omit-L.diff
> fix_crash_on_very_long_tc-use_clause.diff
> +fix-configure-root-args-option.diff
> +debian-env-access.diff
> diff -Nru ncurses-6.4/debian/rules ncurses-6.4/debian/rules
> --- ncurses-6.4/debian/rules 2023-01-22 19:46:39.000000000 +0100
> +++ ncurses-6.4/debian/rules 2023-05-01 11:36:38.000000000 +0200
> @@ -148,6 +148,7 @@
> --without-progs \
> $(with_mouse) \
> --enable-symlinks \
> + --disable-root-environ \
> --disable-termcap \
> --with-default-terminfo-dir=/etc/terminfo \
> --with-terminfo-dirs="/etc/terminfo:/lib/terminfo:/usr/share/terminfo" \
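Review bot: the added --disable-root-environ flag carries no explanation, and with debian-env-access.diff applied its effect differs from what the option name suggests: root is not restricted, only setuid/setgid programs are. Suggest a comment above the configure invocation that names CVE-2023-29491 and #1034372, states the dependency on debian-env-access.diff, and notes that the flag should be replaced by --disable-setuid-environ once a patchlevel of 20230423 or later is packaged.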
--
Sebastian Ramacher
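
The gate described in the [ Reason ] and [ Tests ] sections above, as an added C example that is not ncurses source and not part of the debdiff. It is a simplified model: the names creds, root_policy, env_access_allowed and search_dirs are hypothetical, and "elevated" is assumed to mean that the effective UID or GID differs from the real one.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Credentials are passed in so the policy can be tested without a setuid binary. */
struct creds { uid_t ruid, euid; gid_t rgid, egid; };
enum root_policy { ROOT_RESTRICTED, ROOT_UNRESTRICTED };

/* ROOT_RESTRICTED keeps the extra root check that debian-env-access.diff
 * removes; ROOT_UNRESTRICTED models the patched behaviour. */
static bool env_access_allowed(const struct creds *c, enum root_policy p)
{
    /* Assumption: "elevated" = effective UID or GID differs from the real one. */
    if (c->ruid != c->euid || c->rgid != c->egid)
        return false;
    return !(p == ROOT_RESTRICTED && (c->ruid == 0 || c->euid == 0));
}

/* User-controlled sources (TERMINFO, $HOME/.terminfo, TERMINFO_DIRS) are
 * used only when the gate allows it; the system list is always appended. */
static size_t search_dirs(const struct creds *c, enum root_policy p,
                          const char *user_src[], size_t n_user,
                          const char *system_dirs, const char *out[], size_t max)
{
    size_t n = 0;
    if (env_access_allowed(c, p))
        for (size_t i = 0; i < n_user && n + 1 < max; i++)
            if (user_src[i] != NULL && user_src[i][0] != '\0')
                out[n++] = user_src[i];
    if (n < max)
        out[n++] = system_dirs;
    return n;
}

int main(void)
{
    /* Print the list this process would search under the patched policy. */
    struct creds me = { getuid(), geteuid(), getgid(), getegid() };
    const char *user_src[] = { getenv("TERMINFO"), getenv("TERMINFO_DIRS") };
    const char *out[3];
    size_t n = search_dirs(&me, ROOT_UNRESTRICTED, user_src, 2,
        "/etc/terminfo:/lib/terminfo:/usr/share/terminfo", out, 3);
    for (size_t i = 0; i < n; i++)
        puts(out[i]);
    return 0;
}
```
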