* [PATCH] ncurses: Mitigate CVE-2023-29491
From: Marek Vasut @ 2023-10-09 16:31 UTC
To: steve, openembedded-core; +Cc: Marek Vasut, Alexandre Belloni, Richard Purdie

Configure with "--disable-root-environ" to disallow loading of
custom terminfo entries in setuid/setgid programs, mitigating the
impact of CVE-2023-29491.

This is taken from debian:
https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac

Signed-off-by: Marek Vasut <marex@denx.de>
---
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
---
meta/recipes-core/ncurses/ncurses.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
index 367f3b19f4..1bc07ec2d4 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -87,6 +87,7 @@ ncurses_configure() {
--enable-sigwinch \
--enable-pc-files \
--disable-rpath-hack \
+ --disable-root-environ \
${EXCONFIG_ARGS} \
--with-manpage-format=normal \
--without-manpage-renames \
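Review bot: the added `--disable-root-environ \` line sits ahead of `${EXCONFIG_ARGS} \`, so an opposite switch supplied through that variable would come later on the configure command line and take precedence, silently undoing the hardening. If the setting is meant to hold unconditionally, consider placing it after `${EXCONFIG_ARGS}`. The hunk also adds no recipe comment tying the flag to CVE-2023-29491, so the security rationale is recorded only in the commit message; a one-line comment above `ncurses_configure()` would keep it from being dropped in a later cleanup.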
--
2.40.1
* Re: [PATCH] ncurses: Mitigate CVE-2023-29491
From: Richard Purdie @ 2023-10-09 16:44 UTC
To: Marek Vasut, steve, openembedded-core; +Cc: Alexandre Belloni
On Mon, 2023-10-09 at 18:31 +0200, Marek Vasut wrote:
> Configure with "--disable-root-environ" to disallow loading of
> custom terminfo entries in setuid/setgid programs, mitigating the
> impact of CVE-2023-29491.
>
> This is taken from debian:
> https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac
>
> Signed-off-by: Marek Vasut <marex@denx.de>
> ---
> Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
> Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
> ---
> meta/recipes-core/ncurses/ncurses.inc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
> index 367f3b19f4..1bc07ec2d4 100644
> --- a/meta/recipes-core/ncurses/ncurses.inc
> +++ b/meta/recipes-core/ncurses/ncurses.inc
> @@ -87,6 +87,7 @@ ncurses_configure() {
> --enable-sigwinch \
> --enable-pc-files \
> --disable-rpath-hack \
> + --disable-root-environ \
> ${EXCONFIG_ARGS} \
> --with-manpage-format=normal \
> --without-manpage-renames \

Should the patch add a CVE_STATUS entry as well so the cve tooling can
tell we've mitigated this?

Cheers,

Richard
* RE: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
From: Marko, Peter @ 2023-10-09 16:51 UTC
To: richard.purdie@linuxfoundation.org, Marek Vasut
Cc: Alexandre Belloni, steve@sakoman.com,
openembedded-core@lists.openembedded.org
-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Richard Purdie via lists.openembedded.org
Sent: Monday, October 9, 2023 18:44
To: Marek Vasut <marex@denx.de>; steve@sakoman.com; openembedded-core@lists.openembedded.org
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
> On Mon, 2023-10-09 at 18:31 +0200, Marek Vasut wrote:
> > Configure with "--disable-root-environ" to disallow loading of custom
> > terminfo entries in setuid/setgid programs, mitigating the impact of
> > CVE-2023-29491.
> >
> > This is taken from debian:
> > https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b
> > 8780d51cd09bd5a08ac
> >
> > Signed-off-by: Marek Vasut <marex@denx.de>
> > ---
> > Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
> > Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
> > ---
> > meta/recipes-core/ncurses/ncurses.inc | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/meta/recipes-core/ncurses/ncurses.inc
> > b/meta/recipes-core/ncurses/ncurses.inc
> > index 367f3b19f4..1bc07ec2d4 100644
> > --- a/meta/recipes-core/ncurses/ncurses.inc
> > +++ b/meta/recipes-core/ncurses/ncurses.inc
> > @@ -87,6 +87,7 @@ ncurses_configure() {
> > --enable-sigwinch \
> > --enable-pc-files \
> > --disable-rpath-hack \
> > + --disable-root-environ \
> > ${EXCONFIG_ARGS} \
> > --with-manpage-format=normal \
> > --without-manpage-renames \
>
> Should the patch add a CVE_STATUS entry as well so the cve tooling can tell we've mitigated this?

ncurses 6.4 is not affected and not shown in CVE report, not sure why this is submitted for master.
Peter

>
> Cheers,
>
> Richard
* Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
From: Marek Vasut @ 2023-10-09 16:56 UTC
To: Marko, Peter, richard.purdie@linuxfoundation.org
Cc: Alexandre Belloni, steve@sakoman.com,
openembedded-core@lists.openembedded.org
On 10/9/23 18:51, Marko, Peter wrote:
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Richard Purdie via lists.openembedded.org
> Sent: Monday, October 9, 2023 18:44
> To: Marek Vasut <marex@denx.de>; steve@sakoman.com; openembedded-core@lists.openembedded.org
> Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
> Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
>
>> On Mon, 2023-10-09 at 18:31 +0200, Marek Vasut wrote:
>>> Configure with "--disable-root-environ" to disallow loading of custom
>>> terminfo entries in setuid/setgid programs, mitigating the impact of
>>> CVE-2023-29491.
>>>
>>> This is taken from debian:
>>> https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b
>>> 8780d51cd09bd5a08ac
>>>
>>> Signed-off-by: Marek Vasut <marex@denx.de>
>>> ---
>>> Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
>>> Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
>>> ---
>>> meta/recipes-core/ncurses/ncurses.inc | 1 +
>>> 1 file changed, 1 insertion(+)
>>>
>>> diff --git a/meta/recipes-core/ncurses/ncurses.inc
>>> b/meta/recipes-core/ncurses/ncurses.inc
>>> index 367f3b19f4..1bc07ec2d4 100644
>>> --- a/meta/recipes-core/ncurses/ncurses.inc
>>> +++ b/meta/recipes-core/ncurses/ncurses.inc
>>> @@ -87,6 +87,7 @@ ncurses_configure() {
>>> --enable-sigwinch \
>>> --enable-pc-files \
>>> --disable-rpath-hack \
>>> + --disable-root-environ \
>>> ${EXCONFIG_ARGS} \
>>> --with-manpage-format=normal \
>>> --without-manpage-renames \
>>
>> Should the patch add a CVE_STATUS entry as well so the cve tooling can tell we've mitigated this?
>
> ncurses 6.4 is not affected and not shown in CVE report, not sure why this is submitted for master.
> Peter

Just wanted to make sure the configuration is consistent across all the
releases.
* RE: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
From: Marko, Peter @ 2023-10-09 17:27 UTC
To: Marek Vasut, richard.purdie@linuxfoundation.org
Cc: Alexandre Belloni, steve@sakoman.com,
openembedded-core@lists.openembedded.org
-----Original Message-----
From: Marek Vasut <marex@denx.de>
Sent: Monday, October 9, 2023 18:57
To: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com>; richard.purdie@linuxfoundation.org
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>; steve@sakoman.com; openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
> On 10/9/23 18:51, Marko, Peter wrote:
> > -----Original Message-----
> > From: openembedded-core@lists.openembedded.org
> > <openembedded-core@lists.openembedded.org> On Behalf Of Richard Purdie
> > via lists.openembedded.org
> > Sent: Monday, October 9, 2023 18:44
> > To: Marek Vasut <marex@denx.de>; steve@sakoman.com;
> > openembedded-core@lists.openembedded.org
> > Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
> > Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
> >
> >> On Mon, 2023-10-09 at 18:31 +0200, Marek Vasut wrote:
> >>> Configure with "--disable-root-environ" to disallow loading of
> >>> custom terminfo entries in setuid/setgid programs, mitigating the
> >>> impact of CVE-2023-29491.
> >>>
> >>> This is taken from debian:
> >>> https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef03
> >>> 9b
> >>> 8780d51cd09bd5a08ac
> >>>
> >>> Signed-off-by: Marek Vasut <marex@denx.de>
> >>> ---
> >>> Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
> >>> Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
> >>> ---
> >>> meta/recipes-core/ncurses/ncurses.inc | 1 +
> >>> 1 file changed, 1 insertion(+)
> >>>
> >>> diff --git a/meta/recipes-core/ncurses/ncurses.inc
> >>> b/meta/recipes-core/ncurses/ncurses.inc
> >>> index 367f3b19f4..1bc07ec2d4 100644
> >>> --- a/meta/recipes-core/ncurses/ncurses.inc
> >>> +++ b/meta/recipes-core/ncurses/ncurses.inc
> >>> @@ -87,6 +87,7 @@ ncurses_configure() {
> >>> --enable-sigwinch \
> >>> --enable-pc-files \
> >>> --disable-rpath-hack \
> >>> + --disable-root-environ \
> >>> ${EXCONFIG_ARGS} \
> >>> --with-manpage-format=normal \
> >>> --without-manpage-renames \
> >>
> >> Should the patch add a CVE_STATUS entry as well so the cve tooling can tell we've mitigated this?
> >
> > ncurses 6.4 is not affected and not shown in CVE report, not sure why this is submitted for master.
> > Peter
>
> Just wanted to make sure the configuration is consistent across all the releases.

I think that the commit message should be changed.
It's misleading when it only says that it mitigates already fixed CVE.

Peter
* Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
From: Marek Vasut @ 2023-10-09 19:27 UTC
To: Marko, Peter, richard.purdie@linuxfoundation.org
Cc: Alexandre Belloni, steve@sakoman.com,
openembedded-core@lists.openembedded.org
On 10/9/23 19:27, Marko, Peter wrote:
> -----Original Message-----
> From: Marek Vasut <marex@denx.de>
> Sent: Monday, October 9, 2023 18:57
> To: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com>; richard.purdie@linuxfoundation.org
> Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>; steve@sakoman.com; openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
>
>> On 10/9/23 18:51, Marko, Peter wrote:
>>> -----Original Message-----
>>> From: openembedded-core@lists.openembedded.org
>>> <openembedded-core@lists.openembedded.org> On Behalf Of Richard Purdie
>>> via lists.openembedded.org
>>> Sent: Monday, October 9, 2023 18:44
>>> To: Marek Vasut <marex@denx.de>; steve@sakoman.com;
>>> openembedded-core@lists.openembedded.org
>>> Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
>>> Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
>>>
>>>> On Mon, 2023-10-09 at 18:31 +0200, Marek Vasut wrote:
>>>>> Configure with "--disable-root-environ" to disallow loading of
>>>>> custom terminfo entries in setuid/setgid programs, mitigating the
>>>>> impact of CVE-2023-29491.
>>>>>
>>>>> This is taken from debian:
>>>>> https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef03
>>>>> 9b
>>>>> 8780d51cd09bd5a08ac
>>>>>
>>>>> Signed-off-by: Marek Vasut <marex@denx.de>
>>>>> ---
>>>>> Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
>>>>> Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
>>>>> ---
>>>>> meta/recipes-core/ncurses/ncurses.inc | 1 +
>>>>> 1 file changed, 1 insertion(+)
>>>>>
>>>>> diff --git a/meta/recipes-core/ncurses/ncurses.inc
>>>>> b/meta/recipes-core/ncurses/ncurses.inc
>>>>> index 367f3b19f4..1bc07ec2d4 100644
>>>>> --- a/meta/recipes-core/ncurses/ncurses.inc
>>>>> +++ b/meta/recipes-core/ncurses/ncurses.inc
>>>>> @@ -87,6 +87,7 @@ ncurses_configure() {
>>>>> --enable-sigwinch \
>>>>> --enable-pc-files \
>>>>> --disable-rpath-hack \
>>>>> + --disable-root-environ \
>>>>> ${EXCONFIG_ARGS} \
>>>>> --with-manpage-format=normal \
>>>>> --without-manpage-renames \
>>>>
>>>> Should the patch add a CVE_STATUS entry as well so the cve tooling can tell we've mitigated this?
>>>
>>> ncurses 6.4 is not affected and not shown in CVE report, not sure why this is submitted for master.
>>> Peter
>>
>> Just wanted to make sure the configuration is consistent across all the releases.
>
> I think that the commit message should be changed.
> It's misleading when it only says that it mitigates already fixed CVE.

Will do, how does this sound:

"
ncurses: disallow loading of custom terminfo entries in
setuid/setgid programs

Configure with "--disable-root-environ" to disallow loading of
custom terminfo entries in setuid/setgid programs. This is related
to CVE-2023-29491, even though CVE-2023-29491 itself is fixed in
this OE release by a backport patch.

This is taken from debian:
https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac
"

?
* Re: [PATCH] ncurses: Mitigate CVE-2023-29491
From: Marek Vasut @ 2023-10-09 19:30 UTC
To: Richard Purdie, steve, openembedded-core; +Cc: Alexandre Belloni
On 10/9/23 18:44, Richard Purdie wrote:
> On Mon, 2023-10-09 at 18:31 +0200, Marek Vasut wrote:
>> Configure with "--disable-root-environ" to disallow loading of
>> custom terminfo entries in setuid/setgid programs, mitigating the
>> impact of CVE-2023-29491.
>>
>> This is taken from debian:
>> https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac
>>
>> Signed-off-by: Marek Vasut <marex@denx.de>
>> ---
>> Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
>> Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
>> ---
>> meta/recipes-core/ncurses/ncurses.inc | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
>> index 367f3b19f4..1bc07ec2d4 100644
>> --- a/meta/recipes-core/ncurses/ncurses.inc
>> +++ b/meta/recipes-core/ncurses/ncurses.inc
>> @@ -87,6 +87,7 @@ ncurses_configure() {
>> --enable-sigwinch \
>> --enable-pc-files \
>> --disable-rpath-hack \
>> + --disable-root-environ \
>> ${EXCONFIG_ARGS} \
>> --with-manpage-format=normal \
>> --without-manpage-renames \
>
> Should the patch add a CVE_STATUS entry as well so the cve tooling can
> tell we've mitigated this?

I think I will try to backport the actual fix for this CVE from
Kirkstone first.
* RE: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
From: Marko, Peter @ 2023-10-09 20:56 UTC
To: Marek Vasut, richard.purdie@linuxfoundation.org
Cc: Alexandre Belloni, steve@sakoman.com,
openembedded-core@lists.openembedded.org
-----Original Message-----
From: Marek Vasut <marex@denx.de>
Sent: Monday, October 9, 2023 21:28
To: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com>; richard.purdie@linuxfoundation.org
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>; steve@sakoman.com; openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
<snip>
> >>>>
> >>>> Should the patch add a CVE_STATUS entry as well so the cve tooling can tell we've mitigated this?
> >>>
> >>> ncurses 6.4 is not affected and not shown in CVE report, not sure why this is submitted for master.
> >>> Peter
> >>
> >> Just wanted to make sure the configuration is consistent across all the releases.
> >
> > I think that the commit message should be changed.
> > It's misleading when it only says that it mitigates already fixed CVE.
>
> Will do, how does this sound:
>
> "
> ncurses: disallow loading of custom terminfo entries in setuid/setgid programs
>
> Configure with "--disable-root-environ" to disallow loading of
> custom terminfo entries in setuid/setgid programs. This is related
> to CVE-2023-29491, even though CVE-2023-29491 itself is fixed in
> this OE release by a backport patch.
>
> This is taken from debian:
>
> https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac
Parent commit - https://salsa.debian.org/debian/ncurses/-/commit/93a383681e3da9f385536f9bc98266c5dd7e42cf
> "
>
> ?

The commit message seems to be fine now, but...

...looking at Debian, they first changed behavior of "--disable-root-environ" option via custom patch and only afterwards used it.
Since Yocto is not changing the behavior of this option, it is probably a wrong thing to enable it by default.
This would need a much deeper analysis imho, for all three branches where this is submitted.

Peter