diff --git a/SOURCES/ncurses-cve-2023-29491.patch b/SOURCES/ncurses-cve-2023-29491.patch
new file mode 100644
index 0000000..a859f0e
--- /dev/null
+++ b/SOURCES/ncurses-cve-2023-29491.patch
@@ -0,0 +1,13 @@
+diff -up ncurses-6.2-20210508/ncurses/tinfo/read_entry.c.cve-2023-29491 ncurses-6.2-20210508/ncurses/tinfo/read_entry.c
+--- ncurses-6.2-20210508/ncurses/tinfo/read_entry.c.cve-2023-29491 2023-08-14 15:52:46.536461992 +0200
++++ ncurses-6.2-20210508/ncurses/tinfo/read_entry.c 2023-08-14 15:55:04.384426095 +0200
+@@ -308,6 +308,9 @@ _nc_read_termtype(TERMTYPE2 *ptr, char *
+ || bool_count < 0
+ || num_count < 0
+ || str_count < 0
++ || bool_count > BOOLCOUNT
++ || num_count > NUMCOUNT
++ || str_count > STRCOUNT
+ || str_size < 0) {
+ returnDB(TGETENT_NO);
+ }
diff --git a/SOURCES/ncurses-setuid.patch b/SOURCES/ncurses-setuid.patch
new file mode 100644
index 0000000..03436f6
--- /dev/null
+++ b/SOURCES/ncurses-setuid.patch
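Review bot: In the header check patched in `_nc_read_termtype`, `str_size` is still bounded only from below (`str_size < 0` is the last visible test), while the three counts now get both a lower and an upper bound. Whether `str_size` is capped further down cannot be seen here, because the function starts and continues outside the hunk; if it is not, this is the place to reject an oversized string table as well. The added lines also deserve a short comment such as `/* counts above the compiled-in table sizes are treated as a corrupt entry */`, since they turn an entry that declares more predefined capabilities than this build knows into a hard `TGETENT_NO`.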
@@ -0,0 +1,134 @@
+diff -up ncurses-6.2-20210508/configure.setuid ncurses-6.2-20210508/configure
+--- ncurses-6.2-20210508/configure.setuid 2021-05-02 02:35:51.000000000 +0200
++++ ncurses-6.2-20210508/configure 2023-08-21 14:22:48.925376959 +0200
+@@ -784,6 +784,7 @@ Fine-Tuning Your Configuration:
+ --enable-getcap-cache cache translated termcaps in ~/.terminfo
+ --disable-home-terminfo drop ~/.terminfo from terminfo search-path
+ --disable-root-environ restrict environment when running as root
++ --disable-setuid-environ restrict setuid use of ncurses environment variables
+ --enable-symlinks make tic use symbolic links not hard links
+ --enable-broken_linker compile with broken-linker support code
+ --enable-bsdpad recognize BSD-style prefix padding
+@@ -9224,6 +9225,20 @@ cat >>confdefs.h <<\EOF
+ #define USE_ROOT_ENVIRON 1
+ EOF
+
++# Check whether --enable-setuid-environ or --disable-setuid-environ was given.
++if test "${enable_setuid_environ+set}" = set; then
++ enableval="$enable_setuid_environ"
++ with_setuid_environ=$enableval
++else
++ with_setuid_environ=$with_root_environ
++fi;
++echo "$as_me:9942: result: $with_setuid_environ" >&5
++echo "${ECHO_T}$with_setuid_environ" >&6
++test "x$with_setuid_environ" = xyes &&
++cat >>confdefs.h <<\EOF
++#define USE_SETUID_ENVIRON 1
++EOF
++
+ ### Use option --enable-symlinks to make tic use symlinks, not hard links
+ ### to reduce storage requirements for the terminfo database.
+
+diff -up ncurses-6.2-20210508/ncurses/curses.priv.h.setuid ncurses-6.2-20210508/ncurses/curses.priv.h
+--- ncurses-6.2-20210508/ncurses/curses.priv.h.setuid 2021-04-04 00:12:56.000000000 +0200
++++ ncurses-6.2-20210508/ncurses/curses.priv.h 2023-08-21 14:22:48.925376959 +0200
+@@ -210,7 +210,7 @@ extern int errno;
+ * If desired, one can configure this, disabling environment variables that
+ * point to custom terminfo/termcap locations.
+ */
+-#ifdef USE_ROOT_ENVIRON
++#if defined(USE_ROOT_ENVIRON) && defined(USE_SETUID_ENVIRON)
+ #define use_terminfo_vars() 1
+ #else
+ #define use_terminfo_vars() _nc_env_access()
+diff -up ncurses-6.2-20210508/ncurses/tinfo/access.c.setuid ncurses-6.2-20210508/ncurses/tinfo/access.c
+--- ncurses-6.2-20210508/ncurses/tinfo/access.c.setuid 2020-08-29 18:22:03.000000000 +0200
++++ ncurses-6.2-20210508/ncurses/tinfo/access.c 2023-08-21 14:22:48.925376959 +0200
+@@ -37,6 +37,8 @@
+
+ #include
+
++#include
++
+ MODULE_ID("$Id: access.c,v 1.27 2020/08/29 16:22:03 juergen Exp $")
+
+ #define LOWERCASE(c) ((isalpha(UChar(c)) && isupper(UChar(c))) ? tolower(UChar(c)) : (c))
+@@ -169,7 +171,18 @@ _nc_is_file_path(const char *path)
+ return result;
+ }
+
+-#ifndef USE_ROOT_ENVIRON
++#define is_posix_elevated() \
++ (getuid() != geteuid() \
++ || getgid() != getegid())
++
++#define is_elevated() \
++ (getauxval(AT_SECURE) \
++ ? TRUE \
++ : (errno != ENOENT \
++ ? FALSE \
++ : is_posix_elevated()))
++
++#if !defined(USE_ROOT_ENVIRON) || !defined(USE_SETUID_ENVIRON)
+ /*
+ * Returns true if we allow application to use environment variables that are
+ * used for searching lists of directories, etc.
+@@ -177,15 +190,18 @@ _nc_is_file_path(const char *path)
+ NCURSES_EXPORT(int)
+ _nc_env_access(void)
+ {
+-#if HAVE_ISSETUGID
+- if (issetugid())
+- return FALSE;
+-#elif HAVE_GETEUID && HAVE_GETEGID
+- if (getuid() != geteuid()
+- || getgid() != getegid())
+- return FALSE;
++ int result = TRUE;
++
++#if !defined(USE_SETUID_ENVIRON)
++ if (is_elevated()) {
++ result = FALSE;
++ }
+ #endif
+- /* ...finally, disallow root */
+- return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID);
++#if !defined(USE_ROOT_ENVIRON)
++ if ((getuid() == ROOT_UID) || (geteuid() == ROOT_UID)) {
++ result = FALSE;
++ }
++#endif
++ return result;
+ }
+ #endif
+diff -up ncurses-6.2-20210508/ncurses/tinfo/comp_error.c.setuid ncurses-6.2-20210508/ncurses/tinfo/comp_error.c
+--- ncurses-6.2-20210508/ncurses/tinfo/comp_error.c.setuid 2023-08-21 14:27:08.268309417 +0200
++++ ncurses-6.2-20210508/ncurses/tinfo/comp_error.c 2023-08-21 14:33:13.716214256 +0200
+@@ -148,8 +148,8 @@ _nc_syserr_abort(const char *const fmt,
+ /* If we're debugging, try to show where the problem occurred - this
+ * will dump core.
+ */
+-#ifndef USE_ROOT_ENVIRON
+- if (getuid() != ROOT_UID)
++#if !defined(USE_ROOT_ENVIRON) || !defined(USE_SETUID_ENVIRON)
++ if (_nc_env_access())
+ #endif
+ abort();
+ #endif
+diff -up ncurses-6.2-20210508/ncurses/tinfo/write_entry.c.setuid ncurses-6.2-20210508/ncurses/tinfo/write_entry.c
+--- ncurses-6.2-20210508/ncurses/tinfo/write_entry.c.setuid 2020-08-29 18:22:03.000000000 +0200
++++ ncurses-6.2-20210508/ncurses/tinfo/write_entry.c 2023-08-21 14:32:22.738227530 +0200
+@@ -215,11 +215,7 @@ _nc_set_writedir(const char *dir)
+ const char *destination;
+ char actual[PATH_MAX];
+
+- if (dir == 0
+-#ifndef USE_ROOT_ENVIRON
+- && use_terminfo_vars()
+-#endif
+- )
++ if (dir == 0 && use_terminfo_vars())
+ dir = getenv("TERMINFO");
+
+ if (dir != 0)
diff --git a/SPECS/ncurses.spec b/SPECS/ncurses.spec
index dd03fb1..f6a1b87 100644
--- a/SPECS/ncurses.spec
+++ b/SPECS/ncurses.spec
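Review bot: The `is_elevated()` macro added in the access.c part calls `getauxval(AT_SECURE)` unconditionally and, when it returns 0, uses `errno != ENOENT` to decide that the process is not elevated, while the old `HAVE_ISSETUGID` / `HAVE_GETEUID && HAVE_GETEGID` branches of `_nc_env_access()` are removed without a visible replacement feature test. That is only sound on a libc whose `getauxval()` sets `ENOENT` for a missing entry; errno is not cleared before the call, so on a libc that returns 0 without touching errno the uid/gid comparison can be skipped and TERMINFO/HOME would be honoured in a setuid or setgid process. I would state the assumption beside the macro, e.g. `/* relies on getauxval() setting ENOENT when AT_SECURE is absent (glibc >= 2.19) */`, or make the fallback fail closed with `(getauxval(AT_SECURE) || is_posix_elevated())`. The header named on the added `#include` line is not legible in this rendering, so please confirm it is the one that declares `getauxval`.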
@@ -2,7 +2,7 @@ Summary: Ncurses support utilities Name: ncurses Version: 6.2 -Release: 8.%{revision}%{?dist} +Release: 10.%{revision}%{?dist} License: MIT URL: https://invisible-island.net/ncurses/ncurses.html Source0: https://invisible-mirror.net/archives/ncurses/current/ncurses-%{version}-%{revision}.tgz @@ -13,6 +13,8 @@ Patch8: ncurses-config.patch Patch9: ncurses-libs.patch Patch11: ncurses-urxvt.patch Patch12: ncurses-kbs.patch +Patch13: ncurses-cve-2023-29491.patch +Patch14: ncurses-setuid.patch BuildRequires: gcc gcc-c++ gpm-devel gnupg2 make pkgconfig Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -114,6 +116,8 @@ The ncurses-static package includes static libraries of the ncurses library. %patch9 -p1 -b .libs %patch11 -p1 -b .urxvt %patch12 -p1 -b .kbs +%patch13 -p1 -b .cve-2023-29491 +%patch14 -p1 -b .setuid for f in ANNOUNCE; do iconv -f iso8859-1 -t utf8 -o ${f}{_,} && @@ -127,6 +131,7 @@ common_options="\ --enable-overwrite \ --enable-pc-files \ --enable-xmc-glitch \ + --disable-setuid-environ \ --disable-stripping \ --disable-wattr-macros \ --with-cxx-shared \ @@ -281,6 +286,13 @@ xz NEWS %{_libdir}/lib*.a %changelog +* Mon Aug 21 2023 Miroslav Lichvar 6.2-10.20210508 +- ignore TERMINFO and HOME only if setuid/setgid/capability (#2211666) + +* Mon Aug 14 2023 Miroslav Lichvar 6.2-9.20210508 +- fix buffer overflow on terminfo with too many capabilities (CVE-2023-29491) +- ignore TERMINFO and HOME environment variables if running as root (#2211666) + * Mon Aug 09 2021 Mohan Boddu - 6.2-8.20210508 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688