[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Limiting environment use for setuid/setgid programs only?

From: Thomas Dickey
Subject: Re: Limiting environment use for setuid/setgid programs only?
Date: Sat, 15 Apr 2023 10:10:18 -0400

On Sat, Apr 15, 2023 at 07:47:45AM -0400, Thomas Dickey wrote:
> On Sat, Apr 15, 2023 at 10:29:38AM +0200, Sven Joachim wrote:
> > The ramifications of CVE-2023-29491 can be limited by configuring
> > ncurses with --disable-root-environ.  However, this disables all use of
> > the ncurses environment variables by the superuser which has the
> > potential to break scripts and makefiles.
> > 
> > Would it be possible to add a new option that only limits environment
> > use for setuid/setgid programs, like the --disable-root-access behavior?
> Sure, I suppose so (perhaps not today)

hmm - I see in


that it was updated sometime after I responded to the OpenRC bug report,
to provide a disclosure (no exploit?) limiting the scope to setuid programs.

That wasn't mentioned in the discussion last week (or accompanying analysis),
but I see that it would be relevant for the macOS case (where there are
more issues because Apple provides only ncurses 5.7).

I'll finish validating my changes for tparm, etc., and see about this detail.

Thomas E. Dickey <dickey@invisible-island.net>

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]