Re: Is there a small patch to fix the CVE-2023-29491?

From: Thomas Dickey
Subject: Re: Is there a small patch to fix the CVE-2023-29491?
Date: Wed, 19 Apr 2023 04:12:39 -0400

On Wed, Apr 19, 2023 at 06:18:14AM +0000, wanghaitao (G) via Bug reports for 
ncurses, the GNU implementation of curses wrote:
> Dear Thomas Dickey,
> May I ask if there is a small patch specifically for fixing CVE-2023-29491? 

hmm: "small patch" would be 1-2 lines.  The code changes that I've made
can be extracted with a text editor in a few minutes, but (see below)
the CVE itself is best addressed by a longstanding configure option.

This is from a diff that I made against ncurses 6.4
(6.3 is a little more work):

 include/nc_tparm.h         |    1 
 ncurses/tinfo/lib_tgoto.c  |   12 +++
 ncurses/tinfo/lib_tparm.c  |  150 ++++++++++++++++++++++++++++++++++++++++-----
 ncurses/tinfo/read_entry.c |    3 
 progs/tic.c                |    6 +
 progs/tparm_type.c         |    9 ++
 progs/tparm_type.h         |    2 
 progs/tput.c               |   57 +++++++++++++++--
 8 files changed, 219 insertions(+), 21 deletions(-)

> I found that you fixed this CVE in this patch you released on April 8th, but 
> this patch contains other modifications as well.
> http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56

no... I'm pretty clear that I'm addressing the issues in the original report:


Deciding what's appropriate for responding to a CVE is actually an issue
for packagers.  In adding the original _issues_, I find that more than
one application using ncurses relies upon abusing the documented interfaces.
That tends to make (some) packagers uncomfortable, and look for just a
quick, non-intrusive fix.

> And I found that ncurses doesn't have a git repo, which means I can't find the 
> commit that only fixes this CVE.

I've read that comment in more than one place, but if you read the
discussion here, you will realize that it is untrue:


but seriously, if you're unable to deal with patch/diffs, none of that helps.

There's no single commit for you to use, in any case: development doesn't
_work_ that way.

To address the CVE itself, read what it says:


        ncurses before 6.4 20230408, when used by a setuid application, allows
        local users to trigger security-relevant memory corruption via
        malformed data in a terminfo database file that is found in
        $HOME/.terminfo or reached via the TERMINFO or TERM environment

so... to address that, disable the environment variables when running
in a setuid application.  I added the configure option for that in 2000:


        + add configure option --disable-root-environ, which tells ncurses to
          disregard $TERMINFO and similar environment variables if the current
          user is root, or running setuid/setgid (based on discussion with
          several people).

The configure script's help-message is terse, but the INSTALL file in the
sources gives this information:


          Compile with environment restriction, so certain environment variables
          are not available when running as root, or via a setuid/setgid
          application.  These are (for example $TERMINFO) those that allow the
          search path for the terminfo or termcap entry to be customized.

> A patch that contains docs and miscellaneous changes will make our maintenance 
> work difficult. I found that the oss-security community has also noticed this 
> issue.
> https://seclists.org/oss-sec/2023/q2/23
> So could you please provide a patch that only fixes this CVE? If so, I would 
> be very grateful.
> Best regards,
> Wang Haitao

Thomas E. Dickey <dickey@invisible-island.net>
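
The policy described above for --disable-root-environ, sketched in C as an added example (not ncurses source and not part of the original message), for a setuid program that scrubs its own environment before initializing curses. The function names and the variable list beyond TERMINFO are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* setenv/unsetenv under strict -std */
#endif
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* TERMINFO is named in the thread; the other three are assumed here to be
 * the "similar" variables that customize the terminfo/termcap search path. */
static const char *const path_vars[] = {
    "TERMINFO", "TERMINFO_DIRS", "TERMCAP", "TERMPATH"
};
#define N_PATH_VARS (sizeof(path_vars) / sizeof(path_vars[0]))

/* 1 when the environment must not be trusted: running as root, or the real
 * and effective ids differ (setuid/setgid). */
int env_restricted(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == 0 || euid == 0 || ruid != euid || rgid != egid;
}

/* getenv() that hides the search-path variables in a restricted context. */
const char *guarded_getenv(const char *name, int restricted)
{
    for (size_t i = 0; restricted && i < N_PATH_VARS; i++)
        if (strcmp(name, path_vars[i]) == 0)
            return NULL;
    return getenv(name);
}

/* Unset the variables so code that runs later never sees them.
 * Returns how many were removed. */
int scrub_path_vars(int restricted)
{
    int removed = 0;
    for (size_t i = 0; restricted && i < N_PATH_VARS; i++)
        if (getenv(path_vars[i]) != NULL && unsetenv(path_vars[i]) == 0)
            removed++;
    return removed;
}

int main(void)
{
    int r = env_restricted(getuid(), geteuid(), getgid(), getegid());
    scrub_path_vars(r);   /* do this before initscr() or setupterm() */
    return 0;
}
```

The sketch does not cover $HOME/.terminfo, which the CVE text also names; that lookup happens inside the library and is left to the configure option.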
