bug-ncurses

Re: Limiting environment use for setuid/setgid programs only?


From: Thomas Dickey
Subject: Re: Limiting environment use for setuid/setgid programs only?
Date: Sat, 15 Apr 2023 10:10:18 -0400

On Sat, Apr 15, 2023 at 07:47:45AM -0400, Thomas Dickey wrote:
> On Sat, Apr 15, 2023 at 10:29:38AM +0200, Sven Joachim wrote:
> > The ramifications of CVE-2023-29491 can be limited by configuring
> > ncurses with --disable-root-environ.  However, this disables all use of
> > the ncurses environment variables by the superuser which has the
> > potential to break scripts and makefiles.
> > 
> > Would it be possible to add a new option that only limits environment
> > use for setuid/setgid programs, like the --disable-root-access behavior?
> 
> Sure, I suppose so (perhaps not today)

hmm - I see in

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29491

that it was updated sometime after I responded to the OpenRC bug report,
to provide a disclosure (no exploit?) limiting the scope to setuid programs.

That wasn't mentioned in the discussion last week (or accompanying analysis),
but I see that it would be relevant for the macOS case (where there are
more issues because Apple provides only ncurses 5.7).

I'll finish validating my changes for tparm, etc., and see about this detail.

-- 
Thomas E. Dickey <dickey@invisible-island.net>
https://invisible-island.net
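To make the trade-off in the thread concrete, here is an added example (not ncurses code, and not anything Sven Joachim or Thomas Dickey posted) that models how a library could decide whether to honour an environment override such as TERMINFO under the two policies being compared: the existing --disable-root-environ behaviour, modelled as ignoring the environment whenever the effective uid is 0 or the process is set-id, and the proposed setuid/setgid-only option, modelled as ignoring it only when real and effective ids differ. The policy names, the `env_is_trusted` and `choose_terminfo_dir` functions, and the baseline that trusts the environment unconditionally are assumptions for illustration; the real ncurses checks may differ in detail.

```c
/* Added example (not from ncurses): a model of the three environment-trust
 * policies discussed in the thread, with a pure decision function so the
 * logic can be exercised without a real setuid binary.
 * Build: cc -Wall -o envtrust envtrust.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

enum env_policy {
    POLICY_NONE,                 /* assumed baseline: always honour the environment */
    POLICY_DISABLE_ROOT_ENVIRON, /* model of --disable-root-environ: ignore for root, and for set-id */
    POLICY_SETUGID_ONLY          /* model of the proposed option: ignore only for set-id programs */
};

/* Returns 1 if environment overrides (e.g. TERMINFO) should be honoured for a
 * process with the given real/effective ids under the given policy, else 0. */
int env_is_trusted(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                   enum env_policy policy)
{
    int setugid = (ruid != euid) || (rgid != egid);

    switch (policy) {
    case POLICY_DISABLE_ROOT_ENVIRON:
        /* Superuser loses the environment entirely, even in plain root shells,
         * which is the "breaks scripts and makefiles" cost the thread mentions. */
        if (euid == 0)
            return 0;
        return !setugid;
    case POLICY_SETUGID_ONLY:
        /* Only a privilege boundary (set-id) disables the environment;
         * an ordinary root login session keeps it. */
        return !setugid;
    case POLICY_NONE:
    default:
        return 1;
    }
}

/* Pick the terminfo directory: the environment value if present and trusted,
 * otherwise the compiled-in default.  env_value may be NULL (unset). */
const char *choose_terminfo_dir(const char *env_value, int trusted,
                                const char *compiled_default)
{
    if (trusted && env_value != NULL && env_value[0] != '\0')
        return env_value;
    return compiled_default;
}

/* Evaluate the running process under a given policy. */
int current_process_trusts_env(enum env_policy policy)
{
    return env_is_trusted(getuid(), geteuid(), getgid(), getegid(), policy);
}

int main(void)
{
    /* Hypothetical compiled-in default; the real path is build-specific. */
    const char *compiled_default = "/usr/share/terminfo";
    const char *from_env = getenv("TERMINFO");
    const char *names[] = { "none", "disable-root-environ", "setugid-only" };
    enum env_policy p;

    for (p = POLICY_NONE; p <= POLICY_SETUGID_ONLY; p++) {
        int trusted = current_process_trusts_env(p);
        printf("policy=%-21s trusted=%d terminfo=%s\n", names[p], trusted,
               choose_terminfo_dir(from_env, trusted, compiled_default));
    }
    return 0;
}
```

Run it once as an unprivileged user with TERMINFO set and once under sudo: with the setugid-only policy the root session still honours TERMINFO, while the disable-root-environ model falls back to the compiled-in directory for root, which is exactly the difference the proposed option is meant to capture.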
