Re: Limiting environment use for setuid/setgid programs only?
From: Thomas Dickey
Subject: Re: Limiting environment use for setuid/setgid programs only?
Date: Sat, 15 Apr 2023 20:04:16 -0400

On Sat, Apr 15, 2023 at 10:10:18AM -0400, Thomas Dickey wrote:
> On Sat, Apr 15, 2023 at 07:47:45AM -0400, Thomas Dickey wrote:
> > On Sat, Apr 15, 2023 at 10:29:38AM +0200, Sven Joachim wrote:
> > > The ramifications of CVE-2023-29491 can be limited by configuring
> > > ncurses with --disable-root-environ. However, this disables all use of
> > > the ncurses environment variables by the superuser which has the
> > > potential to break scripts and makefiles.
> > >
> > > Would it be possible to add a new option that only limits environment
> > > use for setuid/setgid programs, like the --disable-root-access behavior?
> >
> > Sure, I suppose so (perhaps not today)
>
> hmm - I see in
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29491
>
> that it was updated sometime after I responded to the OpenRC bug report,
> to provide a disclosure (no exploit?) limiting the scope to setuid programs.
>
> That wasn't mentioned in the discussion last week (or accompanying analysis),
> but I see that it would be relevant for the macOS case (where there are
> more issues because Apple provides only ncurses 5.7).
>
> I'll finish validating my changes for tparm, etc., and see about this detail.
still on my to-do's. For validating, I spent a chunk of time improving
one of the test programs so that I could exercise the tparm changes for
all of the available data.
--
Thomas E. Dickey <dickey@invisible-island.net>
https://invisible-island.net