Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Tags: d-i
X-Debbugs-Cc: ncur...@packages.debian.org, debian-boot@lists.debian.org
Control: affects -1 + src:ncurses
I would like to address CVE-2023-29491[1] aka bug #1034372[2] in
Bookworm.
[ Reason ]
Various memory corruption bugs exist when loading specifically crafted
terminfo database files. This is a security problem in programs running
with elevated privileges, as users are allowed to provide their own
terminfo files under ${HOME}/.terminfo or via the TERMINFO or
TERMINFO_DIRS environment variables.
Backporting the upstream fixes seems to be too risky this late in the
release process, but via a configure option it is possible to prevent
setuid/setgid programs from loading custom terminfo files supplied by
the user, after which the bugs are no longer security relevant.
[ Impact ]
Local users could try privilege escalations in setuid/setgid programs
linked to the tinfo library. How easily those can be achieved probably
depends on the program.
[ Tests ]
No automatic tests exist. I have manually verified that programs can no
longer use custom terminfo files if their effective UID or GID differs
from the real one. Also I have verified that the terminfo database in
the ncurses-{base,term} packages is unchanged from 6.4-2.
[ Risks ]
Users who are relying on their own terminfo files under
${HOME}/.terminfo can no longer use them in setuid/setgid programs and
will have to work around that, e.g. by changing their TERM variable,
using a different terminal emulator or asking their sysadmin for help.
On my systems I did not find any setuid binaries linked to the tinfo
library, but some setgid games in the bsdgames package.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
I have slightly edited the debdiff to exclude spurious changes to the
debian/lib{32,64}tinfo6.symbols files, as these are just symlinks to
libtinfo6.symbols. See devscripts bug #773762[3].
[ Other info ]
Since ncurses produces udebs, I have CC'ed debian-boot and tagged the
bug accordingly. There should be no effect on the installer, as I would
expect it to run all programs as root.
Thanks for consideration.
Cheers,
Sven
1. https://security-tracker.debian.org/tracker/CVE-2023-29491
2. https://bugs.debian.org/1034372
3. https://bugs.debian.org/773762
diff -Nru ncurses-6.4/debian/changelog ncurses-6.4/debian/changelog
--- ncurses-6.4/debian/changelog 2023-01-25 21:21:49.000000000 +0100
+++ ncurses-6.4/debian/changelog 2023-05-01 17:57:51.000000000 +0200
@@ -1,3 +1,21 @@
+ncurses (6.4-3) unstable; urgency=medium
+
+ * Configure with "--disable-root-environ" to disallow loading of
+ custom terminfo entries in setuid/setgid programs, mitigating the
+ impact of CVE-2023-29491 (see #1034372).
+ - Update the symbols files for the newly exported symbol
+ _nc_env_access.
+ - New patch fix-configure-root-args-option.diff cherry-picked from
+ the 20230415 patchlevel, fixing a copy/paste error which caused
+ the "--disable-root-environ" configure option to pick up code
+ meant to be used by the "--disable-root-args" option instead.
+ - New patch debian-env-access.diff, changing the behavior of the
+ "--disable-root-environ" configure option to not restrict programs
+ run by the superuser, equivalent to the "--disable-setuid-environ"
+ option introduced in the 20230423 patchlevel.
+
+ -- Sven Joachim <svenj...@gmx.de> Mon, 01 May 2023 17:57:51 +0200
+
ncurses (6.4-2) unstable; urgency=medium
* Add Breaks against vim-common (<< 2:9.0.1000-2) to ncurses-base
diff -Nru ncurses-6.4/debian/libtinfo5.symbols ncurses-6.4/debian/libtinfo5.symbols
--- ncurses-6.4/debian/libtinfo5.symbols 2023-01-22 17:54:52.000000000 +0100
+++ ncurses-6.4/debian/libtinfo5.symbols 2023-05-01 11:36:38.000000000 +0200
@@ -95,6 +95,7 @@
_nc_curr_col@NCURSES_TINFO_5.0.19991023 6
_nc_curr_line@NCURSES_TINFO_5.0.19991023 6
_nc_doalloc@NCURSES_TINFO_5.0.19991023 6
+ _nc_env_access@NCURSES_TINFO_5.2.20001021 6.4-3~
_nc_err_abort@NCURSES_TINFO_5.0.19991023 6
_nc_fallback@NCURSES_TINFO_5.0.19991023 6
_nc_find_entry@NCURSES_TINFO_5.0.19991023 6
diff -Nru ncurses-6.4/debian/libtinfo6.symbols ncurses-6.4/debian/libtinfo6.symbols
--- ncurses-6.4/debian/libtinfo6.symbols 2023-01-22 17:54:52.000000000 +0100
+++ ncurses-6.4/debian/libtinfo6.symbols 2023-05-01 11:36:38.000000000 +0200
@@ -94,6 +94,7 @@
_nc_curr_col@NCURSES6_TINFO_5.0.19991023 6
_nc_curr_line@NCURSES6_TINFO_5.0.19991023 6
_nc_doalloc@NCURSES6_TINFO_5.0.19991023 6
+ _nc_env_access@NCURSES6_TINFO_5.2.20001021 6.4-3~
_nc_err_abort@NCURSES6_TINFO_5.0.19991023 6
_nc_export_termtype2@NCURSES6_TINFO_6.1.20171230 6.1
_nc_fallback2@NCURSES6_TINFO_6.1.20171230 6.1
diff -Nru ncurses-6.4/debian/patches/debian-env-access.diff ncurses-6.4/debian/patches/debian-env-access.diff
--- ncurses-6.4/debian/patches/debian-env-access.diff 1970-01-01 01:00:00.000000000 +0100
+++ ncurses-6.4/debian/patches/debian-env-access.diff 2023-05-01 11:31:44.000000000 +0200
@@ -0,0 +1,27 @@
+Author: Sven Joachim <svenj...@gmx.de>
+Description: Change the --disable-root-environ configure option behavior
+ By default, the --disable-root-environ option forbids program run by
+ the superuser to load custom terminfo entries. This patch changes
+ that to only restrict programs running with elevated privileges,
+ matching the behavior of the --disable-setuid-environ option
+ introduced in the 20230423 upstream patchlevel.
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
+Forwarded: not-needed
+Last-Update: 2023-05-01
+
+---
+ ncurses/tinfo/access.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/ncurses/tinfo/access.c
++++ b/ncurses/tinfo/access.c
+@@ -215,8 +215,6 @@ _nc_env_access(void)
+
+ if (is_elevated()) {
+ result = FALSE;
+- } else if ((getuid() == ROOT_UID) || (geteuid() == ROOT_UID)) {
+- result = FALSE;
+ }
+ return result;
+ }
diff -Nru ncurses-6.4/debian/patches/fix-configure-root-args-option.diff ncurses-6.4/debian/patches/fix-configure-root-args-option.diff
--- ncurses-6.4/debian/patches/fix-configure-root-args-option.diff 1970-01-01 01:00:00.000000000 +0100
+++ ncurses-6.4/debian/patches/fix-configure-root-args-option.diff 2023-05-01 11:31:04.000000000 +0200
@@ -0,0 +1,24 @@
+Author: Sven Joachim <svenj...@gmx.de>
+Description: Fix copy/paste error in configure.in
+ Fix the --disable-root-access and --disableroot-environ configure
+ options. Due to a copy/paste error, the latter performs the actions
+ of the former, while the --disable-root-access option has no effect
+ at all.
+Forwarded: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00003.html
+Last-Update: 2023-05-01
+
+---
+ configure.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/configure.in
++++ b/configure.in
+@@ -868,7 +868,7 @@ AC_MSG_RESULT($with_root_environ)
+ test "x$with_root_environ" = xyes && AC_DEFINE(USE_ROOT_ENVIRON,1,[Define to 1 if root is allowed to use ncurses environment])
+
+ AC_MSG_CHECKING(if you want to permit setuid programs to access all files)
+-AC_ARG_ENABLE(root-environ,
++AC_ARG_ENABLE(root-access,
+ [ --disable-root-access restrict file-access when running setuid],
+ [with_root_access=$enableval],
+ [with_root_access=yes])
diff -Nru ncurses-6.4/debian/patches/series ncurses-6.4/debian/patches/series
--- ncurses-6.4/debian/patches/series 2023-01-22 18:31:25.000000000 +0100
+++ ncurses-6.4/debian/patches/series 2023-05-01 11:31:44.000000000 +0200
@@ -3,3 +3,5 @@
02-debian-xterm.diff
03-debian-ncursesconfig-omit-L.diff
fix_crash_on_very_long_tc-use_clause.diff
+fix-configure-root-args-option.diff
+debian-env-access.diff
diff -Nru ncurses-6.4/debian/rules ncurses-6.4/debian/rules
--- ncurses-6.4/debian/rules 2023-01-22 19:46:39.000000000 +0100
+++ ncurses-6.4/debian/rules 2023-05-01 11:36:38.000000000 +0200
@@ -148,6 +148,7 @@
--without-progs \
$(with_mouse) \
--enable-symlinks \
+ --disable-root-environ \
--disable-termcap \
--with-default-terminfo-dir=/etc/terminfo \
--with-terminfo-dirs="/etc/terminfo:/lib/terminfo:/usr/share/terminfo" \
