On Sat, Apr 15, 2023 at 07:27:45AM -0400, Thomas Dickey wrote:
> On Sat, Apr 15, 2023 at 09:05:25AM +0200, Sven Joachim wrote:
> > On 2023-04-13 20:39 +0200, Moritz Mühlenhoff wrote:
> > 
> > > The following vulnerability was published for ncurses.
> > >
> > > CVE-2023-29491 was assigned to 
> > > https://invisible-island.net/ncurses/NEWS.html#index-t20230408
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2023-29491
> > >     https://www.cve.org/CVERecord?id=CVE-2023-29491
> > 
> > Security boundaries are only crossed for setuid/setgid programs here,
> > and we probably do not have many setuid binaries linked to libtinfo in
> > the distribution (on my system, I could not find any).  So I guess you
> > probably do not want to issue a DSA here, right?
> > 
> > Gentoo users have noticed a few problems after upgrading to the 20230408
> > patchlevel[1,2,3], most notably output of openrc being completely
> > broken.  While we do not have that particular problem because openrc in
> 
> It was already broken (the "(null)" strings come from its misuse of the
> ncurses interface, which will require fixes in OpenRC).  I'm not going
> to provide a patch for OpenRC itself - any maintainer should be able to
> do _that_.
> 
> Today I'll put out the fix for zero-parameter tsl, along with similar minor
> improvements, and if nothing else surfaces, use that as the basis for the
> security-patch.

I had another fix, which works fine.  Except of course for programs which
call tparm without actually reading from the terminal database, and don't
check error returns.  I could digress...

...reflecting on all of this, the low-impact change would be to use the
--disable-root-environ configure option (possibly --disable-root-access
as well).

By the way, the issues that I've been addressing exist in other
implementations.  Have a nice day.

-- 
Thomas E. Dickey <dic...@invisible-island.net>
https://invisible-island.net
