blob: 0a0497723f3ea8e956a4f93d9b7381103cbcdb70 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
Backport of:
Author: Sven Joachim <svenjoac@gmx.de>
Description: Change the --disable-root-environ configure option behavior
By default, the --disable-root-environ option forbids program run by
the superuser to load custom terminfo entries. This patch changes
that to only restrict programs running with elevated privileges,
matching the behavior of the --disable-setuid-environ option
introduced in the 20230423 upstream patchlevel.
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
Forwarded: not-needed
Last-Update: 2023-05-01
Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ncurses/6.2-0ubuntu2.1/ncurses_6.2-0ubuntu2.1.debian.tar.xz]
CVE: CVE-2023-29491
Signed-off-by: Virendra Thakur <virendrak@kpit.com>
---
ncurses/tinfo/access.c | 2 --
1 file changed, 2 deletions(-)
--- a/ncurses/tinfo/access.c
+++ b/ncurses/tinfo/access.c
@@ -178,15 +178,16 @@ _nc_is_file_path(const char *path)
NCURSES_EXPORT(int)
_nc_env_access(void)
{
+ int result = TRUE;
+
#if HAVE_ISSETUGID
if (issetugid())
- return FALSE;
+ result = FALSE;
#elif HAVE_GETEUID && HAVE_GETEGID
if (getuid() != geteuid()
|| getgid() != getegid())
- return FALSE;
+ result = FALSE;
#endif
- /* ...finally, disallow root */
- return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID);
+ return result;
}
#endif
|