diff options
| -rw-r--r-- | meta/recipes-core/ncurses/files/CVE-2023-29491.patch | 45 | ||||
| -rw-r--r-- | meta/recipes-core/ncurses/ncurses_6.2.bb | 3 |
2 files changed, 47 insertions, 1 deletions
diff --git a/meta/recipes-core/ncurses/files/CVE-2023-29491.patch b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch new file mode 100644 index 0000000000..0a0497723f --- /dev/null +++ b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch @@ -0,0 +1,45 @@ +Backport of: + +Author: Sven Joachim <svenjoac@gmx.de> +Description: Change the --disable-root-environ configure option behavior + By default, the --disable-root-environ option forbids program run by + the superuser to load custom terminfo entries. This patch changes + that to only restrict programs running with elevated privileges, + matching the behavior of the --disable-setuid-environ option + introduced in the 20230423 upstream patchlevel. +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29 +Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html +Forwarded: not-needed +Last-Update: 2023-05-01 + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ncurses/6.2-0ubuntu2.1/ncurses_6.2-0ubuntu2.1.debian.tar.xz] +CVE: CVE-2023-29491 +Signed-off-by: Virendra Thakur <virendrak@kpit.com> + +--- + ncurses/tinfo/access.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/ncurses/tinfo/access.c ++++ b/ncurses/tinfo/access.c +@@ -178,15 +178,16 @@ _nc_is_file_path(const char *path) + NCURSES_EXPORT(int) + _nc_env_access(void) + { ++ int result = TRUE; ++ + #if HAVE_ISSETUGID + if (issetugid()) +- return FALSE; ++ result = FALSE; + #elif HAVE_GETEUID && HAVE_GETEGID + if (getuid() != geteuid() + || getgid() != getegid()) +- return FALSE; ++ result = FALSE; + #endif +- /* ...finally, disallow root */ +- return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID); ++ return result; + } + #endif diff --git a/meta/recipes-core/ncurses/ncurses_6.2.bb b/meta/recipes-core/ncurses/ncurses_6.2.bb index 451bfbcb5d..33285bcb5b 100644 --- a/meta/recipes-core/ncurses/ncurses_6.2.bb +++ b/meta/recipes-core/ncurses/ncurses_6.2.bb @@ -5,11 +5,12 @@ SRC_URI += "file://0001-tic-hang.patch \ file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \ file://CVE-2021-39537.patch \ file://CVE-2022-29458.patch \ + file://CVE-2023-29491.patch \ " # commit id corresponds to the revision in package version SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4" S = "${WORKDIR}/git" -EXTRA_OECONF += "--with-abi-version=5" +EXTRA_OECONF += "--with-abi-version=5 --disable-root-environ" UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+(\+\d+)*)" # This is needed when using patchlevel versions like 6.1+20181013 |