aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorpsykose <alice@ayaya.dev>2023-05-27 07:47:35 +0000
committerpsykose <alice@ayaya.dev>2023-05-27 09:49:44 +0200
commit776cc4e9d3d71d1c69efe4f4a5057c9eacb3c45e (patch)
tree4aba5ae217d6aa78aa64706875388ae28395dc1c
parentb0a82f57c824f38a0a863b187839846ce277f359 (diff)
downloadaports-3.16-stable.tar.gz
aports-3.16-stable.tar.bz2
aports-3.16-stable.tar.xz
main/ncurses: fix CVE-2023-294913.16-stable
ref #14915
-rw-r--r--main/ncurses/APKBUILD12
-rw-r--r--main/ncurses/fix-configure-root-args-option.patch19
-rw-r--r--main/ncurses/root-environ-only-setuid.patch35
3 files changed, 64 insertions, 2 deletions
diff --git a/main/ncurses/APKBUILD b/main/ncurses/APKBUILD
index c03921ed4c7..324d0791e0c 100644
--- a/main/ncurses/APKBUILD
+++ b/main/ncurses/APKBUILD
@@ -2,7 +2,7 @@
pkgname=ncurses
pkgver=6.3_p20220521
_ver=${pkgver/_p/-}
-pkgrel=0
+pkgrel=1
pkgdesc="Console display library"
url="https://invisible-island.net/ncurses/"
arch="all"
@@ -11,10 +11,15 @@ license="MIT"
makedepends_build="ncurses"
subpackages="$pkgname-static $pkgname-dev $pkgname-doc $pkgname-libs
$pkgname-terminfo-base:base:noarch $pkgname-terminfo:terminfo:noarch"
-source="https://invisible-mirror.net/archives/ncurses/current/ncurses-$_ver.tgz"
+source="https://invisible-mirror.net/archives/ncurses/current/ncurses-$_ver.tgz
+ fix-configure-root-args-option.patch
+ root-environ-only-setuid.patch
+ "
builddir="$srcdir"/ncurses-$_ver
# secfixes:
+# 6.3_p20220521-r1:
+# - CVE-2023-29491
# 6.3_p20220416-r0:
# - CVE-2022-29458
# 6.2_p20200530-r0:
@@ -34,6 +39,7 @@ build() {
--without-ada \
--without-tests \
--disable-termcap \
+ --disable-root-environ \
--disable-rpath-hack \
--disable-stripping \
--with-pkg-config-libdir=/usr/lib/pkgconfig \
@@ -121,4 +127,6 @@ static() {
sha512sums="
bd52e79fee39c223f5a50ae308e842bdf54dcc32ca66c2181379c6cb46b7ad05300ba0a900432de333c353f8e5781e52a9e532f285cf0ccb1231e8abc3ca0412 ncurses-6.3-20220521.tgz
+a075e0f0ed1778466f8da58bed279f5603ce3676afeb5345c228d4c89a42a28755d6a6f9ddcce5c4a364e6b020bf021a8aa63802fa781829c63ef0fdb9fd41c1 fix-configure-root-args-option.patch
+cd0bcf43cb8bc54b2a0189ae20b106a8545e6e3008782f1faa9ea341ac8b05305f5870d6217dbd33009876d32ce3dcc14fc454df4be234187528db27d1351432 root-environ-only-setuid.patch
"
diff --git a/main/ncurses/fix-configure-root-args-option.patch b/main/ncurses/fix-configure-root-args-option.patch
new file mode 100644
index 00000000000..970ca1f0667
--- /dev/null
+++ b/main/ncurses/fix-configure-root-args-option.patch
@@ -0,0 +1,19 @@
+disable-root-environ mistakenly also sets disable-root-access. this corrects that (same as latest ncurses)
+--
+diff --git a/configure b/configure
+index 4c39d24..a8e683e 100755
+--- a/configure
++++ b/configure
+@@ -9501,9 +9501,9 @@ EOF
+ echo "$as_me:9501: checking if you want to permit setuid programs to access all files" >&5
+ echo $ECHO_N "checking if you want to permit setuid programs to access all files... $ECHO_C" >&6
+
+-# Check whether --enable-root-environ or --disable-root-environ was given.
+-if test "${enable_root_environ+set}" = set; then
+- enableval="$enable_root_environ"
++# Check whether --enable-root-access or --disable-root-access was given.
++if test "${enable_root_access+set}" = set; then
++ enableval="$enable_root_access"
+ with_root_access=$enableval
+ else
+ with_root_access=yes
diff --git a/main/ncurses/root-environ-only-setuid.patch b/main/ncurses/root-environ-only-setuid.patch
new file mode 100644
index 00000000000..e786dd70281
--- /dev/null
+++ b/main/ncurses/root-environ-only-setuid.patch
@@ -0,0 +1,35 @@
+Patch-Source: https://sources.debian.org/src/ncurses/6.4-4/debian/patches/debian-env-access.diff/
+we use this to patch CVE-2023-29491,
+by making disable-root-environ functionally equivalent to disable-setuid-environ
+(which only exists in latest ncurses git).
+
+that new option fixes the issue.
+--
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Change the --disable-root-environ configure option behavior
+ By default, the --disable-root-environ option forbids program run by
+ the superuser to load custom terminfo entries. This patch changes
+ that to only restrict programs running with elevated privileges,
+ matching the behavior of the --disable-setuid-environ option
+ introduced in the 20230423 upstream patchlevel.
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
+Forwarded: not-needed
+Last-Update: 2023-05-01
+
+---
+ ncurses/tinfo/access.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/ncurses/tinfo/access.c
++++ b/ncurses/tinfo/access.c
+@@ -215,8 +215,6 @@ _nc_env_access(void)
+
+ if (is_elevated()) {
+ result = FALSE;
+- } else if ((getuid() == ROOT_UID) || (geteuid() == ROOT_UID)) {
+- result = FALSE;
+ }
+ return result;
+ }
+