author | psykose <alice@ayaya.dev> | 2023-05-27 07:47:35 +0000 |
---|---|---|
committer | psykose <alice@ayaya.dev> | 2023-05-27 09:49:44 +0200 |
commit | 776cc4e9d3d71d1c69efe4f4a5057c9eacb3c45e (patch) | |
tree | 4aba5ae217d6aa78aa64706875388ae28395dc1c | |
parent | b0a82f57c824f38a0a863b187839846ce277f359 (diff) | |
main/ncurses: fix CVE-2023-29491 (3.16-stable)
ref #14915
-rw-r--r-- | main/ncurses/APKBUILD | 12 | ||||
-rw-r--r-- | main/ncurses/fix-configure-root-args-option.patch | 19 | ||||
-rw-r--r-- | main/ncurses/root-environ-only-setuid.patch | 35 |
3 files changed, 64 insertions, 2 deletions
diff --git a/main/ncurses/APKBUILD b/main/ncurses/APKBUILD index c03921ed4c7..324d0791e0c 100644 --- a/main/ncurses/APKBUILD +++ b/main/ncurses/APKBUILD @@ -2,7 +2,7 @@ pkgname=ncurses pkgver=6.3_p20220521 _ver=${pkgver/_p/-} -pkgrel=0 +pkgrel=1 pkgdesc="Console display library" url="https://invisible-island.net/ncurses/" arch="all" @@ -11,10 +11,15 @@ license="MIT" makedepends_build="ncurses" subpackages="$pkgname-static $pkgname-dev $pkgname-doc $pkgname-libs $pkgname-terminfo-base:base:noarch $pkgname-terminfo:terminfo:noarch" -source="https://invisible-mirror.net/archives/ncurses/current/ncurses-$_ver.tgz" +source="https://invisible-mirror.net/archives/ncurses/current/ncurses-$_ver.tgz + fix-configure-root-args-option.patch + root-environ-only-setuid.patch + " builddir="$srcdir"/ncurses-$_ver # secfixes: +# 6.3_p20220521-r1: +# - CVE-2023-29491 # 6.3_p20220416-r0: # - CVE-2022-29458 # 6.2_p20200530-r0: @@ -34,6 +39,7 @@ build() { --without-ada \ --without-tests \ --disable-termcap \ + --disable-root-environ \ --disable-rpath-hack \ --disable-stripping \ --with-pkg-config-libdir=/usr/lib/pkgconfig \ @@ -121,4 +127,6 @@ static() { sha512sums=" bd52e79fee39c223f5a50ae308e842bdf54dcc32ca66c2181379c6cb46b7ad05300ba0a900432de333c353f8e5781e52a9e532f285cf0ccb1231e8abc3ca0412 ncurses-6.3-20220521.tgz +a075e0f0ed1778466f8da58bed279f5603ce3676afeb5345c228d4c89a42a28755d6a6f9ddcce5c4a364e6b020bf021a8aa63802fa781829c63ef0fdb9fd41c1 fix-configure-root-args-option.patch +cd0bcf43cb8bc54b2a0189ae20b106a8545e6e3008782f1faa9ea341ac8b05305f5870d6217dbd33009876d32ce3dcc14fc454df4be234187528db27d1351432 root-environ-only-setuid.patch " diff --git a/main/ncurses/fix-configure-root-args-option.patch b/main/ncurses/fix-configure-root-args-option.patch new file mode 100644 index 00000000000..970ca1f0667 --- /dev/null +++ b/main/ncurses/fix-configure-root-args-option.patch 
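Review bot: The `--disable-root-environ \` line added to build() gives no hint that its meaning in this package differs from upstream's. Going by the two patch headers in this commit, the flag only behaves as intended when fix-configure-root-args-option.patch is applied (the unpatched configure reads it in the root-access check) and root-environ-only-setuid.patch is applied (which narrows it to elevated processes). A comment above the configure invocation would keep the flag and the patches from drifting apart on the next upgrade, for example `# --disable-root-environ: CVE-2023-29491; patched to act like upstream's --disable-setuid-environ, switch to that option once pkgver provides it`. build() starts and ends outside the hunk, so the comment has to go before the command rather than between the continued lines.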
@@ -0,0 +1,19 @@
+disable-root-environ mistakenly also sets disable-root-access. this corrects that (same as latest ncurses)
+--
+diff --git a/configure b/configure
+index 4c39d24..a8e683e 100755
+--- a/configure
++++ b/configure
+@@ -9501,9 +9501,9 @@ EOF
+ echo "$as_me:9501: checking if you want to permit setuid programs to access all files" >&5
+ echo $ECHO_N "checking if you want to permit setuid programs to access all files... $ECHO_C" >&6
+
+-# Check whether --enable-root-environ or --disable-root-environ was given.
+-if test "${enable_root_environ+set}" = set; then
+- enableval="$enable_root_environ"
++# Check whether --enable-root-access or --disable-root-access was given.
++if test "${enable_root_access+set}" = set; then
++ enableval="$enable_root_access"
+ with_root_access=$enableval
+ else
+ with_root_access=yes
diff --git a/main/ncurses/root-environ-only-setuid.patch b/main/ncurses/root-environ-only-setuid.patch
new file mode 100644
index 00000000000..e786dd70281
--- /dev/null
+++ b/main/ncurses/root-environ-only-setuid.patch
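Review bot: The header of fix-configure-root-args-option.patch says only "same as latest ncurses" and, unlike the sibling patch, records no origin, so the next maintainer cannot tell when the patch may be dropped. A line such as `Patch-Source: <upstream ncurses patchlevel or commit URL>` in the header would make it traceable. The patch also edits the generated `configure` only, so the fix would presumably be lost if the build ever regenerated that script from its template; a one-line note in the header saying so would help. The inner hunk stops at `with_root_access=yes`, so the rest of the `if` block is not visible here. It is worth confirming in the build log that the root-access check still answers yes while the root-environ restriction is reported as disabled.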
@@ -0,0 +1,35 @@
+Patch-Source: https://sources.debian.org/src/ncurses/6.4-4/debian/patches/debian-env-access.diff/
+we use this to patch CVE-2023-29491,
+by making disable-root-environ functionally equivalent to disable-setuid-environ
+(which only exists in latest ncurses git).
+
+that new option fixes the issue.
+--
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Change the --disable-root-environ configure option behavior
+ By default, the --disable-root-environ option forbids program run by
+ the superuser to load custom terminfo entries. This patch changes
+ that to only restrict programs running with elevated privileges,
+ matching the behavior of the --disable-setuid-environ option
+ introduced in the 20230423 upstream patchlevel.
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
+Forwarded: not-needed
+Last-Update: 2023-05-01
+
+---
+ ncurses/tinfo/access.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/ncurses/tinfo/access.c
++++ b/ncurses/tinfo/access.c
+@@ -215,8 +215,6 @@ _nc_env_access(void)
+
+ if (is_elevated()) {
+ result = FALSE;
+- } else if ((getuid() == ROOT_UID) || (geteuid() == ROOT_UID)) {
+- result = FALSE;
+ }
+ return result;
+ }
+
|
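Review bot: The inner hunk's context (`if (is_elevated()) {`, `result = FALSE;`) is taken from Debian's 6.4-4 tree, while this APKBUILD builds ncurses 6.3-20220521, so it should be confirmed that access.c in that snapshot already has `is_elevated()` and this shape of `_nc_env_access()`. If it does not, the patch will not apply, or the fix will rest on code that is not there. With the ROOT_UID branch removed, `is_elevated()` is the only gate left, and it is defined outside the hunk. Its behaviour on this libc is what decides whether setgid or otherwise privileged programs are still covered. The patch header would also benefit from stating the consequence plainly, e.g. `Note: processes running as plain root (uid == euid == 0) honour TERMINFO/TERMCAP/HOME again; only is_elevated() processes are restricted.`, since privilege-switching tools then rely on their own environment scrubbing.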