!58 fix CVE-2023-29491
From: @yangl777 Reviewed-by: @yanan-rock Signed-off-by: @yanan-rock
commit
afc8619e1c
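--- /dev/null
+++ b/backport-CVE-2023-29491-mitigation.patch
@@ -0,0 +1,43 @@
+Backport of:
+
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Change the --disable-root-environ configure option behavior
+By default, the --disable-root-environ option forbids program run by
+the superuser to load custom terminfo entries. This patch changes
+that to only restrict programs running with elevated privileges,
+matching the behavior of the --disable-setuid-environ option
+introduced in the 20230423 upstream patchlevel.
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
+Forwarded: not-needed
+Last-Update: 2023-05-01
+
+---
+ncurses/tinfo/access.c | 2 --
+1 file changed, 2 deletions(-)
+
+Index: ncurses-6.2/ncurses/tinfo/access.c
+===================================================================
+--- ncurses-6.2.orig/ncurses/tinfo/access.c
++++ ncurses-6.2/ncurses/tinfo/access.c
+@@ -171,15 +171,16 @@ _nc_is_file_path(const char *path)
+NCURSES_EXPORT(int)
+_nc_env_access(void)
+{
++ int result = TRUE;
++
+#if HAVE_ISSETUGID
+if (issetugid())
+- return FALSE;
++ result = FALSE;
+#elif HAVE_GETEUID && HAVE_GETEGID
+if (getuid() != geteuid()
+|| getgid() != getegid())
+- return FALSE;
++ result = FALSE;
+#endif
+- /* ...finally, disallow root */
+- return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID);
++ return result;
+}
+#endif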
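Review bot: In the rewritten `_nc_env_access` of the embedded access.c hunk, `result` starts as TRUE and is only ever set to FALSE inside the `#if HAVE_ISSETUGID` and `#elif HAVE_GETEUID && HAVE_GETEGID` arms, so a build on a platform where neither feature macro is defined now trusts the terminfo environment unconditionally, whereas the removed final `return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID)` was evaluated on every platform. Consider failing closed with a third arm, `#else` / `result = FALSE;` (or a `#error` so such a configuration is caught at build time), and stating the new intent in a comment above the declaration, e.g. `/* --disable-root-environ: distrust TERMINFO/HOME only when running set-uid or set-gid */`. The function sits inside a preprocessor conditional whose opening `#if` is outside the hunk; only its closing `#endif` is visible here.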
11
ncurses.spec
11
ncurses.spec
@ -1,7 +1,7 @@
|
||||
%global revision 20200411
|
||||
Name: ncurses
|
||||
Version: 6.2
|
||||
Release: 3
|
||||
Release: 4
|
||||
Summary: Terminal control library
|
||||
License: MIT
|
||||
URL: https://invisible-island.net/ncurses/ncurses.html
|
||||
@ -14,6 +14,7 @@ Patch12: ncurses-kbs.patch
|
||||
|
||||
Patch13: backport-CVE-2021-39537-add-check-for-end-of-string-in-cvtchar-to-handle-a-malformed.patch
|
||||
Patch14: backport-CVE-2022-29458.patch
|
||||
Patch15: backport-CVE-2023-29491-mitigation.patch
|
||||
|
||||
BuildRequires: gcc gcc-c++ gpm-devel pkgconfig
|
||||
|
||||
@ -84,7 +85,7 @@ done
|
||||
|
||||
%build
|
||||
common_options="--enable-colorfgbg --enable-hard-tabs --enable-overwrite \
|
||||
--enable-pc-files --enable-xmc-glitch --disable-wattr-macros \
|
||||
--enable-pc-files --enable-xmc-glitch --disable-wattr-macros --disable-root-environ \
|
||||
--with-cxx-shared --with-ospeed=unsigned \
|
||||
--with-pkg-config-libdir=%{_libdir}/pkgconfig \
|
||||
--with-shared \
|
||||
@ -224,6 +225,12 @@ xz NEWS
|
||||
%{_mandir}/man7/*
|
||||
|
||||
%changelog
|
||||
* Mon Jul 03 2023 yanglu <yanglu72@h-partners.com> - 6.2-4
|
||||
- Type:CVE
|
||||
- CVE:CVE-2023-29491
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2023-29491
|
||||
|
||||
* Thu Apr 28 2022 gaihuiying <eaglegai@163.com> - 6.2-3
|
||||
- Type:CVE
|
||||
- CVE:CVE-2022-29458
|
||||
|
||||
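Review bot: The `%build` hunk adds `--disable-root-environ`, but the narrower semantics that flag now carries — per the description in Patch15, only set-uid/set-gid programs lose access to the terminfo environment — exist only because Patch15 rewrites `_nc_env_access`; the spec does not record that coupling, so dropping the patch later would silently make the same flag lock root out of custom terminfo entries. A comment next to the new patch line, such as `# Patch15 narrows --disable-root-environ (enabled in %build) to set-uid/set-gid programs`, would make the dependency explicit. The changelog line `- DESC:fix CVE-2023-29491` also overstates what is carried: the patch file is named and described as a mitigation that limits which processes honour the environment rather than a change to the terminfo parser, so `- DESC:mitigate CVE-2023-29491 by restricting terminfo environment lookup in set-uid/set-gid programs` would be more accurate unless parser hardening is shipped separately.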