packages/ncurses
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!58 fix CVE-2023-29491

Browse Source 
From: @yangl777 
Reviewed-by: @yanan-rock 
Signed-off-by: @yanan-rock
This commit is contained in:
openeuler-ci-bot 2023-07-03 06:12:02 +00:00 committed by Gitee
commit afc8619e1c
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 52 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
backport-CVE-2023-29491-mitigation.patch Normal file
View File

@ -0,0 +1,43 @@
Backport of:
Author: Sven Joachim <svenjoac@gmx.de>
Description: Change the --disable-root-environ configure option behavior
By default, the --disable-root-environ option forbids program run by
the superuser to load custom terminfo entries. This patch changes
that to only restrict programs running with elevated privileges,
matching the behavior of the --disable-setuid-environ option
introduced in the 20230423 upstream patchlevel.
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
Forwarded: not-needed
Last-Update: 2023-05-01
---
ncurses/tinfo/access.c | 2 --
1 file changed, 2 deletions(-)
Index: ncurses-6.2/ncurses/tinfo/access.c
===================================================================
--- ncurses-6.2.orig/ncurses/tinfo/access.c
+++ ncurses-6.2/ncurses/tinfo/access.c
@@ -171,15 +171,16 @@ _nc_is_file_path(const char *path)
NCURSES_EXPORT(int)
_nc_env_access(void)
{
+ int result = TRUE;
+
#if HAVE_ISSETUGID
if (issetugid())
- return FALSE;
+ result = FALSE;
#elif HAVE_GETEUID && HAVE_GETEGID
if (getuid() != geteuid()
|| getgid() != getegid())
- return FALSE;
+ result = FALSE;
#endif
- /* ...finally, disallow root */
- return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID);
+ return result;
}
#endif

11
ncurses.spec
View File

@ -1,7 +1,7 @@
%global revision 20200411 %global revision 20200411
Name: ncurses Name: ncurses
Version: 6.2 Version: 6.2
Release: 3 Release: 4
Summary: Terminal control library Summary: Terminal control library
License: MIT License: MIT
URL: https://invisible-island.net/ncurses/ncurses.html URL: https://invisible-island.net/ncurses/ncurses.html
@ -14,6 +14,7 @@ Patch12: ncurses-kbs.patch
Patch13: backport-CVE-2021-39537-add-check-for-end-of-string-in-cvtchar-to-handle-a-malformed.patch Patch13: backport-CVE-2021-39537-add-check-for-end-of-string-in-cvtchar-to-handle-a-malformed.patch
Patch14: backport-CVE-2022-29458.patch Patch14: backport-CVE-2022-29458.patch
Patch15: backport-CVE-2023-29491-mitigation.patch
BuildRequires: gcc gcc-c++ gpm-devel pkgconfig BuildRequires: gcc gcc-c++ gpm-devel pkgconfig
@ -84,7 +85,7 @@ done
%build %build
common_options="--enable-colorfgbg --enable-hard-tabs --enable-overwrite \ common_options="--enable-colorfgbg --enable-hard-tabs --enable-overwrite \
--enable-pc-files --enable-xmc-glitch --disable-wattr-macros \ --enable-pc-files --enable-xmc-glitch --disable-wattr-macros --disable-root-environ \
--with-cxx-shared --with-ospeed=unsigned \ --with-cxx-shared --with-ospeed=unsigned \
--with-pkg-config-libdir=%{_libdir}/pkgconfig \ --with-pkg-config-libdir=%{_libdir}/pkgconfig \
--with-shared \ --with-shared \
@ -224,6 +225,12 @@ xz NEWS
%{_mandir}/man7/* %{_mandir}/man7/*
%changelog %changelog
* Mon Jul 03 2023 yanglu <yanglu72@h-partners.com> - 6.2-4
- Type:CVE
- CVE:CVE-2023-29491
- SUG:NA
- DESC:fix CVE-2023-29491
* Thu Apr 28 2022 gaihuiying <eaglegai@163.com> - 6.2-3 * Thu Apr 28 2022 gaihuiying <eaglegai@163.com> - 6.2-3
- Type:CVE - Type:CVE
- CVE:CVE-2022-29458 - CVE:CVE-2022-29458