Opened 10 months ago
Closed 10 months ago
#5416 closed enhancement (fixed)
ncurses-6.4-20230520 (fix CVE-2023-29491)
Reported by: | Xi Ruoyao | Owned by: | Xi Ruoyao |
---|---|---|---|
Priority: | high | Milestone: | 12.1 |
Component: | Book | Version: | git |
Severity: | normal | Keywords: | |
Cc: | | | |
Description
ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
In BLFS, screen is a setuid executable and it uses ncurses, so we need to update ncurses to a fixed version. Arch and Fedora are using 6.4-20230520, which can be downloaded from https://ncurses.scripts.mit.edu/?p=ncurses.git;a=snapshot;h=e762b1bf39c1080e4155e0a592f22452130bdfc6;sf=tgz, but we need to repackage it and upload it to anduin.
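An added check, not part of the ticket or of the BLFS book: a POSIX sh script that tells whether an installed ncurses version string is at or past the 20230408 patch level the CVE text names as the fix, and that lists the setuid/setgid executables on the host which dynamically link libncurses or libtinfo, i.e. the programs a local user's crafted terminfo entry could reach. The script name and the `--audit` flag are my own; `ncursesw6-config --version`, `ncurses6-config --version` and `tput -V` are the usual ways an ncurses build reports its version. Statically linked or dlopen'ed users of ncurses are not found by the `ldd` scan.

```shell
#!/bin/sh
# ncurses-cve-2023-29491-audit.sh (added example; name and flag are mine)

# Fixed patch level from the CVE description: ncurses before 6.4 20230408.
FIX_MAJOR=6
FIX_MINOR=4
FIX_PATCH=20230408

# ncurses_fixed VERSION
# Returns 0 if VERSION (e.g. "6.4.20230520", or "ncurses 6.4.20230520" as
# printed by "tput -V") is at or past the fixed patch level, 1 otherwise.
# A bare release such as "6.4" has patch level 0 and predates the fix.
ncurses_fixed() {
    ver=${1#"ncurses "}
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0          # "6" alone -> minor 0
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    # Anything non-numeric is reported as unfixed rather than guessed at.
    case "$major$minor$patch" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$major" -gt "$FIX_MAJOR" ] && return 0
    [ "$major" -lt "$FIX_MAJOR" ] && return 1
    [ "$minor" -gt "$FIX_MINOR" ] && return 0
    [ "$minor" -lt "$FIX_MINOR" ] && return 1
    [ "$patch" -ge "$FIX_PATCH" ]
}

# installed_ncurses_version
# Prints the version of the ncurses the host has installed, trying the
# wide and narrow *-config scripts first and tput as a fallback.
installed_ncurses_version() {
    ncursesw6-config --version 2>/dev/null && return 0
    ncurses6-config --version 2>/dev/null && return 0
    tput -V 2>/dev/null
}

# setuid_ncurses_users
# Prints every setuid/setgid regular file on local filesystems whose
# dynamic dependencies include libncurses(w) or libtinfo(w).  These are
# the binaries exposed to a user-controlled $HOME/.terminfo, TERMINFO or
# TERM before the fix (screen in BLFS, for example).
setuid_ncurses_users() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r exe; do
        if ldd "$exe" 2>/dev/null | grep -qE 'lib(ncurses|tinfo)w?\.so'; then
            printf '%s\n' "$exe"
        fi
    done
}

audit() {
    ver=$(installed_ncurses_version)
    if [ -z "$ver" ]; then
        echo "ncurses version: unknown (no ncurses*-config or tput found)"
    elif ncurses_fixed "$ver"; then
        echo "ncurses version: $ver (includes the CVE-2023-29491 fix)"
    else
        echo "ncurses version: $ver (predates the fix, update needed)"
    fi
    echo "setuid/setgid executables linked against ncurses:"
    setuid_ncurses_users | sed 's/^/  /'
}

# Only run the host audit when explicitly asked, so the functions can be
# sourced and used on their own.
[ "${1:-}" = "--audit" ] && audit
```

Run it as `sh ncurses-cve-2023-29491-audit.sh --audit`. Any binary it lists that also runs with elevated privileges on a host still below 6.4-20230408 is the case the ticket is about; after the update the list is informational only.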
Change History (4)
comment:1 by , 10 months ago
comment:2 by , 10 months ago
I've uploaded the tarball to https://anduin.linuxfromscratch.org/LFS/ncurses-6.4-20230520.tar.xz.
comment:3 by , 10 months ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
We have a dozen tickets now (including 3 security fixes) and Linux 6.7.1 is out. We had better do an update before February to settle other things down before the new Binutils and Glibc.
comment:4 by , 10 months ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed: Package updates
SA 12.0-076.
Some other distros are configuring ncurses with the --disable-root-access --disable-setuid-environ options as a precaution, but they are not needed to fix this specific vulnerability. Not sure if we should use them.