Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Craig Small <csmall@debian.org>. (Thu, 13 Apr 2023 18:42:04 GMT)
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 13 Apr 2023 19:00:02 GMT)
Marked as found in versions ncurses/6.4-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 13 Apr 2023 19:00:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>: Bug#1034372; Package src:ncurses. (Sat, 15 Apr 2023 07:09:02 GMT)
Acknowledgement sent to Sven Joachim <svenjoac@gmx.de>: Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Sat, 15 Apr 2023 07:09:02 GMT)
On 2023-04-13 20:39 +0200, Moritz Mühlenhoff wrote:
> The following vulnerability was published for ncurses.
>
> CVE-2023-29491 was assigned to https://invisible-island.net/ncurses/NEWS.html#index-t20230408
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-29491
> https://www.cve.org/CVERecord?id=CVE-2023-29491
Security boundaries are only crossed for setuid/setgid programs here,
and we probably do not have many setuid binaries linked to libtinfo in
the distribution (on my system, I could not find any). So I guess you
probably do not want to issue a DSA here, right?
Gentoo users have noticed a few problems after upgrading to the 20230408
patchlevel[1,2,3], most notably output of openrc being completely
broken. While we do not have that particular problem because openrc in
Debian is built without ncurses support, I do not currently have an idea
which other packages might show misbehavior. So I am rather reluctant
to fix this bug before the bookworm release.
Cheers,
Sven
1. https://bugs.gentoo.org/904247
2. https://bugs.gentoo.org/904263
3. https://bugs.gentoo.org/904277
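Sven's remark that he could not find set-id binaries linked to libtinfo on his system is the check a practitioner will want to repeat locally. The script below is an added example for this bug log, not code from ncurses, Debian or anyone in the thread. It assumes the library directories and scan roots named in LIB_DIRS and SCAN_ROOTS, and it reads the ELF section headers itself instead of running ldd, which would execute the dynamic loader of a set-uid program. build_sample_elf() constructs a tiny ELF image purely as offline sample input for the parser.

```python
import os
import stat
import struct

TARGET_LIBS = ("libtinfo", "libtinfow", "libncurses", "libncursesw")
SHT_STRTAB, SHT_DYNAMIC, DT_NULL, DT_NEEDED = 3, 6, 0, 1
# Assumed soname search path; RPATH/RUNPATH and ld.so.cache are not consulted.
LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64",
            "/lib/x86_64-linux-gnu", "/usr/lib/x86_64-linux-gnu")
SCAN_ROOTS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec")

def is_setid(mode):
    """True if an st_mode carries the set-uid or set-gid bit."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

def needed_from_bytes(data):
    """DT_NEEDED sonames of an ELF image, read via its section headers; [] if not ELF."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return []
    end = "<" if data[5] == 1 else ">"                    # EI_DATA: 1 little, 2 big endian
    if data[4] == 2:                                       # EI_CLASS: ELF64
        (shoff,) = struct.unpack_from(end + "Q", data, 0x28)
        shentsize, shnum = struct.unpack_from(end + "HH", data, 0x3A)
        sh_fmt, dyn_fmt = end + "IIQQQQIIQQ", end + "qQ"
    else:                                                  # ELF32
        (shoff,) = struct.unpack_from(end + "I", data, 0x20)
        shentsize, shnum = struct.unpack_from(end + "HH", data, 0x2E)
        sh_fmt, dyn_fmt = end + "10I", end + "iI"
    if shentsize < struct.calcsize(sh_fmt) or shoff == 0 or shoff + shentsize * shnum > len(data):
        return []
    # Same field order in both classes: [1]=sh_type [4]=sh_offset [5]=sh_size [6]=sh_link
    sec = [struct.unpack_from(sh_fmt, data, shoff + i * shentsize) for i in range(shnum)]
    ent, needed = struct.calcsize(dyn_fmt), []
    for sh in sec:
        if sh[1] != SHT_DYNAMIC or sh[6] >= shnum or sec[sh[6]][1] != SHT_STRTAB:
            continue
        str_off, str_size = sec[sh[6]][4], sec[sh[6]][5]   # .dynstr, linked from .dynamic
        for pos in range(sh[4], min(sh[4] + sh[5], len(data)) - ent + 1, ent):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED and val < str_size and str_off + val < len(data):
                needed.append(data[str_off + val:].split(b"\0", 1)[0].decode("ascii", "replace"))
    return needed

def elf_needed(path):
    """DT_NEEDED sonames of the file at path; [] if unreadable or not ELF."""
    try:
        with open(path, "rb") as f:
            return needed_from_bytes(f.read())
    except OSError:
        return []

def transitive_needed(path, lib_dirs=LIB_DIRS, limit=64):
    """Direct plus transitive sonames: a set-id program may reach libtinfo only
    through another library (libreadline, for instance)."""
    todo, seen = elf_needed(path), []
    while todo and len(seen) < limit:
        so = todo.pop()
        if so in seen:
            continue
        seen.append(so)
        for d in lib_dirs:
            if os.path.isfile(os.path.join(d, so)):
                todo.extend(elf_needed(os.path.join(d, so)))
                break
    return seen

def curses_libs(sonames):
    """Those sonames that are ncurses/terminfo libraries."""
    return [s for s in sonames if s.split(".so", 1)[0] in TARGET_LIBS]

def find_setid_curses(roots=SCAN_ROOTS):
    """Yield (path, matching sonames) for set-uid/set-gid executables linking a curses library."""
    seen = set()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)                     # follows symlinks; mode is the target's
                except OSError:
                    continue
                real = os.path.realpath(path)
                if not stat.S_ISREG(st.st_mode) or not is_setid(st.st_mode) or real in seen:
                    continue
                seen.add(real)
                libs = curses_libs(transitive_needed(real))
                if libs:
                    yield path, libs

def build_sample_elf(needed):
    """Constructed minimal little-endian ELF64 holding only .dynstr and .dynamic,
    so needed_from_bytes() can be exercised offline; not a real executable."""
    strtab, offs = b"\0", []
    for n in needed:
        offs.append(len(strtab))
        strtab += n.encode() + b"\0"
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offs) + struct.pack("<qQ", DT_NULL, 0)
    str_off, dyn_off = 64, 64 + len(strtab)
    sh_off, sh_fmt = dyn_off + len(dyn), "<IIQQQQIIQQ"
    shdrs = struct.pack(sh_fmt, *([0] * 10))                                   # SHT_NULL
    shdrs += struct.pack(sh_fmt, 0, SHT_STRTAB, 0, 0, str_off, len(strtab), 0, 0, 1, 0)
    shdrs += struct.pack(sh_fmt, 0, SHT_DYNAMIC, 0, 0, dyn_off, len(dyn), 1, 0, 8, 16)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8                         # ELF64, LE, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, sh_off, 0, 64, 56, 0, 64, 3, 1)
    return ehdr + strtab + dyn + shdrs

if __name__ == "__main__":
    for path, libs in find_setid_curses():
        print(f"{path}: {', '.join(libs)}")
```

Run it with read access to the binaries; a program that reaches libtinfo only through another library is reported as long as that library's soname resolves in one of the assumed LIB_DIRS, so add your distribution's multiarch directories before trusting an empty result.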
Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>: Bug#1034372; Package src:ncurses. (Sat, 15 Apr 2023 11:39:02 GMT)
Acknowledgement sent to dickey@his.com: Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Sat, 15 Apr 2023 11:39:02 GMT)
On Sat, Apr 15, 2023 at 09:05:25AM +0200, Sven Joachim wrote:
> On 2023-04-13 20:39 +0200, Moritz Mühlenhoff wrote:
>
> > The following vulnerability was published for ncurses.
> >
> > CVE-2023-29491 was assigned to https://invisible-island.net/ncurses/NEWS.html#index-t20230408
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2023-29491
> > https://www.cve.org/CVERecord?id=CVE-2023-29491
>
> Security boundaries are only crossed for setuid/setgid programs here,
> and we probably do not have many setuid binaries linked to libtinfo in
> the distribution (on my system, I could not find any). So I guess you
> probably do not want to issue a DSA here, right?
>
> Gentoo users have noticed a few problems after upgrading to the 20230408
> patchlevel[1,2,3], most notably output of openrc being completely
> broken. While we do not have that particular problem because openrc in
It was already broken (the "(null)" strings come from its misuse of the
ncurses interface, which will require fixes in OpenRC). I'm not going
to provide a patch for OpenRC itself - any maintainer should be able to
do _that_.
Today I'll put out the fix for zero-parameter tsl, along with similar minor
improvements, and if nothing else surfaces, use that as the basis for the
security-patch.
> Debian is built without ncurses support, I do not currently have an idea
> which other packages might show misbehavior. So I am rather reluctant
> to fix this bug before the bookworm release.
Actually, the discussion there should be based on what the disclosure covers.
I'm addressing their concerns as well as I'm able.
> Cheers,
> Sven
>
>
> 1. https://bugs.gentoo.org/904247
> 2. https://bugs.gentoo.org/904263
> 3. https://bugs.gentoo.org/904277
>
--
Thomas E. Dickey <dickey@invisible-island.net>
https://invisible-island.net
Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>: Bug#1034372; Package src:ncurses. (Wed, 19 Apr 2023 00:24:02 GMT)
Acknowledgement sent to dickey@his.com: Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Wed, 19 Apr 2023 00:24:02 GMT)
On Sat, Apr 15, 2023 at 07:27:45AM -0400, Thomas Dickey wrote:
> On Sat, Apr 15, 2023 at 09:05:25AM +0200, Sven Joachim wrote:
> > On 2023-04-13 20:39 +0200, Moritz Mühlenhoff wrote:
> >
> > > The following vulnerability was published for ncurses.
> > >
> > > CVE-2023-29491 was assigned to https://invisible-island.net/ncurses/NEWS.html#index-t20230408
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2023-29491
> > > https://www.cve.org/CVERecord?id=CVE-2023-29491
> >
> > Security boundaries are only crossed for setuid/setgid programs here,
> > and we probably do not have many setuid binaries linked to libtinfo in
> > the distribution (on my system, I could not find any). So I guess you
> > probably do not want to issue a DSA here, right?
> >
> > Gentoo users have noticed a few problems after upgrading to the 20230408
> > patchlevel[1,2,3], most notably output of openrc being completely
> > broken. While we do not have that particular problem because openrc in
>
> It was already broken (the "(null)" strings come from its misuse of the
> ncurses interface, which will require fixes in OpenRC). I'm not going
> to provide a patch for OpenRC itself - any maintainer should be able to
> do _that_.
>
> Today I'll put out the fix for zero-parameter tsl, along with similar minor
> improvements, and if nothing else surfaces, use that as the basis for the
> security-patch.
I had another fix, which works fine. Except of course for programs which
call tparm without actually reading from the terminal database, and don't
check error returns. I could digress...
...reflecting on all of this, the low-impact change would be to use the
--disable-root-environ configure option (possibly --disable-root-access
as well).
By the way, the issues that I've been addressing exist in other
implementations. Have a nice day.
--
Thomas E. Dickey <dickey@invisible-island.net>
https://invisible-island.net
Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>: Bug#1034372; Package src:ncurses. (Sun, 23 Apr 2023 06:51:03 GMT)
Acknowledgement sent to Sven Joachim <svenjoac@gmx.de>: Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Sun, 23 Apr 2023 06:51:03 GMT)
Cc: 1034372@bugs.debian.org, Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org
Subject: Re: Bug#1034372: ncurses: CVE-2023-29491
Date: Sun, 23 Apr 2023 08:47:34 +0200
On 2023-04-18 20:15 -0400, Thomas Dickey wrote:
> On Sat, Apr 15, 2023 at 07:27:45AM -0400, Thomas Dickey wrote:
>> On Sat, Apr 15, 2023 at 09:05:25AM +0200, Sven Joachim wrote:
>> >
>> > Security boundaries are only crossed for setuid/setgid programs here,
>> > and we probably do not have many setuid binaries linked to libtinfo in
>> > the distribution (on my system, I could not find any). So I guess you
>> > probably do not want to issue a DSA here, right?
>> >
>> > Gentoo users have noticed a few problems after upgrading to the 20230408
>> > patchlevel[1,2,3], most notably output of openrc being completely
>> > broken. While we do not have that particular problem because openrc in
>>
>> It was already broken (the "(null)" strings come from its misuse of the
>> ncurses interface, which will require fixes in OpenRC). I'm not going
>> to provide a patch for OpenRC itself - any maintainer should be able to
>> do _that_.
>>
>> Today I'll put out the fix for zero-parameter tsl, along with similar minor
>> improvements, and if nothing else surfaces, use that as the basis for the
>> security-patch.
>
> I had another fix, which works fine. Except of course for programs which
> call tparm without actually reading from the terminal database, and don't
> check error returns. I could digress...
I am happy to reveal the bugs in these non-conforming programs after
the bookworm release, but for now this is too intrusive. We are about
to release Debian 12 within the next two months.
> ...reflecting on all of this, the low-impact change would be to use the
> --disable-root-environ configure option (possibly --disable-root-access
> as well).
The --disable-root-environ option disables _all_ use of custom terminfo
files by the superuser. This has some side effects.
- At least one package FTBFS[1] because it runs TERMINFO=… tic under
fakeroot.
- Rescue mode in the non-graphical Debian installer is broken if
ncurses-term is not installed. The installer uses an obscure terminal
emulator called bogl-bterm which sets TERM=bterm, and if that terminfo
entry is not found on the target system, it copies it to a temporary
directory and sets TERMINFO accordingly before chrooting into the
target system.
- Emacs' term.el package sets TERM=eterm-color and TERMINFO to the
directory where Emacs ships this terminfo entry. If ncurses-term is
not installed, running programs as root is broken.
- The sysadmin can no longer use private terminfo files under
/root/.terminfo and has to install those into the system database
instead, where they affect everyone. This might not always be
desired.
It is because of such issues that I had proposed a new configure option
that only restricts programs running at elevated privileges[2].
Cheers,
Sven
1. https://bugs.debian.org/1034644
2. https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00004.html
Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>: Bug#1034372; Package src:ncurses. (Mon, 01 May 2023 17:03:04 GMT)
Acknowledgement sent to Sven Joachim <svenjoac@gmx.de>: Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>. (Mon, 01 May 2023 17:03:04 GMT)
Cc: Thomas Dickey <dickey@his.com>, Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org
Subject: Re: Bug#1034372: ncurses: CVE-2023-29491
Date: Mon, 01 May 2023 18:58:39 +0200
On 2023-04-23 08:47 +0200, Sven Joachim wrote:
> On 2023-04-18 20:15 -0400, Thomas Dickey wrote:
>
>> On Sat, Apr 15, 2023 at 07:27:45AM -0400, Thomas Dickey wrote:
>>> On Sat, Apr 15, 2023 at 09:05:25AM +0200, Sven Joachim wrote:
>>> >
>>> > Security boundaries are only crossed for setuid/setgid programs here,
>>> > and we probably do not have many setuid binaries linked to libtinfo in
>>> > the distribution (on my system, I could not find any). So I guess you
>>> > probably do not want to issue a DSA here, right?
>>> >
>>> > Gentoo users have noticed a few problems after upgrading to the 20230408
>>> > patchlevel[1,2,3], most notably output of openrc being completely
>>> > broken. While we do not have that particular problem because openrc in
>>>
>>> It was already broken (the "(null)" strings come from its misuse of the
>>> ncurses interface, which will require fixes in OpenRC). I'm not going
>>> to provide a patch for OpenRC itself - any maintainer should be able to
>>> do _that_.
>>>
>>> Today I'll put out the fix for zero-parameter tsl, along with similar minor
>>> improvements, and if nothing else surfaces, use that as the basis for the
>>> security-patch.
>>
>> I had another fix, which works fine. Except of course for programs which
>> call tparm without actually reading from the terminal database, and don't
>> check error returns. I could digress...
>
> I am happy to reveal the bugs in theses non-conforming programs after
> the bookworm release, but for now this is too intrusive. We are about
> to release Debian 12 within the next two months.
>
>> ...reflecting on all of this, the low-impact change would be to use the
>> --disable-root-environ configure option (possibly --disable-root-access
>> as well).
>
> The --disable-root-environ option disables _all_ use of custom terminfo
> files by the superuser. This has some side effects.
>
> - At least one package FTBFS[1] because it runs TERMINFO=… tic under
> fakeroot.
>
> - Rescue mode in the non-graphical Debian installer is broken if
> ncurses-term is not installed. The installer uses an obscure terminal
> emulator called bogl-bterm which sets TERM=bterm, and if that terminfo
> entry is not found on the target system, it copies it to a temporary
> directory and sets TERMINFO accordingly before chrooting into the
> target system.
>
> - Emacs' term.el package sets TERM=eterm-color and TERMINFO to the
> directory where Emacs ships this terminfo entry. If ncurses-term is
> not installed, running programs as root is broken.
>
> - The sysadmin can no longer use private terminfo files under
> /root/.terminfo and has to install those into the system database
> instead, where they affect everyone. This might not always be
> desired.
>
> It is because of such issues that I had proposed a new configure option
> that only restricts programs running at elevated privileges[2].
Thomas was so kind to provide a new "--disable-setuid-environ" option in
the 20230423 patchlevel which does what I want. I had looked at
backporting this option, but as that would require changes to multiple
files, and the patches did not apply cleanly without taking some
additional changes from the previous patchlevel first, I decided on a
different route.
By removing two lines in the _nc_env_access() function, the existing
"--disable-root-environ" option becomes functionally equivalent to the
new "--disable-setuid-environ" option, allowing for a rather minimal
patch. In #1035351 I have asked for the release team's approval.
Cheers,
Sven
Marked as found in versions ncurses/6.2+20201114-2. Request was from Sven Joachim <svenjoac@gmx.de> to control@bugs.debian.org. (Sat, 20 May 2023 09:03:03 GMT)
Message sent on to Moritz Mühlenhoff <jmm@inutil.org>: Bug#1034372. (Mon, 05 Jun 2023 20:18:06 GMT)
Control: tag -1 pending
Hello,
Bug #1034372 in ncurses reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/debian/ncurses/-/commit/dd14dc3ff9c25ea44b200b73dea6d4759ce7034f
------------------------------------------------------------------------
Close bug #1034372
CVE-2023-29491 has been addressed in the 20230408 upstream patchlevel,
with some additional fixups in the 20230415 and 20230423 patchlevels.
Closes: #1034372
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1034372
Added tag(s) pending. Request was from Sven Joachim <noreply@salsa.debian.org> to 1034372-submitter@bugs.debian.org. (Mon, 05 Jun 2023 20:18:06 GMT)
Reply sent to Sven Joachim <svenjoac@gmx.de>: You have taken responsibility. (Thu, 15 Jun 2023 17:15:12 GMT)
Notification sent to Moritz Mühlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Thu, 15 Jun 2023 17:15:12 GMT)
Subject: Bug#1034372: fixed in ncurses 6.4+20230603-1
Date: Thu, 15 Jun 2023 17:11:18 +0000
Source: ncurses
Source-Version: 6.4+20230603-1
Done: Sven Joachim <svenjoac@gmx.de>
We believe that the bug you reported is fixed in the latest version of
ncurses, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1034372@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sven Joachim <svenjoac@gmx.de> (supplier of updated ncurses package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 15 Jun 2023 18:34:20 +0200
Source: ncurses
Architecture: source
Version: 6.4+20230603-1
Distribution: experimental
Urgency: low
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Sven Joachim <svenjoac@gmx.de>
Closes: 622286 1028202 1029977 1032708 1032740 1032741 1034372 1034549
Changes:
ncurses (6.4+20230603-1) experimental; urgency=low
.
* New upstream patchlevel.
- Improve checks for malformed terminfo data (report/analysis by
Jonathan Bar Or, Michael Pearse, Emanuele Cozzi (CVE-2023-29491,
Closes: #1034372)).
- Drop compatibility with obsolete versions of tack, e.g., pre-1.08
(Closes: #1034549).
* Drop cherry-picked patches, applied upstream.
* Configure with "--disable-setuid-environ" instead of
"--disable-root-environ" and drop patch debian-env-access.diff.
* Refresh remaining Debian patches.
- Drop the hunk for screen-base from 02-debian-backspace.diff.
Upstream sets kbs in screen-base to xterm+kbs now, so this is
handled via the "--with-xterm-kbs" configure option.
* Configure with "--disable-root-access" to further restrict programs
running with elevated privileges.
* Update symbols files for the new symbols tiparm_s and tiscan_s,
and the newly exported symbols _nc_safe_fopen and _nc_safe_open3.
* Remove the ncurses{w,}5-config compatibility symlinks
(Closes: #1029977).
* Remove old upstream SHA1 signing key C52048C0C0748FEE from
debian/upstream/signing-key.asc.
* Export ARFLAGS = -crv in debian/rules to ensure deterministic static
libraries (see #1029404).
* Stop building the empty transitional packages libtinfo-dev
and libncurses{,w}5-dev (Closes: #1032708, #1032740, #1032741).
* Move the ncurses-base terminfo files to /usr/share/terminfo
(Closes: #1028202, #622286).
- Add a Breaks on cryptsetup-initramfs (<< 2:2.6.1) to ncurses-base
(see #1028234).
* Remove various Breaks/Replaces relationships with package versions
predating buster.
* Update years in debian/copyright.
Checksums-Sha1:
445fe97aa6ea9308555b5f6b7f85f6a9e12144a3 4012 ncurses_6.4+20230603-1.dsc
804970af9fc62bdd9a5f63a44137bb3942b86ab8 3644602 ncurses_6.4+20230603.orig.tar.gz
0b2bb01be060bf19dd27ab9a3239bc85345992e3 729 ncurses_6.4+20230603.orig.tar.gz.asc
8db779694d996a97893ee31dccce70edd54f6705 54228 ncurses_6.4+20230603-1.debian.tar.xz
79673dfe04f26b437a13b7cec34de9edbec188fe 6743 ncurses_6.4+20230603-1_source.buildinfo
Checksums-Sha256:
14f05be353be96a0e8ef177d8fb4054fc9d785950d84f151781a481fa3d532b0 4012 ncurses_6.4+20230603-1.dsc
f78c05a7729f0c4a2df26556f288c808f14a7d179d9eb69c99cf9092fb0514ca 3644602 ncurses_6.4+20230603.orig.tar.gz
76ff73b21766cf5b4ba84f8ea3b41a314c6dcb79573e97f64ed6da07e7f2375f 729 ncurses_6.4+20230603.orig.tar.gz.asc
7f39384fc626f06597363c218c6e5d19cb07eeda3100adcaa79ba2bfd7961916 54228 ncurses_6.4+20230603-1.debian.tar.xz
5a6337aba609b01804b8dbf4dd6c9ec4c86b561c847a58dc1dfe621461831315 6743 ncurses_6.4+20230603-1_source.buildinfo
Files:
25e06ea64ad265a7978e250044419ac7 4012 libs required ncurses_6.4+20230603-1.dsc
bbdcd0037a373bf66daf0905977bf740 3644602 libs required ncurses_6.4+20230603.orig.tar.gz
9eebaa8827c6c8a58973313b831349b7 729 libs required ncurses_6.4+20230603.orig.tar.gz.asc
e77d96ae2052c0dbd92ea83f2b07c4cc 54228 libs required ncurses_6.4+20230603-1.debian.tar.xz
7d2e514f5223bd4644b44077114ba235 6743 libs required ncurses_6.4+20230603-1_source.buildinfo
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 14 Jul 2023 07:26:49 GMT)