#5416 closed enhancement (fixed)

ncurses-6.4-20230520 (fix CVE-2023-29491)

Reported by: Xi Ruoyao Owned by: Xi Ruoyao
Priority: high Milestone: 12.1
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

In BLFS screen is a setuid executable and it uses ncurses, so we need update ncurses to a fixed version. Arch and Fedora are using 6.4-20230520, which can be downloaded from https://ncurses.scripts.mit.edu/?p=ncurses.git;a=snapshot;h=e762b1bf39c1080e4155e0a592f22452130bdfc6;sf=tgz but we need to repackage it & upload to anduin.

Change History (4)

comment:1 by Xi Ruoyao, 11 months ago

Some other distros are configuring ncurses with --disable-root-access --disable-setuid-environ options as a precaution, but they are not needed to fix this specific vulnerability. Not sure if we should use them.

comment:3 by Xi Ruoyao, 11 months ago

Owner: changed from lfs-book to Xi Ruoyao
Status: newassigned

We have a dozen of tickets now (including 3 security fixes) and Linux 6.7.1 is out. And we better do an update before Feb to settle other things down before new Binutils and Glibc.

comment:4 by Xi Ruoyao, 11 months ago

Resolution: fixed
Status: assignedclosed

Fixed: Package updates

SA 12.0-076.

Note: See TracTickets for help on using tickets.