Version in base suite: 6.2+20201114-2+deb11u1 Base version: ncurses_6.2+20201114-2+deb11u1 Target version: ncurses_6.2+20201114-2+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/ncurses/ncurses_6.2+20201114-2+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/ncurses/ncurses_6.2+20201114-2+deb11u2.dsc changelog | 14 ++++++++++++++ lib32tinfo6.symbols | 1 + lib64tinfo6.symbols | 1 + libtinfo5.symbols | 1 + libtinfo6.symbols | 1 + patches/debian-env-access.diff | 27 +++++++++++++++++++++++++++ patches/series | 1 + rules | 1 + 8 files changed, 47 insertions(+) diff -Nru ncurses-6.2+20201114/debian/changelog ncurses-6.2+20201114/debian/changelog --- ncurses-6.2+20201114/debian/changelog 2023-02-08 19:16:03.000000000 +0000 +++ ncurses-6.2+20201114/debian/changelog 2023-05-26 18:31:08.000000000 +0000 @@ -1,3 +1,17 @@ +ncurses (6.2+20201114-2+deb11u2) bullseye; urgency=medium + + * Configure with "--disable-root-environ" to disallow loading of + custom terminfo entries in setuid/setgid programs, mitigating the + impact of CVE-2023-29491 (see #1034372). + - Update the symbols files for the newly exported symbol + _nc_env_access. + - New patch debian-env-access.diff, changing the behavior of the + "--disable-root-environ" configure option to not restrict programs + run by the superuser, equivalent to the "--disable-setuid-environ" + option introduced in the 20230423 patchlevel. + + -- Sven Joachim Fri, 26 May 2023 20:31:08 +0200 + ncurses (6.2+20201114-2+deb11u1) bullseye; urgency=medium * New patch CVE-2022-29458.diff: add a limit-check to guard against diff -Nru ncurses-6.2+20201114/debian/lib32tinfo6.symbols ncurses-6.2+20201114/debian/lib32tinfo6.symbols --- ncurses-6.2+20201114/debian/lib32tinfo6.symbols 2021-01-01 09:31:15.000000000 +0000 +++ ncurses-6.2+20201114/debian/lib32tinfo6.symbols 2023-05-26 17:46:17.000000000 +0000 @@ -94,6 +94,7 @@ _nc_curr_col@NCURSES6_TINFO_5.0.19991023 6 _nc_curr_line@NCURSES6_TINFO_5.0.19991023 6 _nc_doalloc@NCURSES6_TINFO_5.0.19991023 6 + _nc_env_access@NCURSES6_TINFO_5.2.20001021 6.2+20201114-2+deb11u2~ _nc_err_abort@NCURSES6_TINFO_5.0.19991023 6 _nc_export_termtype2@NCURSES6_TINFO_6.1.20171230 6.1 _nc_fallback2@NCURSES6_TINFO_6.1.20171230 6.1 diff -Nru ncurses-6.2+20201114/debian/lib64tinfo6.symbols ncurses-6.2+20201114/debian/lib64tinfo6.symbols --- ncurses-6.2+20201114/debian/lib64tinfo6.symbols 2021-01-01 09:31:15.000000000 +0000 +++ ncurses-6.2+20201114/debian/lib64tinfo6.symbols 2023-05-26 17:46:17.000000000 +0000 @@ -94,6 +94,7 @@ _nc_curr_col@NCURSES6_TINFO_5.0.19991023 6 _nc_curr_line@NCURSES6_TINFO_5.0.19991023 6 _nc_doalloc@NCURSES6_TINFO_5.0.19991023 6 + _nc_env_access@NCURSES6_TINFO_5.2.20001021 6.2+20201114-2+deb11u2~ _nc_err_abort@NCURSES6_TINFO_5.0.19991023 6 _nc_export_termtype2@NCURSES6_TINFO_6.1.20171230 6.1 _nc_fallback2@NCURSES6_TINFO_6.1.20171230 6.1 diff -Nru ncurses-6.2+20201114/debian/libtinfo5.symbols ncurses-6.2+20201114/debian/libtinfo5.symbols --- ncurses-6.2+20201114/debian/libtinfo5.symbols 2021-01-01 09:31:15.000000000 +0000 +++ ncurses-6.2+20201114/debian/libtinfo5.symbols 2023-05-26 17:46:17.000000000 +0000 @@ -95,6 +95,7 @@ _nc_curr_col@NCURSES_TINFO_5.0.19991023 6 _nc_curr_line@NCURSES_TINFO_5.0.19991023 6 _nc_doalloc@NCURSES_TINFO_5.0.19991023 6 + _nc_env_access@NCURSES_TINFO_5.2.20001021 6.2+20201114-2+deb11u2~ _nc_err_abort@NCURSES_TINFO_5.0.19991023 6 _nc_fallback@NCURSES_TINFO_5.0.19991023 6 _nc_find_entry@NCURSES_TINFO_5.0.19991023 6 diff -Nru ncurses-6.2+20201114/debian/libtinfo6.symbols ncurses-6.2+20201114/debian/libtinfo6.symbols --- ncurses-6.2+20201114/debian/libtinfo6.symbols 2021-01-01 09:31:15.000000000 +0000 +++ ncurses-6.2+20201114/debian/libtinfo6.symbols 2023-05-26 17:46:17.000000000 +0000 @@ -94,6 +94,7 @@ _nc_curr_col@NCURSES6_TINFO_5.0.19991023 6 _nc_curr_line@NCURSES6_TINFO_5.0.19991023 6 _nc_doalloc@NCURSES6_TINFO_5.0.19991023 6 + _nc_env_access@NCURSES6_TINFO_5.2.20001021 6.2+20201114-2+deb11u2~ _nc_err_abort@NCURSES6_TINFO_5.0.19991023 6 _nc_export_termtype2@NCURSES6_TINFO_6.1.20171230 6.1 _nc_fallback2@NCURSES6_TINFO_6.1.20171230 6.1 diff -Nru ncurses-6.2+20201114/debian/patches/debian-env-access.diff ncurses-6.2+20201114/debian/patches/debian-env-access.diff --- ncurses-6.2+20201114/debian/patches/debian-env-access.diff 1970-01-01 00:00:00.000000000 +0000 +++ ncurses-6.2+20201114/debian/patches/debian-env-access.diff 2023-05-26 17:45:39.000000000 +0000 @@ -0,0 +1,27 @@ +Author: Sven Joachim +Description: Change the --disable-root-environ configure option behavior + By default, the --disable-root-environ option forbids program run by + the superuser to load custom terminfo entries. This patch changes + that to only restrict programs running with elevated privileges, + matching the behavior of the --disable-setuid-environ option + introduced in the 20230423 upstream patchlevel. +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29 +Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html +Forwarded: not-needed +Last-Update: 2023-05-26 + +--- + ncurses/tinfo/access.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/ncurses/tinfo/access.c ++++ b/ncurses/tinfo/access.c +@@ -185,7 +185,6 @@ _nc_env_access(void) + || getgid() != getegid()) + return FALSE; + #endif +- /* ...finally, disallow root */ +- return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID); ++ return TRUE; + } + #endif diff -Nru ncurses-6.2+20201114/debian/patches/series ncurses-6.2+20201114/debian/patches/series --- ncurses-6.2+20201114/debian/patches/series 2023-01-28 11:16:18.000000000 +0000 +++ ncurses-6.2+20201114/debian/patches/series 2023-05-26 17:45:13.000000000 +0000 @@ -6,3 +6,4 @@ 03-debian-ncursesconfig-omit-L.diff CVE-2022-29458.diff fix_crash_on_very_long_tc-use_clause.diff +debian-env-access.diff diff -Nru ncurses-6.2+20201114/debian/rules ncurses-6.2+20201114/debian/rules --- ncurses-6.2+20201114/debian/rules 2021-01-01 09:31:15.000000000 +0000 +++ ncurses-6.2+20201114/debian/rules 2023-05-26 17:46:17.000000000 +0000 @@ -141,6 +141,7 @@ --without-progs \ $(with_mouse) \ --enable-symlinks \ + --disable-root-environ \ --disable-termcap \ --with-default-terminfo-dir=/etc/terminfo \ --with-terminfo-dirs="/etc/terminfo:/lib/terminfo:/usr/share/terminfo" \