Anyone who uses the idiom "sudo vim file" (possibly even "sudoedit file"?) could easily be hit. Well, once someone manages to populate their ~/.terminfo or $TERM or $TERMINFO with malicious information, which I'd say is actually the harder part. Although given the number of people who will happily do "curl -O - http://.... | bash" maybe not so hard after all.

-Adam
-----Original Message-----
From: Roundtable roundtable-bounces@muug.ca On Behalf Of Trevor Cordes
Sent: Tuesday, January 30, 2024 7:54 PM
To: MUUG RndTbl roundtable@muug.ca
Subject: [RndTbl] [SECURITY] Fedora 38 Update: ncurses-6.4-7.20230520.fc38
Wow, this bug must have been in ncurses for decades. Yikes.
However, I'm at a loss to think of any setuid ncurses program?? Seems to have warranted a 7.8 severity though.
https://nvd.nist.gov/vuln/detail/CVE-2023-29491
ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
Begin forwarded message:
Date: Wed, 31 Jan 2024 01:42:30 +0000 (UTC)
From: updates@fedoraproject.org
To: package-announce@lists.fedoraproject.org
Subject: [SECURITY] Fedora 38 Update: ncurses-6.4-7.20230520.fc38
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-96090dafaf
2024-01-31 01:41:22.934193
--------------------------------------------------------------------------------

Name : ncurses
--------------------------------------------------------------------------------
Update Information:

Update to newer ncurses version, which fixes CVE-2023-29491 and CVE-2023-50495.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Aug 22 2023 Miroslav Lichvar mlichvar@redhat.com 6.4-7.20230520
- ignore TERMINFO and HOME only if setuid/setgid/capability
* Thu Jul 20 2023 Fedora Release Engineering releng@fedoraproject.org - 6.4-6.20230520
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue Jun 27 2023 Debarshi Ray rishi@fedoraproject.org 6.4-5.20230520
- move foot entries to -base (#2217982)
* Mon May 22 2023 Miroslav Lichvar mlichvar@redhat.com 6.4-4.20230520
- update to 6.4-20230520
- build with options disabling root file access and environment
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2191704 - CVE-2023-29491 ncurses: Local users can trigger security-relevant memory corruption via malformed data
      https://bugzilla.redhat.com/show_bug.cgi?id=2191704
[ 2 ] Bug #2254244 - CVE-2023-50495 ncurses: segmentation fault via _nc_wrap_entry()
      https://bugzilla.redhat.com/show_bug.cgi?id=2254244
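The thread and the CVE text name three user-controlled sources of terminfo data: $TERMINFO, $HOME/.terminfo and the entry selected by $TERM. As an added example (not part of the thread, the Fedora notice or ncurses itself), this shell function reports which of them are present for an account; the function name `audit_terminfo` and the message wording are assumptions made for illustration.

```shell
#!/bin/sh
# audit_terminfo HOME_DIR TERM_NAME TERMINFO_VALUE
# Prints one line per user-controlled terminfo source found; prints nothing
# when only the system database would be consulted. Always returns 0.
audit_terminfo() {
    at_home=$1
    at_term=$2
    at_terminfo=$3

    # $TERMINFO redirects the lookup to a location of the user's choosing.
    if [ -n "$at_terminfo" ]; then
        echo "TERMINFO is set: $at_terminfo"
    fi

    # A per-user database is consulted before the system one.
    if [ -d "$at_home/.terminfo" ]; then
        echo "per-user database exists: $at_home/.terminfo"

        # Compiled entries live in a subdirectory named after the first
        # character of the terminal name (x/xterm) or, on some platforms,
        # its hex code (78/xterm). Check both layouts.
        at_first=$(printf '%s' "$at_term" | cut -c1)
        at_hex=$(printf '%s' "$at_first" | od -An -tx1 | tr -d ' \n')
        for at_entry in "$at_home/.terminfo/$at_first/$at_term" \
                        "$at_home/.terminfo/$at_hex/$at_term"; do
            if [ -f "$at_entry" ]; then
                echo "entry shadows system copy for TERM=$at_term: $at_entry"
            fi
        done
    fi
    return 0
}

# Audit the invoking account's current environment.
audit_terminfo "${HOME:-}" "${TERM:-}" "${TERMINFO:-}"
```

Any output is worth reviewing before running a curses program with elevated privileges from that account.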