Wow, this bug must have been in ncurses for decades. Yikes.
However, I'm at a loss to think of any setuid ncurses program?? Seems to have warranted a 7.8 severity though.
https://nvd.nist.gov/vuln/detail/CVE-2023-29491
ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
Begin forwarded message:
Date: Wed, 31 Jan 2024 01:42:30 +0000 (UTC)
From: updates@fedoraproject.org
To: package-announce@lists.fedoraproject.org
Subject: [SECURITY] Fedora 38 Update: ncurses-6.4-7.20230520.fc38

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-96090dafaf
2024-01-31 01:41:22.934193
--------------------------------------------------------------------------------

Name : ncurses
--------------------------------------------------------------------------------
Update Information:

Update to newer ncurses version, which fixes CVE-2023-29491 and CVE-2023-50495.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Aug 22 2023 Miroslav Lichvar <mlichvar@redhat.com> 6.4-7.20230520
- ignore TERMINFO and HOME only if setuid/setgid/capability
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 6.4-6.20230520
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue Jun 27 2023 Debarshi Ray <rishi@fedoraproject.org> 6.4-5.20230520
- move foot entries to -base (#2217982)
* Mon May 22 2023 Miroslav Lichvar <mlichvar@redhat.com> 6.4-4.20230520
- update to 6.4-20230520
- build with options disabling root file access and environment
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2191704 - CVE-2023-29491 ncurses: Local users can trigger security-relevant memory corruption via malformed data
https://bugzilla.redhat.com/show_bug.cgi?id=2191704
[ 2 ] Bug #2254244 - CVE-2023-50495 ncurses: segmentation fault via _nc_wrap_entry()
https://bugzilla.redhat.com/show_bug.cgi?id=2254244
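The changelog entry "ignore TERMINFO and HOME only if setuid/setgid/capability" describes a hardening that is easy to model. The following is an added example, not ncurses' own code: user-controlled terminfo locations (TERMINFO, $HOME/.terminfo) are dropped from the lookup order whenever the real and effective IDs differ. The system directories, the TERM sanity check and the omission of the capability case are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_CANDIDATES 4
#define PATH_LEN 512

/* Privileged if real and effective IDs differ (setuid/setgid). The
 * capability case named in the changelog is omitted in this model. */
int process_is_privileged(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Fill `out` with the terminfo files a lookup of `term` would try, in
 * order. User-controlled sources (TERMINFO, $HOME/.terminfo) are only
 * consulted when unprivileged. Returns the count, or -1 if `term` is
 * unusable (empty, hidden, or containing a path separator). */
int terminfo_candidates(char out[][PATH_LEN], const char *term,
                        const char *env_terminfo, const char *home,
                        int privileged) {
    int n = 0;
    if (term == NULL || term[0] == '\0' || term[0] == '.' || strchr(term, '/'))
        return -1;
    if (!privileged) {
        if (env_terminfo && env_terminfo[0] == '/')
            snprintf(out[n++], PATH_LEN, "%s/%c/%s", env_terminfo, term[0], term);
        if (home && home[0] == '/')
            snprintf(out[n++], PATH_LEN, "%s/.terminfo/%c/%s", home, term[0], term);
    }
    /* Assumed root-owned system directories: always trusted. */
    snprintf(out[n++], PATH_LEN, "/etc/terminfo/%c/%s", term[0], term);
    snprintf(out[n++], PATH_LEN, "/usr/share/terminfo/%c/%s", term[0], term);
    return n;
}

int main(void) {
    char paths[MAX_CANDIDATES][PATH_LEN];
    const char *term = getenv("TERM") ? getenv("TERM") : "xterm";
    int priv = process_is_privileged();
    int n = terminfo_candidates(paths, term, getenv("TERMINFO"), getenv("HOME"), priv);
    printf("%s process, %d candidate(s) for TERM=%s:\n",
           priv ? "privileged" : "unprivileged", n, term);
    for (int i = 0; i < n; i++)
        printf("  %s\n", paths[i]);
    return n < 0;
}
```

Run it once normally and once as a setuid copy to see the user-controlled entries disappear from the list.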
Anyone who uses the idiom "sudo vim file" (possibly even "sudoedit file"?) could easily be hit. Well, once someone manages to populate their ~/.terminfo or $TERM or $TERMINFO with malicious information, which I'd say is actually the harder part. Although given the number of people who will happily do "curl -O - http://.... | bash" maybe not so hard after all. -Adam
-----Original Message-----
From: Roundtable <roundtable-bounces@muug.ca> On Behalf Of Trevor Cordes
Sent: Tuesday, January 30, 2024 7:54 PM
To: MUUG RndTbl <roundtable@muug.ca>
Subject: [RndTbl] [SECURITY] Fedora 38 Update: ncurses-6.4-7.20230520.fc38
On 2024-01-31 Adam Thompson wrote:
Anyone who uses the idiom "sudo vim file" (possibly even "sudoedit file"?) could easily be hit. Well, once someone manages to populate their ~/.terminfo or $TERM or $TERMINFO with malicious information, which I'd say is actually the harder part. Although given the number of people who will happily do "curl -O - http://.... | bash" maybe not so hard after all. -Adam
Ah yes, completely forgot the editor angle. Doh. That's a scary thought. I guess you really should limit what you run as root... having a hole like this in ncurses is almost as bad as having it in stdlib!
The terminfo requirements of the hack would mean the most likely vector would have to be someone who already has local system access? Other than your curl example, it might be hard to use this remotely.
Still, they gave it 7.8... which isn't often. Maybe there are more angles we haven't spotted yet.