Bug 930806 - sys-libs/ncurses: consider passing --disable-setuid-environ
Summary: sys-libs/ncurses: consider passing --disable-setuid-environ
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: Gentoo's Team for Core System packages
Reported: 2024-04-28 03:37 UTC by Sam James
Modified: 2024-04-28 08:31 UTC
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-04-28 03:37:23 UTC
From the ncurses-6.5 release notes [0]:
"""
   There are a few new configure options:

   --disable-setuid-environ
          Compile  with  environment  restriction, so certain environment
          variables  are  not  available when running via a setuid/setgid
          application. These are (for example $TERMINFO) those that allow
          the  search  path  for  the  terminfo  or  termcap  entry to be
          customized.

          A  setuid/setgid application inherits its environment variables
          from  the current user, in contrast to sudo which may limit the
          environment variables that ncurses uses.
"""

We should consider passing --disable-setuid-environ [1] either unconditionally or at least with USE=hardened.

It was added to ncurses after a request by Sven Joachim [2] as a mitigation for CVE-2023-29491 (bug 904247).

Worth noting that MS allude to this risk with TERMINFO in https://www.microsoft.com/en-us/security/blog/2023/09/14/uncursing-the-ncurses-memory-corruption-vulnerabilities-found-in-library/, see also https://blog.trailofbits.com/2023/02/16/suid-logic-bug-linux-readline/.

[0] https://lists.gnu.org/archive/html/info-gnu/2024-04/msg00004.html
[1] https://invisible-island.net/ncurses/INSTALL.html#option:disable-setuid-environ
[2] https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00004.html
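
The environment restriction quoted in the description, sketched as an added example (not ncurses source and not part of the bug report): a process running setuid/setgid ignores `$TERMINFO` and `$TERMINFO_DIRS` and searches only the compiled-in directory. The function names, the default path and the simplified search order are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed compiled-in default; the real path is chosen at configure time. */
#define DEFAULT_TERMINFO "/usr/share/terminfo"

/* setuid/setgid execution leaves the effective IDs different from the real
 * ones (glibc's secure_getenv() applies the same idea via AT_SECURE). */
int ids_are_privileged(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid) {
    return ruid != euid || rgid != egid;
}

/* getenv() that ignores caller-controlled values in a privileged process. */
const char *restricted_getenv(const char *name, int privileged) {
    const char *v = privileged ? NULL : getenv(name);
    return (v != NULL && v[0] != '\0') ? v : NULL;
}

/* Fill dirs[] with the (simplified) terminfo search order and return the
 * number of entries. buf holds a private copy of $TERMINFO_DIRS to split. */
size_t terminfo_search_path(int privileged, const char *dirs[], size_t max,
                            char *buf, size_t buflen) {
    size_t n = 0;
    const char *one = restricted_getenv("TERMINFO", privileged);
    const char *list = restricted_getenv("TERMINFO_DIRS", privileged);

    if (one != NULL && n < max)
        dirs[n++] = one;
    if (list != NULL && strlen(list) < buflen) {
        strcpy(buf, list);
        for (char *p = strtok(buf, ":"); p != NULL && n < max; p = strtok(NULL, ":"))
            dirs[n++] = p;
    }
    if (n < max)
        dirs[n++] = DEFAULT_TERMINFO;   /* always searched last */
    return n;
}

int main(void) {
    const char *dirs[8];
    char buf[1024];
    int priv = ids_are_privileged(getuid(), geteuid(), getgid(), getegid());
    size_t n = terminfo_search_path(priv, dirs, 8, buf, sizeof buf);
    for (size_t i = 0; i < n; i++)
        printf("%s%s\n", priv ? "[privileged] " : "", dirs[i]);
    return 0;
}
```
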
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-04-28 03:37:41 UTC
I think I'll likely chuck this in to 6.5 but I wanted to file this so the reasoning was clear.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-04-28 03:42:32 UTC
There's also:
* --disable-root-access

    --disable-root-access
        Compile with environment restriction, so most file-access is limited
        when running as root, or via a setuid/setgid application.

* --disable-root-environ

        Compile with environment restriction, so certain environment variables
        are not available when running as root.  These are (for example
        $TERMINFO) those that allow the search path for the terminfo or termcap
        entry to be customized.

        Disabling the root environment variables also disables the setuid
        environment variables by default.  Use the --disable-setuid-environ
        option to modify this behavior.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-04-28 03:52:06 UTC
(In reply to Sam James from comment #2)
> There's also:
> * --disable-root-access
> 
>     --disable-root-access
>         Compile with environment restriction, so most file-access is limited
>         when running as root, or via a setuid/setgid application.
> 

https://github.com/kovidgoyal/kitty/issues/6842

... so maybe we'll leave it for now, or reserve --disable-root-access + --disable-root-environ for USE=hardened.
Comment 4 Larry the Git Cow gentoo-dev 2024-04-28 04:03:46 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ef4afbd75c2c6e8262d2de04930398dfbce1d1bc

commit ef4afbd75c2c6e8262d2de04930398dfbce1d1bc
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-04-28 03:49:27 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-04-28 04:02:12 +0000

    sys-libs/ncurses: tweaks to 6.5
    
    * Cleanup PATCH_DATES as new release means starting anew
    * Cleanup whitespace left over from opaque settings
    * Pass --enable-fvisibility
    * Pass --disable-setuid-environ (bug #930806)
    * Add a TODO wrt gpm/PDEPEND/circular dep
    
    Closes: https://bugs.gentoo.org/930806
    Signed-off-by: Sam James <sam@gentoo.org>

 .../{ncurses-6.5.ebuild => ncurses-6.5-r1.ebuild}  | 85 ++++------------------
 1 file changed, 14 insertions(+), 71 deletions(-)
Comment 5 Ionen Wolkens gentoo-dev 2024-04-28 08:14:29 UTC
As far as kitty goes, should ideally rely on installing the kitty-terminfo package on the remote distro, which I'd assume users can do if they have root access.

Not to say whether should enable this or not, but I think it's not much of a blocker.

kitty does implement a lot of hacks (including for shell integration) that try to work around the fact distros haven't set up the files it needs (either local or remotely) that are otherwise unneeded.
Comment 6 Ionen Wolkens gentoo-dev 2024-04-28 08:29:01 UTC
Albeit, if enabled, it indeed probably wouldn't hurt to have a way to disable it for the few users that really want this. So USE=hardened or something else that could be default-on everywhere could be fine.
Comment 7 Ionen Wolkens gentoo-dev 2024-04-28 08:31:47 UTC
(In reply to Ionen Wolkens from comment #6)
> Albeit, if enabled, it indeed probably wouldn't hurt to have a way to
> disable it for the few users that really want this. So USE=hardened or
> something else that could be default-on everywhere could be fine.
..then again, I could imagine the place where it may annoy the most people are things like install CDs, and likely wouldn't want it to be a default there.