From the ncurses-6.5 release notes [0]:
"""
There are a few new configure options:

--disable-setuid-environ
    Compile with environment restriction, so certain environment variables are not available when running via a setuid/setgid application. These are (for example $TERMINFO) those that allow the search path for the terminfo or termcap entry to be customized.

    A setuid/setgid application inherits its environment variables from the current user, in contrast to sudo which may limit the environment variables that ncurses uses.
"""

We should consider passing --disable-setuid-environ [1] either unconditionally or at least with USE=hardened.

It was added to ncurses after a request by Sven Joachim [2] as a mitigation for CVE-2023-29491 (bug 904247).

Worth noting that MS allude to this risk with TERMINFO in https://www.microsoft.com/en-us/security/blog/2023/09/14/uncursing-the-ncurses-memory-corruption-vulnerabilities-found-in-library/, see also https://blog.trailofbits.com/2023/02/16/suid-logic-bug-linux-readline/.

[0] https://lists.gnu.org/archive/html/info-gnu/2024-04/msg00004.html
[1] https://invisible-island.net/ncurses/INSTALL.html#option:disable-setuid-environ
[2] https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00004.html
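The restriction the quoted release notes describe, sketched as an added example that is not part of this thread and is not ncurses' own code: a variable that steers the terminfo search path is ignored when the real and effective IDs differ. The function names, the inclusion of $TERMINFO_DIRS and the fallback path are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Real and effective IDs, passed explicitly so the policy is testable. */
struct ids { uid_t ruid, euid; gid_t rgid, egid; };

/* A setuid/setgid program runs with effective IDs that differ from real. */
bool is_elevated(struct ids p) {
    return p.ruid != p.euid || p.rgid != p.egid;
}

/* Variables that steer the terminfo search path. $TERMINFO is the one the
 * release notes name; $TERMINFO_DIRS is included here as an assumption. */
static const char *const path_vars[] = { "TERMINFO", "TERMINFO_DIRS" };

/* Drop the value of a path-steering variable when the process is elevated;
 * every other variable passes through unchanged. */
const char *filter_env(const char *name, const char *value, struct ids p) {
    if (is_elevated(p))
        for (size_t i = 0; i < sizeof path_vars / sizeof *path_vars; i++)
            if (strcmp(name, path_vars[i]) == 0)
                return NULL;
    return value;
}

/* Use the caller-supplied directory only if the filter lets it through,
 * otherwise fall back to the system location. */
const char *terminfo_dir(const char *env_value, struct ids p,
                         const char *fallback) {
    const char *dir = filter_env("TERMINFO", env_value, p);
    return (dir && *dir) ? dir : fallback;
}

int main(void) {
    struct ids me = { getuid(), geteuid(), getgid(), getegid() };
    /* "/usr/share/terminfo" is an assumed system default. */
    const char *dir = terminfo_dir(getenv("TERMINFO"), me,
                                   "/usr/share/terminfo");
    printf("elevated=%d terminfo dir=%s\n", is_elevated(me), dir);
    return 0;
}
```
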
I think I'll likely chuck this in to 6.5 but I wanted to file this so the reasoning was clear.
There's also:
* --disable-root-access

--disable-root-access
    Compile with environment restriction, so most file-access is limited when running as root, or via a setuid/setgid application.

* --disable-root-environ
    Compile with environment restriction, so certain environment variables are not available when running as root. These are (for example $TERMINFO) those that allow the search path for the terminfo or termcap entry to be customized.

    Disabling the root environment variables also disables the setuid environment variables by default. Use the --disable-setuid-environ option to modify this behavior.
(In reply to Sam James from comment #2)
> There's also:
> * --disable-root-access
>
> --disable-root-access
> Compile with environment restriction, so most file-access is limited
> when running as root, or via a setuid/setgid application.
>

https://github.com/kovidgoyal/kitty/issues/6842

... so maybe we'll leave it for now, or reserve --disable-root-access + --disable-root-environ for USE=hardened.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ef4afbd75c2c6e8262d2de04930398dfbce1d1bc

commit ef4afbd75c2c6e8262d2de04930398dfbce1d1bc
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-04-28 03:49:27 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-04-28 04:02:12 +0000

    sys-libs/ncurses: tweaks to 6.5

    * Cleanup PATCH_DATES as new release means starting anew
    * Cleanup whitespace left over from opaque settings
    * Pass --enable-fvisibility
    * Pass --disable-setuid-environ (bug #930806)
    * Add a TODO wrt gpm/PDEPEND/circular dep

    Closes: https://bugs.gentoo.org/930806
    Signed-off-by: Sam James <sam@gentoo.org>

 .../{ncurses-6.5.ebuild => ncurses-6.5-r1.ebuild} | 85 ++++------------------
 1 file changed, 14 insertions(+), 71 deletions(-)
As far as kitty goes, should ideally rely on installing the kitty-terminfo package on the remote distro, which I'd assume users can do if they have root access. Not to say whether should enable this or not, but I think it's not much of a blocker.

kitty does implement a lot of hacks (including for shell integration) that try to work around the fact distros haven't set up the files it needs (either local or remotely) that are otherwise unneeded.
Albeit, if enabled, it indeed probably wouldn't hurt to have a way to disable it for the few users that really want this. So USE=hardened or something else that could be default-on everywhere could be fine.
(In reply to Ionen Wolkens from comment #6)
> Albeit, if enabled, it indeed probably wouldn't hurt to have a way to
> disable it for the few users that really want this. So USE=hardened or
> something else that could be default-on everywhere could be fine.

..then again, I could imagine the place where it may annoy the most people are things like install CDs, and likely wouldn't want it to be a default there.