git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit
ncurses: Fix CVE-2023-29491
author virendra thakur <thakur.virendra1810@gmail.com>
Tue, 6 Feb 2024 12:31:04 +0000 (18:01 +0530)
committer Steve Sakoman <steve@sakoman.com>
Mon, 12 Feb 2024 14:55:54 +0000 (04:55 -1000)
commit 041433f0767ae9112f6a74a7d7c93ce9b411792c
tree 26b99031da2f752aabc3c680564a1190626d8c42
parent bff621d5399e5ff2930d21f403bb2f274febd2e4
ncurses: Fix CVE-2023-29491

memory corruption when processing malformed terminfo data entries
loaded by setuid/setgid programs

CVE-2023-29491.patch changes the --disable-root-environ configure option
behavior.
Set --disable-root-environ in configuration options.

--disable-root-environ option with a few additional changes
to the code allows us to mitigate CVE-2023-29491 and avoid
other issues that involve the possibility of malicious use of
environment variables through setuid applications, and, therefore,
it was the fix chosen in order to resolve this vulnerability.

Reference:
https://ubuntu.com/security/CVE-2023-29491
https://launchpad.net/ubuntu/+source/ncurses/6.2-0ubuntu2.1

Signed-off-by: virendra thakur <virendrak@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-core/ncurses/files/CVE-2023-29491.patch [new file with mode: 0644]
meta/recipes-core/ncurses/ncurses_6.2.bb
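
The commit message above describes the mitigation as refusing environment-supplied terminfo locations in setuid/setgid programs. The following C example is added here as an illustration and is not code from ncurses or from this commit: it shows that kind of privilege-aware environment lookup. The function names, the `DEFAULT_TERMINFO` path and the exact root check are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define ROOT_UID 0
/* Assumed system default; a real build takes this path from its configuration. */
#define DEFAULT_TERMINFO "/usr/share/terminfo"

/* Policy only: ids are passed in so it can be checked without changing privileges. */
bool env_trusted(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    if (ruid != euid || rgid != egid)
        return false;   /* setuid/setgid: the invoking user controls the environment */
    if (ruid == ROOT_UID || euid == ROOT_UID)
        return false;   /* root: the case the option name refers to (assumed check) */
    return true;
}

/* getenv() that yields NULL when the current process must not trust its environment. */
const char *guarded_getenv(const char *name)
{
    if (!env_trusted(getuid(), geteuid(), getgid(), getegid()))
        return NULL;
    return getenv(name);
}

/* Use the override only if one was allowed through; otherwise the system default. */
const char *terminfo_dir(const char *override)
{
    return (override != NULL && override[0] != '\0') ? override : DEFAULT_TERMINFO;
}

int main(void)
{
    /* TERMINFO is the ncurses variable naming an alternate terminfo directory. */
    printf("terminfo directory: %s\n", terminfo_dir(guarded_getenv("TERMINFO")));
    return 0;
}
```
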