
List:       oss-security
Subject:    [oss-security] RE: [EXTERNAL] Re: [oss-security] ncurses fixes upstream
From:       "Jonathan Bar Or (JBO)" <jobaror () microsoft ! com>
Date:       2023-04-19 16:55:06
Message-ID: MW2PR00MB0444E2AA4D31DB0021B8AE2FA862A () MW2PR00MB0444 ! namprd00 ! prod ! outlook ! com

Yes, now that the cat is out of the bag there's no point - you can find some POCs here (not every find is covered by a POC, FYI): https://drive.google.com/drive/u/0/folders/1XZiHbH7W7is8cwTu7DKrpwBTYuYfRZqE

Note not all of them work on Linux - some are macOS focused too.

As for Taviso's remark - obviously the "iprog", "rf" or "if" capabilities can be used maliciously if an attacker is able to affect root's terminfo files (directly or with env-vars), but those capabilities are only used by a bunch of programs (e.g. reset, tput and others). Normally putting an "iprog" and calling another ncurses-using binary (e.g. top) won't run that program. To be honest, we focused on EoP scenarios, and specifically macOS. macOS is the most sensitive here, since "top" is a SUID binary and doesn't sanitize TERMINFO (or HOME, which can be used too). The bugs we found are several memory corruption issues that happen during terminfo db parsing, as well as in ncurses functions (e.g. tparm).

JBO

-----Original Message-----
From: Carlos López <clopez@suse.de> 
Sent: Wednesday, April 19, 2023 8:11 AM
To: Jonathan Bar Or (JBO) <jobaror@microsoft.com>
Cc: oss-security@lists.openwall.com
Subject: [EXTERNAL] Re: [oss-security] ncurses fixes upstream


Hi,

On 12/4/23 22:40, Jonathan Bar Or (JBO) wrote:
> Hello oss-security,
> 
> Our team has worked with the maintainer of the ncurses library (used by several software packages in Linux) to fix several memory corruption vulnerabilities. They are now fixed at commit 20230408 - see details here (https://invisible-island.net/ncurses/NEWS.html#index-t20230408). A CVE was assigned (CVE-2023-29491) - it's still under a "reserved" status.

Are there any plans to disclose any proofs of concept to test these issues? From the distro side these are not only useful to check which ncurses snapshots we need to fix, but also for our QA teams to test the update and detect regressions.

For example, we are not sure if the build option `--disable-root-environ` does anything to mitigate the issues.

> How can we ensure those fixes get deployed upstream, in major Linux distributions?
> We've reached out to Arch, RedHat, Canonical and other popular distros independently.
> 
> Thanks!
> JBO

For what it's worth, we have not been contacted, as far as I can tell.

Best,
Carlos

--
Carlos López
Security Engineer
SUSE Software Solutions
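JBO's point above about the "iprog", "rf" and "if" capabilities suggests a check a distro or host owner can run: list which compiled terminfo entries on a system define any of the three capabilities that make an ncurses-based program execute a program or read a file. The following is an added example written for this archive page, not code from the thread or from ncurses; it parses the compiled layout described in term(5), assumes the Strings[] indices for those three caps from ncurses' term.h (51, 125, 138), and includes a constructed sample builder so it can be exercised offline.

```python
"""Audit compiled terminfo entries for caps that make ncurses run a program or read a
file: iprog, rf, if. Added example for this thread, not ncurses code; see term(5)."""
import os
import struct

MAGIC_16, MAGIC_32 = 0o432, 0o1036               # 16-bit / 32-bit numbers section
WATCHED = {51: "if", 125: "rf", 138: "iprog"}     # Strings[] index (ncurses term.h) -> capname

def parse_terminfo(blob):
    """Return (names, {capname: value}) for the watched caps in one compiled entry."""
    magic, names_sz, bools_n, nums_n, strs_n, table_sz = struct.unpack_from("<6h", blob)
    if magic not in (MAGIC_16, MAGIC_32):
        raise ValueError("not a compiled terminfo entry (magic %o)" % magic)
    names = blob[12:12 + names_sz].rstrip(b"\0").decode("ascii", "replace")
    off = 12 + names_sz + bools_n
    off += off & 1                                # numbers start on an even byte
    off += (2 if magic == MAGIC_16 else 4) * nums_n   # numeric caps are skipped
    offsets = struct.unpack_from("<%dh" % strs_n, blob, off)
    table = blob[off + 2 * strs_n:off + 2 * strs_n + table_sz]
    found = {}
    for idx, cap in WATCHED.items():
        if idx < strs_n and offsets[idx] >= 0:    # -1 = absent, -2 = cancelled
            found[cap] = table[offsets[idx]:table.index(b"\0", offsets[idx])].decode("ascii", "replace")
    return names, found

def scan_dir(root):
    """Yield (path, names, found) for each entry under root defining a watched cap."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    names, found = parse_terminfo(fh.read())
            except (OSError, ValueError, struct.error):
                continue
            if found:
                yield path, names, found

def build_entry(names, strings):
    """Constructed sample: minimal 16-bit entry with {index: value} string caps (offline test)."""
    n = max(strings) + 1
    offsets, table = [], b""
    for i in range(n):
        offsets.append(len(table) if i in strings else -1)
        table += strings[i].encode() + b"\0" if i in strings else b""
    body = names.encode() + b"\0"
    pad = b"\0" if len(body) % 2 else b""         # keep the numbers section even-aligned
    header = struct.pack("<6h", MAGIC_16, len(body), 0, 0, n, len(table))
    return header + body + pad + struct.pack("<%dh" % n, *offsets) + table
```

Point scan_dir() at /usr/share/terminfo or at whatever directories TERMINFO and TERMINFO_DIRS name for the privileged user; only the standard capability table is inspected, so extended user-defined caps are not reported.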
