Bug 2211666

Summary: Ignore TERMINFO and HOME environment variables in setuid binaries
Product: Red Hat Enterprise Linux 9
Reporter: Miroslav Lichvar <mlichvar>
Component: ncurses
Assignee: Miroslav Lichvar <mlichvar>
Status: CLOSED ERRATA
QA Contact: Ondrej Mejzlik <omejzlik>
Severity: unspecified
Priority: unspecified
Version: 9.1
CC: omejzlik
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ncurses-6.2-10.20210508.el9
Last Closed: 2023-11-07 08:56:14 UTC
Type: Bug

Description Miroslav Lichvar 2023-06-01 11:46:02 UTC
Description of problem:
ncurses uses the TERMINFO and HOME environment variables to search for terminfo entries. If there is a bug in parsing or handling (e.g. CVE-2023-29491), it can be exploited for setuid applications.

ncurses has a configure option, --disable-root-environ, to not use these variables when running as root.

Consider building ncurses with this option to avoid this class of security issues.

How reproducible:
always

Steps to Reproduce:
1. TERMINFO="/tmp/terminfo" strace bash -i -c true |& grep terminfo

Actual results:
stat("/tmp/terminfo", 0x55b8e99c2900)   = -1 ENOENT (No such file or directory)
stat("/root/.terminfo", 0x55b8e99c2900) = -1 ENOENT (No such file or directory)
stat("/etc/terminfo", {st_mode=S_IFDIR|0755, st_size=6, ...}) = 0
stat("/usr/share/terminfo", {st_mode=S_IFDIR|0755, st_size=195, ...}) = 0
access("/etc/terminfo/s/screen", R_OK)  = -1 ENOENT (No such file or directory)
access("/usr/share/terminfo/s/screen", R_OK) = 0
openat(AT_FDCWD, "/usr/share/terminfo/s/screen", O_RDONLY) = 3


Expected results:
No access to /tmp/terminfo and /root/.terminfo is observed

Additional info:

Comment 10 Miroslav Lichvar 2023-08-21 14:07:34 UTC
The solution was changed to ignore the TERMINFO and HOME variables only for setuid, setgid, or capability binaries. The root user will still be able to use its own private terminfo.
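
An added example (not code from ncurses or from this bug report) of the policy described in comment 10: caller-controlled terminfo locations are searched only when the process is not setuid, setgid, or running with file capabilities. The function names are hypothetical, the use of AT_SECURE for detection is an assumption about one way to implement the check on Linux, and the directory order mirrors the strace output in the description.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <unistd.h>

#define DIR_MAX 256

/* 1 when the process holds privileges its caller lacks. The Linux kernel
 * sets AT_SECURE for setuid, setgid and file-capability binaries; the
 * real/effective ID comparison is a fallback. */
int running_privileged(void)
{
    return getauxval(AT_SECURE) != 0 ||
           getuid() != geteuid() || getgid() != getegid();
}

/* Append base+suffix to out[]; skip unset, empty or over-long paths. */
static size_t add_dir(char out[][DIR_MAX], size_t n, size_t max,
                      const char *base, const char *suffix)
{
    if (!base || !*base || n >= max)
        return n;
    int len = snprintf(out[n], DIR_MAX, "%s%s", base, suffix);
    return (len > 0 && len < DIR_MAX) ? n + 1 : n;
}

/* Build the terminfo search list. terminfo and home are the values of
 * $TERMINFO and $HOME (either may be NULL). Returns the entry count. */
size_t terminfo_search_dirs(int privileged, const char *terminfo,
                            const char *home, char out[][DIR_MAX], size_t max)
{
    size_t n = 0;
    if (!privileged) {  /* environment is trusted only without elevation */
        n = add_dir(out, n, max, terminfo, "");
        n = add_dir(out, n, max, home, "/.terminfo");
    }
    n = add_dir(out, n, max, "/etc/terminfo", "");
    n = add_dir(out, n, max, "/usr/share/terminfo", "");
    return n;
}

int main(void)
{
    char dirs[4][DIR_MAX];
    size_t n = terminfo_search_dirs(running_privileged(), getenv("TERMINFO"),
                                    getenv("HOME"), dirs, 4);
    for (size_t i = 0; i < n; i++)
        puts(dirs[i]);
    return 0;
}
```

Run as an ordinary binary, it prints all four directories; installed setuid or with file capabilities, it prints only the two system directories.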

Comment 16 errata-xmlrpc 2023-11-07 08:56:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: ncurses security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6698