| Summary: | <sys-apps/util-linux-2.37.4: Partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | | |
| Severity: | minor | CC: | base-system, into-the-trash-it-goes, sam |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa?] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 833367 | | |
| Bug Blocks: | | | |
Description
Sam James
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd7843850e85f86958a900d7722cb56aa9b5bec1

```
commit bd7843850e85f86958a900d7722cb56aa9b5bec1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-14 22:55:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-14 23:03:37 +0000

    sys-apps/util-linux: add 2.37.4

    Bug: https://bugs.gentoo.org/833365
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/util-linux/Manifest                 |   1 +
 sys-apps/util-linux/util-linux-2.37.4.ebuild | 333 +++++++++++++++++++++++++++
 2 files changed, 334 insertions(+)
```

Please cleanup

Activity on the bug made me realise the connection wrt chfn & sys-apps/shadow. Indeed:

```
$ grep -rsin chfn
util-linux-2.38.1-r2.ebuild:226: --disable-chfn-chsh
util-linux-2.38.1.ebuild:243: --disable-chfn-chsh
util-linux-9999.ebuild:226: --disable-chfn-chsh
util-linux-2.37.4.ebuild:189: --disable-chfn-chsh
```

I don't think this bug ever affected Gentoo, modulo older versions doing it (not checked, so I'll leave open until someone has verified it).