Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 833365 (CVE-2022-0563)

Summary: <sys-apps/util-linux-2.37.4: Partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: base-system, into-the-trash-it-goes, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 833367    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-02-14 22:45:25 UTC 
Description cribbed from Red Hat at https://access.redhat.com/security/cve/cve-2022-0563.

commit 39a81981ac4b8a1f521db550afc117ccab9548cb
Author: Karel Zak <kzak@redhat.com>
Date:   Thu Feb 10 12:03:17 2022 +0100

    chsh, chfn: remove readline support [CVE-2022-0563]
    
    The readline library uses INPUTRC= environment variable to get a path
    to the library config file. When the library cannot parse the
    specified file, it prints an error message containing data from the
    file.
    
    Unfortunately, the library does not use secure_getenv() (or a similar
    concept) to avoid vulnerabilities that could occur if set-user-ID or
    set-group-ID programs.
    
    Reported-by: Rory Mackie <rory.mackie@trailofbits.com>
    Signed-off-by: Karel Zak <kzak@redhat.com>

 login-utils/Makemodule.am |  2 +-
 login-utils/chfn.c        | 14 ++------------
 login-utils/chsh.c        | 43 +++----------------------------------------
 3 files changed, 6 insertions(+), 53 deletions(-)
Comment 1 Larry the Git Cow gentoo-dev 2022-02-14 23:04:02 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd7843850e85f86958a900d7722cb56aa9b5bec1

commit bd7843850e85f86958a900d7722cb56aa9b5bec1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-14 22:55:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-14 23:03:37 +0000

    sys-apps/util-linux: add 2.37.4
    
    Bug: https://bugs.gentoo.org/833365
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/util-linux/Manifest                 |   1 +
 sys-apps/util-linux/util-linux-2.37.4.ebuild | 333 +++++++++++++++++++++++++++
 2 files changed, 334 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-18 01:23:08 UTC 
Please cleanup
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-02-18 11:00:14 UTC 
Activity on the bug made me realise the connection wrt chfn & sys-apps/shadow.

Indeed:
```
$ grep -rsin chfn
util-linux-2.38.1-r2.ebuild:226:                        --disable-chfn-chsh
util-linux-2.38.1.ebuild:243:                   --disable-chfn-chsh
util-linux-9999.ebuild:226:                     --disable-chfn-chsh
util-linux-2.37.4.ebuild:189:                   --disable-chfn-chsh
```

I don't think this bug ever affected Gentoo, modulo older versions doing it (not checked, so I'll leave open until someone has verified it).