Bug 584196 (CVE-2016-7091) - sys-libs/readline: Possible info leak via INPUTRC (CVE-2016-7091)
Status: RESOLVED FIXED
Alias: CVE-2016-7091
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://lists.gnu.org/archive/html/bu...
Whiteboard: A4 [upstream]
Reported: 2016-05-26 12:08 UTC by Agostino Sarubbo
Modified: 2020-05-25 16:37 UTC

Description Agostino Sarubbo gentoo-dev 2016-05-26 12:08:12 UTC
From ${URL} :

It was found that a malicious user can leak some information about arbitrary files by providing 
an arbitrary value for INPUTRC, since the target application parses the INPUTRC file with the target 
user's privileges. This kind of attack is, in the current version of readline, limited to only timing 
attacks and leaks of line content matching a very particular format. It is also possible to cause 
a segmentation fault in the target application by having INPUTRC specify a file with an $include 
directive for itself.

Upstream bug:

https://lists.gnu.org/archive/html/bug-readline/2016-05/msg00009.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-20 13:05:06 UTC
Update from See Also [1]:

CVE Assignment: (CVE-2016-7091)

http://seclists.org/oss-sec/2016/q3/376
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-25 16:37:46 UTC
I don't think our sudo config ever had INPUTRC in env_keep. The segfault is also not reproducible anymore.

As per the oss-security message, it's not really clear if this was ever a proper vulnerability, or that it affected us. Thanks to ajak for checking this out.
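
The env_keep check mentioned in Comment 2 can be scripted. The following is an added example, not part of the bug report and not Gentoo's or sudo's own code: it reads sudoers text and reports each `Defaults` entry that would let `INPUTRC` through to a privileged command. The sample policy is constructed; the script flags entries one by one and does not follow include directives or resolve the order of `=`, `+=` and `-=`.

```python
import fnmatch
import re

# Constructed sample sudoers content for illustration (not from the bug report).
SAMPLE_SUDOERS = r'''Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME"
Defaults env_keep += "LANG LC_* \
                      INPUTRC"
Defaults:backup env_keep -= "INPUTRC"
# Defaults env_keep += "INPUTRC"
Defaults:deploy !env_reset
Defaults env_keep += "INPUT*"
'''

DEFAULTS_RE = re.compile(r'^Defaults(\S*)\s+(.*)$')
# One setting: optional "!", a name, then optionally an operator and a value.
SETTING_RE = re.compile(r'(!?)(\w+)\s*(?:(\+=|-=|=)\s*("[^"]*"|[^,\s]+))?')


def logical_lines(text):
    """Join backslash-continued lines, then drop blank and comment lines."""
    for line in re.sub(r'\\\n', ' ', text).splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            yield line


def audit_env(text, var="INPUTRC"):
    """Return (scope, reason) for each Defaults entry that lets `var` through."""
    findings = []
    for line in logical_lines(text):
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        scope = m.group(1) or "(global)"
        for neg, name, op, value in SETTING_RE.findall(m.group(2)):
            if name == "env_reset" and neg:
                # With env_reset off, the caller's environment is inherited.
                findings.append((scope, "env_reset disabled"))
            elif name == "env_keep" and op in ("=", "+="):
                # env_keep entries may use "*" wildcards, e.g. "LC_*".
                for pat in value.strip('"').split():
                    if fnmatch.fnmatchcase(var, pat):
                        findings.append((scope, f"env_keep {op} {pat}"))
    return findings


if __name__ == "__main__":
    for scope, reason in audit_env(SAMPLE_SUDOERS):
        print(f"{scope}: {reason}")
```

An empty result for a real policy means no `Defaults` line in that text preserves `INPUTRC`; included files need to be checked the same way.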