The util-linux release v2.37.4 is available at

  http://www.kernel.org/pub/linux/utils/util-linux/v2.37/

Feedback and bug reports, as always, are welcomed.

This release fixes a security issue in chsh(1) and chfn(8) when util-linux is compiled with libreadline.

CVE-2022-0563

The readline library uses the INPUTRC= environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file.

Unfortunately, the library does not use secure_getenv() (or a similar concept), or sanitize the config file path to avoid vulnerabilities that could occur if set-user-ID or set-group-ID programs.

Note, this vulnerability has been reproduced on chfn(8), but this command requires the CHFN_RESTRICT setting to be enabled in /etc/login.defs. This setting may be disabled by default.

--
Karel Zak <kzak@xxxxxxxxxx>
http://karelzak.blogspot.com
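The secure_getenv() concept mentioned in the announcement, shown as an added example that is not code from util-linux or readline and is not the change shipped in v2.37.4. It assumes Linux with glibc; the helper names (running_privileged, scrub_library_env, config_path_from_env) are hypothetical.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <unistd.h>

/* Nonzero when the kernel marked this process for secure execution
 * (set-user-ID, set-group-ID or file capabilities), or the IDs differ. */
int running_privileged(void)
{
    return getauxval(AT_SECURE) != 0 ||
           getuid() != geteuid() || getgid() != getegid();
}

/* Hypothetical helper: drop variables that make a linked library open a
 * caller-chosen file. Returns the number of variables removed. */
int scrub_library_env(int privileged)
{
    static const char *const risky[] = { "INPUTRC" };
    int removed = 0;

    if (!privileged)
        return 0;
    for (size_t i = 0; i < sizeof(risky) / sizeof(risky[0]); i++) {
        if (getenv(risky[i]) != NULL && unsetenv(risky[i]) == 0)
            removed++;
    }
    return removed;
}

/* Hypothetical helper with secure_getenv() semantics, made testable by
 * passing the privilege state in explicitly. */
const char *config_path_from_env(const char *name, int privileged)
{
    return privileged ? NULL : getenv(name);
}

int main(void)
{
    int priv = running_privileged();

    scrub_library_env(priv);   /* must run before the library initializes */
    const char *rc = config_path_from_env("INPUTRC", priv);
    printf("privileged=%d INPUTRC=%s\n", priv, rc ? rc : "(ignored or unset)");
    return 0;
}
```

The scrub has to happen before any library that reads the variable is initialized, because the library calls getenv() itself and never sees the caller's privilege check.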