Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chsh, chfn: remove readline support [CVE-2022-0563]
The readline library uses INPUTRC= environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. Unfortunately, the library does not use secure_getenv() (or a similar concept) to avoid vulnerabilities that could occur if set-user-ID or set-group-ID programs. Reported-by: Rory Mackie <rory.mackie@trailofbits.com> Signed-off-by: Karel Zak <kzak@redhat.com>
- Loading branch information
Showing
3 changed files
with
6 additions
and
53 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters