Bugzilla – Bug 1196241
VUL-0: CVE-2022-0563: util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline
Last modified: 2023-04-06 10:19:55 UTC
rh#2053151

A flaw was found in util-linux's chfn/chsh utilities when compiled with readline support. The readline library accepts an INPUTRC parameter as an environment variable. Passing this environment variable causes readline to load the file in the chfn process, which is running as UID 0. Parsing this file will lead to errors being printed to standard output when reading lines that begin with certain strings such as "-" and lines that do not contain an expected character. These error messages *contain parts of the file*, which is the core of the issue. An unprivileged user could use this flaw to read root-owned files, potentially leading to privilege escalation.

Reference:
https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2053151
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0563
https://github.com/util-linux/util-linux/commit/faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17
For SLE12* and SLE15*, chsh and chfn are provided by shadow, so not affected there.
util-linux:

SLE12 SP3 to SP5, SLE15 *, Factory: We explicitly use --disable-chfn-chsh
SLE12 SP1 to SP2: We delete them by rm -f %{buildroot}%{_bindir}/{chfn,chsh,newgrp}
SLE11 *: The build is disabled by default, requires --enable-login-utils to be enabled. Not used by SUSE.
SLE10 *: The target all-putils is not built.

=> SUSE util-linux is not affected by this bug at all.

The chfn/chsh are provided by shadow in recent products. In the old products (SLE10 *, SLE 11 *) it is provided by pwdutils.
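An added example, not part of the original bug report or of util-linux: a shell check for the three conditions the report names (chfn/chsh built from util-linux, linked against libreadline, installed setuid root). The function names and verdict strings are made up for this example, and it assumes GNU stat and readelf are installed.

```shell
#!/bin/sh
# Added example: do the installed chfn/chsh meet the conditions of CVE-2022-0563?
# Usage: sh check-chfn.sh chfn chsh     (script name is hypothetical)

# verdict MODE_OWNER VERSION_TEXT DYNAMIC_SECTION  -> prints one verdict word
#   MODE_OWNER       output of `stat -c '%A %U'`, e.g. "-rwsr-xr-x root"
#   VERSION_TEXT     output of `<tool> --version`
#   DYNAMIC_SECTION  output of `readelf -d <file>`
verdict() {
    # util-linux tools name the project in --version; shadow/pwdutils do not.
    case $2 in *util-linux*) ;; *) echo not-util-linux; return 0 ;; esac
    # The INPUTRC file is only parsed when the binary links libreadline.
    case $3 in *libreadline*) ;; *) echo no-readline; return 0 ;; esac
    # 4th character of the mode string is s/S when the setuid bit is set.
    case $1 in
        ???[sS]*\ root) echo preconditions-met ;;
        *)              echo not-setuid-root ;;
    esac
}

audit() {
    path=$(command -v "$1" 2>/dev/null) || { echo "$1: not installed"; return 0; }
    command -v readelf >/dev/null 2>&1 ||
        { echo "$1: unknown, readelf missing ($path)"; return 0; }
    mode=$(stat -Lc '%A %U' "$path" 2>/dev/null) || mode=
    ver=$("$path" --version 2>&1 </dev/null) || :
    # readelf only parses the file; ldd is avoided because it can run code from it.
    libs=$(readelf -d "$path" 2>/dev/null) || libs=
    echo "$1: $(verdict "$mode" "$ver" "$libs") ($path)"
}

for tool in "$@"; do
    audit "$tool"
done
```

A `preconditions-met` result only says the binary has the properties described in the report; whether it is patched is decided by the package version in the distribution's advisory.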