util-linux.vger.kernel.org archive mirror
* [ANNOUNCE] util-linux v2.37.4
@ 2022-02-14 11:06 Karel Zak
From: Karel Zak @ 2022-02-14 11:06 UTC (permalink / raw)
  To: linux-kernel, linux-fsdevel, util-linux

The util-linux release v2.37.4 is available at
Feedback and bug reports, as always, are welcomed.

This release fixes a security issue in chsh(1) and chfn(8) when
util-linux is compiled with libreadline.


  The readline library uses INPUTRC= environment variable to get a path
  to the library config file. When the library cannot parse the
  specified file, it prints an error message containing data from the

  Unfortunately, the library does not use secure_getenv() (or a similar
  concept), or sanitize the config file path to avoid vulnerabilities that
  could occur if set-user-ID or set-group-ID programs.

Note, this vulnerability has been reproduced on chfn(8), but this command
requires enabled CHFN_RESTRICT setting in /etc/login.defs. This setting 
may be disabled by default.

 Karel Zak  <kzak@redhat.com>
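
The check the announcement says readline lacks, as an added example that is not part of the original message and is not the util-linux fix: a privileged program decides whether INPUTRC may be trusted before the library reads it. The helper names, the sample path and the numeric IDs are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* setenv(), unsetenv() */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: 1 when real and effective IDs differ, meaning the
 * program runs set-user-ID or set-group-ID and its environment was chosen
 * by a less privileged caller. Simplification: glibc's secure_getenv()
 * also treats other cases (e.g. file capabilities) as secure execution. */
int ids_are_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Hypothetical helper: the secure_getenv() decision with the IDs passed
 * in: hand back the value only when the caller is as privileged as we are. */
const char *env_if_trusted(const char *value, uid_t ruid, uid_t euid,
                           gid_t rgid, gid_t egid)
{
    return ids_are_elevated(ruid, euid, rgid, egid) ? NULL : value;
}

/* Hypothetical helper: run before the first readline() call so that the
 * library's own getenv("INPUTRC") finds nothing in a privileged process.
 * Returns 1 if INPUTRC was removed, 0 if left alone, -1 on error. */
int scrub_inputrc(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    if (!ids_are_elevated(ruid, euid, rgid, egid) || !getenv("INPUTRC"))
        return 0;
    return unsetenv("INPUTRC") == 0 ? 1 : -1;
}

int main(void)
{
    const char *sample = "/tmp/constructed-inputrc";  /* constructed value */
    const char *v;
    if (setenv("INPUTRC", sample, 1) != 0)
        return 1;
    printf("real ids:      scrub=%d\n",
           scrub_inputrc(getuid(), geteuid(), getgid(), getegid()));
    /* Constructed IDs modelling a set-user-ID root binary run by uid 1000. */
    printf("uid 1000->0:   trusted=%s\n",
           env_if_trusted(sample, 1000, 0, 1000, 1000) ? "yes" : "no");
    printf("uid 1000->0:   scrub=%d\n", scrub_inputrc(1000, 0, 1000, 1000));
    v = getenv("INPUTRC");
    printf("INPUTRC now:   %s\n", v ? v : "(unset)");
    return 0;
}
```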
