Bug 2053151 (CVE-2022-0563)

Summary: CVE-2022-0563 util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bdettelb, caswilli, dhalasz, fjansen, jburrell, jonathan, jwong, kaycoth, kzak, micjohns, psegedy, sthirugn, vkrizan, vkumar, vmugicag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: util-linux 2.37.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel’s util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2054355, 2054356, 2054357, 2054358, 2055306, 2055307
Bug Blocks: 2052148, 2053163

Description Mauro Matteo Cascella 2022-02-10 15:51:12 UTC
A flaw was found in util-linux's chfn/chsh utilities when compiled with readline support. The readline library accepts an INPUTRC parameter as an environment variable. Passing this environment variable causes readline to load the file in the chfn process, which is running as UID 0. Parsing this file will lead to errors being printed to standard output when reading lines that begin with certain strings such as "-" and lines that do not contain an expected character. These error messages *contain parts of the file*, which is the core of the issue. An unprivileged user could use this flaw to read root-owned files, potentially leading to privilege escalation.

References:
https://blog.trailofbits.com/2023/02/16/suid-logic-bug-linux-readline/
https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u
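An added audit script (not part of this bug report or of util-linux) that turns the two conditions above into a local check: an installed chfn/chsh is exposed when it predates the util-linux 2.37.4 fix and is linked against libreadline. It assumes util-linux's "--version" banner format ("chfn from util-linux X.Y.Z") and GNU sort -V; the libreadline check scans the binary's dynamic string table instead of running it or calling ldd.

```shell
#!/bin/sh
# Added audit script, not from the bug report: report whether an installed
# chfn/chsh build is still exposed to CVE-2022-0563, i.e. it predates the
# util-linux 2.37.4 fix and is linked against libreadline.
# Assumptions: util-linux's "--version" banner format and GNU sort -V.

# True when version $1 sorts strictly before version $2.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# True when the binary's dynamic string table names libreadline.so.
# Scanning the file avoids executing it and does not need ldd.
readline_linked() {
    grep -qa 'libreadline\.so' "$1" 2>/dev/null
}

# Extract "2.37.2" from a banner like "chfn from util-linux 2.37.2";
# prints nothing for other banners (e.g. a shadow-utils chfn).
banner_version() {
    printf '%s\n' "$1" | sed -n 's/.*util-linux \([0-9][0-9.]*\).*/\1/p'
}

# Returns 0 (and says so) when the binary looks affected, 1 otherwise.
check_binary() {
    bin=$1
    [ -x "$bin" ] || { echo "$bin: not installed"; return 1; }
    ver=$(banner_version "$("$bin" --version 2>/dev/null)")
    if [ -n "$ver" ] && version_lt "$ver" 2.37.4 && readline_linked "$bin"; then
        echo "$bin: util-linux $ver linked with libreadline: AFFECTED"
        return 0
    fi
    echo "$bin: ${ver:+util-linux $ver, }not affected by CVE-2022-0563"
    return 1
}

# Check the two setuid utilities named in the report.
for b in /usr/bin/chfn /usr/bin/chsh; do
    check_binary "$b" || true
done
```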

Comment 2 Mauro Matteo Cascella 2022-02-14 19:07:31 UTC
Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 2054355]

Comment 5 Mauro Matteo Cascella 2022-02-14 19:23:50 UTC
Upstream commit:
https://github.com/util-linux/util-linux/commit/faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17