It was found that a malicious user can leak some information about arbitrary files by providing an arbitrary value for INPUTRC, since the target application parses the INPUTRC file with the target user's privileges. In the current version of readline, this kind of attack is limited to timing attacks and leaks of line content matching a very particular format, but the next release will feature enhanced error reporting, making the disclosure more dangerous. It is also possible to cause a segmentation fault through stack exhaustion in the target application by having INPUTRC specify a file with an $include directive for itself.

RHEL and Fedora by default include INPUTRC in /etc/sudoers, exposing this issue to users of the default sudo configuration. INPUTRC should not be included in "env_keep" at all, or else somehow restricted to non-restricted shells (i.e. /bin/sh, /bin/bash).

Upstream bug: https://lists.gnu.org/archive/html/bug-readline/2016-05/msg00009.html
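An audit check for the configuration described above, added here as an example and not part of the original report or of sudo: it replays the env_keep operations found in sudoers text and reports whether INPUTRC is still preserved. The sample sudoers content is constructed, and the check assumes it is handed the file text directly; it does not follow include directives or consider sudo's built-in defaults.

```python
import re

# Matches each env_keep operation on a Defaults line: =, += or -=,
# followed by a quoted list or a single bare word.
_ENV_KEEP = re.compile(r'\benv_keep\s*(\+=|-=|=)\s*("[^"]*"|[^\s,]+)')

def logical_lines(text):
    """Join backslash-continued lines and drop comments and blanks."""
    joined = re.sub(r'\\\r?\n', ' ', text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            yield line

def kept_variables(sudoers_text):
    """Return the variables env_keep preserves after all operations.

    Scoped entries (Defaults:user, Defaults@host, ...) are treated like
    global ones, which over-reports rather than under-reports.
    """
    kept = set()
    for line in logical_lines(sudoers_text):
        if not line.startswith('Defaults'):
            continue
        for op, value in _ENV_KEEP.findall(line):
            names = set(value.strip('"').split())
            if op == '=':        # replaces the whole list
                kept = names
            elif op == '+=':     # appends to the list
                kept |= names
            else:                # '-=' removes from the list
                kept -= names
    return kept

def keeps_inputrc(sudoers_text):
    return 'INPUTRC' in kept_variables(sudoers_text)

# Constructed sample modelled on the configuration the report describes.
SAMPLE_EXPOSED = '''
Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME \\
                         HISTSIZE INPUTRC KDEDIR"
Defaults    env_keep += "MAIL PS1 PS2"
'''
# The same sample with a later line removing the variable.
SAMPLE_FIXED = SAMPLE_EXPOSED + 'Defaults    env_keep -= "INPUTRC"\n'
```

In practice the text passed to keeps_inputrc would be the contents of /etc/sudoers and any drop-in files, read by an account permitted to view them.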
Created readline tracking bugs for this issue: Affects: fedora-all [bug 1339936]
Created mingw-readline tracking bugs for this issue: Affects: fedora-all [bug 1339938]
Created compat-readline5 tracking bugs for this issue: Affects: fedora-all [bug 1339937]
Created sudo tracking bugs for this issue: Affects: fedora-all [bug 1340701]
sudo-1.8.15-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Acknowledgements: Name: Grisha Levit
sudo-1.8.15-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
sudo-1.8.16-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
CVE Assignment: http://seclists.org/oss-sec/2016/q3/376
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2593 https://rhn.redhat.com/errata/RHSA-2016-2593.html