Bug 1339935 - (CVE-2016-7091) CVE-2016-7091 sudo: Possible info leak via INPUTRC
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20160524,reported=2...
Keywords: Security
Depends On: 1339936 1339937 1339938 1340696 1340697 1340698 1340699 1340700 1340701
Blocks: 1339940
Reported: 2016-05-26 04:44 EDT by Adam Mariš
Modified: 2018-06-29 18:08 EDT

Doc Type: Bug Fix
Doc Text:
It was discovered that the default sudo configuration preserved the value of INPUTRC from the user's environment, which could lead to information disclosure. A local user with sudo access to a restricted program that uses readline could use this flaw to read content from specially formatted files with elevated privileges provided by sudo.
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2593 normal SHIPPED_LIVE Low: sudo security, bug fix, and enhancement update 2016-11-03 08:10:56 EDT

Description Adam Mariš 2016-05-26 04:44:34 EDT
It was found that a malicious user can leak some information about arbitrary files by providing an arbitrary value for INPUTRC, since the target application parses the INPUTRC file with the target user's privileges.

This kind of attack is, in the current version of readline, limited to only timing attacks and leaks of line content matching a very particular format, but the next release will feature enhanced error reporting, making the disclosure more dangerous.  It is also possible to cause a segmentation fault through stack exhaustion in the target application by having INPUTRC specify a file with an $include directive for itself.

RHEL and Fedora by default include INPUTRC in /etc/sudoers, exposing this issue to users of the default sudo configuration.  INPUTRC should not be included in "env_keep" at all, or else somehow restricted to non-restricted shells (i.e. /bin/sh, /bin/bash).

Upstream bug:

https://lists.gnu.org/archive/html/bug-readline/2016-05/msg00009.html
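
The description above says INPUTRC should not be listed in "env_keep". As an added example (not part of the bug report and not sudo's own code), this Python sketch audits sudoers text for `Defaults` lines that preserve it. The sample sudoers content is constructed, the function names are hypothetical, and the parser assumes plain `Defaults` settings without following include directives or evaluating per-user or per-host scopes.

```python
import re

# Constructed sample of a sudoers file that preserves INPUTRC (not taken from the bug report).
SAMPLE_SUDOERS = r'''
Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS \
                         LC_CTYPE INPUTRC"
# Defaults  env_keep += "INPUTRC"   (commented out, must be ignored)
Defaults    env_delete += "LD_PRELOAD"
'''

# env_keep followed by =, += or -= and either a quoted list or a single bare name.
SETTING = re.compile(r'\benv_keep\s*(\+=|-=|=)\s*("([^"]*)"|[^\s,]+)')

def logical_lines(text):
    """Yield (first_line_no, line), joining backslash continuations and dropping comments."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if line and not line.startswith("#"):
            yield start, line

def audit_env_keep(text, watched=("INPUTRC",)):
    """Return (kept, findings): the net env_keep set and the lines that add a watched variable."""
    kept, findings = set(), []
    for no, line in logical_lines(text):
        if not line.startswith("Defaults"):
            continue
        for m in SETTING.finditer(line):
            op = m.group(1)
            value = m.group(3) if m.group(3) is not None else m.group(2)
            names = set(value.split())
            if op == "=":
                kept = set(names)      # plain assignment replaces the list
            elif op == "+=":
                kept |= names          # append to the list
            else:
                kept -= names          # -= removes entries
            if op != "-=":
                findings += [(no, v) for v in watched if v in names]
    return kept, findings

if __name__ == "__main__":
    kept, findings = audit_env_keep(SAMPLE_SUDOERS)
    for no, var in findings:
        print(f"line {no}: env_keep preserves {var}")
```

Each finding gives the first physical line of the `Defaults` entry to edit; the returned set shows whether a later `env_keep -=` already removes the variable again.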
Comment 1 Adam Mariš 2016-05-26 04:45:13 EDT
Created readline tracking bugs for this issue:

Affects: fedora-all [bug 1339936]
Comment 2 Adam Mariš 2016-05-26 04:45:23 EDT
Created mingw-readline tracking bugs for this issue:

Affects: fedora-all [bug 1339938]
Comment 3 Adam Mariš 2016-05-26 04:45:33 EDT
Created compat-readline5 tracking bugs for this issue:

Affects: fedora-all [bug 1339937]
Comment 6 Doran Moppert 2016-05-30 02:20:20 EDT
Created sudo tracking bugs for this issue:

Affects: fedora-all [bug 1340701]
Comment 11 Fedora Update System 2016-06-04 22:55:11 EDT
sudo-1.8.15-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Doran Moppert 2016-06-14 21:42:04 EDT
Acknowledgements:

Name: Grisha Levit
Comment 14 Fedora Update System 2016-06-18 00:19:27 EDT
sudo-1.8.15-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2016-06-18 14:51:46 EDT
sudo-1.8.16-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 Doran Moppert 2016-08-25 20:21:26 EDT
CVE Assignment:

http://seclists.org/oss-sec/2016/q3/376
Comment 18 errata-xmlrpc 2016-11-03 16:32:53 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2593 https://rhn.redhat.com/errata/RHSA-2016-2593.html
