Bug 2053151 (CVE-2022-0563) - CVE-2022-0563 util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline
Status: NEW
Alias: CVE-2022-0563
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2054355 2054356 2054357 2054358 2055306 2055307
Blocks: 2052148 2053163
Reported: 2022-02-10 15:51 UTC by Mauro Matteo Cascella
Modified: 2023-02-22 17:25 UTC

Fixed In Version: util-linux 2.37.4
Doc Text:
A flaw was found in the Linux kernel’s util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation.

Description Mauro Matteo Cascella 2022-02-10 15:51:12 UTC
A flaw was found in util-linux's chfn/chsh utilities when compiled with readline support. The readline library accepts an INPUTRC parameter as an environment variable. Passing this environment variable causes readline to load the file in the chfn process, which is running as UID 0. Parsing this file will lead to errors being printed to standard output when reading lines that begin with certain strings such as "-" and lines that do not contain an expected character. These error messages *contain parts of the file*, which is the core of the issue. An unprivileged user could use this flaw to read root-owned files, potentially leading to privilege escalation.

References:
https://blog.trailofbits.com/2023/02/16/suid-logic-bug-linux-readline/
https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u
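
A defender-side check for the conditions this report names (chfn/chsh running setuid, linked against libreadline, util-linux older than the fixed version 2.37.4), as an added example that is not part of the bug report or of util-linux. The function names, the use of `readelf -d` and `--version`, and the comparison against the upstream version string are assumptions of this example; distribution packages may carry the fix under an older version string.

```shell
#!/bin/sh
# Added audit example (not from the bug report). FIXED is the page's
# "Fixed In Version"; the helper names below are hypothetical.
FIXED="2.37.4"

# True when version $1 sorts strictly before $2 (relies on GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Reads `readelf -d` output on stdin; true if libreadline is a NEEDED library.
needs_readline() {
    grep -Eq '\(NEEDED\).*\[libreadline\.so'
}

# Extracts "2.37.2" from "chfn from util-linux 2.37.2"; prints nothing for
# other implementations (for example the shadow chfn/chsh).
utillinux_version() {
    sed -n 's/^.* from util-linux \([0-9][0-9.]*\).*$/\1/p'
}

# classify <setuid: yes|no> <readline: yes|no> <version or empty>
classify() {
    [ -n "$3" ] || { echo "not-util-linux"; return; }
    [ "$1" = yes ] || { echo "not-setuid"; return; }
    [ "$2" = yes ] || { echo "no-readline"; return; }
    # Assumption: the upstream version is authoritative. Backported fixes
    # keep an older version string, so confirm with the package changelog.
    if version_lt "$3" "$FIXED"; then echo "exposed"; else echo "fixed"; fi
}

audit() {
    for name in chfn chsh; do
        bin=$(command -v "$name") || { echo "$name: not installed"; continue; }
        suid=no; [ -u "$bin" ] && suid=yes
        rl=no; readelf -d "$bin" 2>/dev/null | needs_readline && rl=yes
        ver=$("$bin" --version </dev/null 2>/dev/null | utillinux_version)
        echo "$name ($bin): $(classify "$suid" "$rl" "$ver")"
    done
}

# Run the audit only when invoked as: sh script.sh run
if [ "${1:-}" = run ]; then audit; fi
```

Only the `exposed` result matches all three conditions from the description; `no-readline` and `not-setuid` mean the binary does not meet the conditions described for this flaw.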

Comment 2 Mauro Matteo Cascella 2022-02-14 19:07:31 UTC
Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 2054355]

Comment 5 Mauro Matteo Cascella 2022-02-14 19:23:50 UTC
Upstream commit:
https://github.com/util-linux/util-linux/commit/faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17

