A flaw was found in util-linux's chfn/chsh utilities when compiled with readline support. The readline library accepts an INPUTRC parameter as an environment variable. Passing this environment variable causes readline to load the file in the chfn process, which is running as UID 0. Parsing this file will lead to errors being printed to standard output when reading lines that begin with certain strings such as "-" and lines that do not contain an expected character. These error messages *contain parts of the file*, which is the core of the issue. An unprivileged user could use this flaw to read root-owned files, potentially leading to privilege escalation.

References:
https://blog.trailofbits.com/2023/02/16/suid-logic-bug-linux-readline/
https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u
Created util-linux tracking bugs for this issue: Affects: fedora-all [bug 2054355]
Upstream commit: https://github.com/util-linux/util-linux/commit/faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17
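
A check for the precondition described in this report (a setuid chfn/chsh that is linked against readline), as an added example that is not part of the original report or of util-linux. The function names and verdict strings are chosen here for illustration.

```shell
#!/bin/sh
# Added example: report whether chfn/chsh on this host match the
# configuration described above (setuid AND linked against libreadline).

# links_readline: read `ldd` output on stdin; succeed if libreadline is listed.
links_readline() {
    grep -q 'libreadline\.so'
}

# classify: $1 = "yes"/"no" (setuid bit set?), stdin = ldd output.
# Prints one verdict: setuid-with-readline, readline-not-setuid, no-readline
classify() {
    if links_readline; then
        if [ "$1" = yes ]; then
            echo setuid-with-readline
        else
            echo readline-not-setuid
        fi
    else
        echo no-readline
    fi
}

# audit_one: inspect one binary on disk and print "<path>: <verdict>".
audit_one() {
    bin=$1
    if [ -u "$bin" ]; then suid=yes; else suid=no; fi
    # ldd exits non-zero for static binaries; treat that as "no libraries".
    verdict=$( { ldd "$bin" 2>/dev/null || true; } | classify "$suid" )
    echo "$bin: $verdict"
}

# Check the two utilities named in the report, if they are installed.
for name in chfn chsh; do
    path=$(command -v "$name" 2>/dev/null) || continue
    audit_one "$path"
done
```

A `setuid-with-readline` verdict only shows that the precondition is present; whether the installed build already carries the upstream fix has to be confirmed from the distribution's package version.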