A flaw was found in glibc. The realpath function may sometimes return an unexpected value, potentially leading to disclosure of sensitive data.
RHEL 6, 7 and 8 are not affected by this bug, as they ship an older version of glibc which does not include the vulnerable code (i.e., the realpath_stk() function does not exist).
Created glibc tracking bugs for this issue: Affects: fedora-all [bug 2039674]
Filed upstream: https://sourceware.org/bugzilla/show_bug.cgi?id=28770
I've posted a fix for review: https://patchwork.sourceware.org/project/glibc/patch/20220113055920.3155918-1-siddhesh@sourceware.org/
Upstream commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ee8d5e33adb284601c00c94687bc907e10aec9bb
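The flaw description above says only that realpath may return an unexpected value. The following C program is an added example, not glibc's code and not part of this bug report: a defensive wrapper that relies on nothing more than the POSIX contract for realpath (a non-NULL return means success; on NULL, errno is set and the output buffer must not be read). It lets libc allocate the result, copies into the caller's buffer only after its own length check, and zero-fills that buffer up front so a failed call can never leak stale or uninitialized bytes to the caller. The names safe_realpath, probe_realpath, probe_realpath_equals and probe_long_path are assumptions of this example; PATH_MAX comes from <limits.h>.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Defensive realpath wrapper (illustrative example, not glibc code).
 * - Passes NULL as the second argument so libc allocates the result buffer;
 *   the caller's buffer is never handed to libc and so cannot be left
 *   partially written by it.
 * - Trusts the result only when realpath() returned non-NULL.
 * - Zero-fills `out` first, so on any failure the caller sees an empty
 *   string rather than stale or uninitialized bytes.
 * Returns 0 on success, -1 on failure with errno set. */
int safe_realpath(const char *path, char *out, size_t outsz)
{
    if (out == NULL || outsz == 0) {
        errno = EINVAL;
        return -1;
    }
    memset(out, 0, outsz);
    if (path == NULL || *path == '\0') {
        errno = EINVAL;
        return -1;
    }
    /* Reject inputs longer than PATH_MAX before calling into libc. */
    if (strnlen(path, (size_t)PATH_MAX + 1) > (size_t)PATH_MAX) {
        errno = ENAMETOOLONG;
        return -1;
    }
    char *res = realpath(path, NULL);
    if (res == NULL)
        return -1;              /* errno already set by realpath() */
    size_t len = strnlen(res, outsz);
    if (len >= outsz) {         /* result does not fit, including the NUL */
        free(res);
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, res, len + 1);
    free(res);
    return 0;
}

/* Probe: resolve `path` into a buffer of `outsz` bytes and return 0 on
 * success or the errno value on failure, so behaviour on constructed
 * inputs can be checked without inspecting the buffer. */
int probe_realpath(const char *path, size_t outsz)
{
    char buf[PATH_MAX];
    if (outsz > sizeof buf)
        outsz = sizeof buf;
    return safe_realpath(path, buf, outsz) == 0 ? 0 : errno;
}

/* Probe: does `path` resolve to exactly `expected`? 1 = yes, 0 = no. */
int probe_realpath_equals(const char *path, const char *expected)
{
    char buf[PATH_MAX];
    if (safe_realpath(path, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Probe: a constructed path of `n` 'a' characters (no such file exists);
 * returns 0 on success or the errno value on failure. */
int probe_long_path(size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL)
        return ENOMEM;
    memset(p, 'a', n);
    p[n] = '\0';
    int rc = probe_realpath(p, PATH_MAX);
    free(p);
    return rc;
}

int main(int argc, char **argv)
{
    char buf[PATH_MAX];
    const char *path = argc > 1 ? argv[1] : "/..";
    if (safe_realpath(path, buf, sizeof buf) == 0)
        printf("%s -> %s\n", path, buf);
    else
        printf("%s -> error: %s\n", path, strerror(errno));
    return 0;
}
```

Run it with a path argument to see the resolved form, or with none to resolve the constructed input "/..", which canonicalises to "/". The design point is that every branch that reports failure also leaves the caller's buffer in a known state, so code that later logs or returns that buffer cannot expose whatever libc may or may not have written.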