author | Karel Zak <kzak@redhat.com> | 2022-02-10 12:03:17 +0100 |
---|---|---|
committer | Karel Zak <kzak@redhat.com> | 2022-02-14 12:27:40 +0100 |
commit | faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17 (patch) | |
tree | 530cfd0c317576d1b274cb8c65d1224bcd67b746 /login-utils/Makemodule.am | |
parent | 43485143623b46f54ed3cac13f159566d32c3675 (diff) | |
download | util-linux-faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17.tar.gz |
chsh, chfn: remove readline support [CVE-2022-0563]

The readline library uses INPUTRC= environment variable to get a path
to the library config file. When the library cannot parse the
specified file, it prints an error message containing data from the
file.

Unfortunately, the library does not use secure_getenv() (or a similar
concept) to avoid vulnerabilities that could occur if set-user-ID or
set-group-ID programs.

Reported-by: Rory Mackie <rory.mackie@trailofbits.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
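
The "secure_getenv() (or a similar concept)" idea from the commit message, as an added example that is not code from util-linux or readline: a set-user-ID program ignores caller-controlled variables such as INPUTRC and scrubs them before calling into a library that reads them with plain getenv(). The helper names and the one-entry deny-list are assumptions made for illustration; the fix in this commit is to stop linking readline, not this.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <unistd.h>

/* Nonzero in secure-execution mode: AT_SECURE set by the kernel, or real/effective IDs differ. */
static int running_privileged(void)
{
    return getauxval(AT_SECURE) != 0 || getuid() != geteuid() || getgid() != getegid();
}

/* Hypothetical helper with the same contract as glibc's secure_getenv():
 * the caller's environment is not trusted when the process is privileged. */
static const char *getenv_unless_privileged(const char *name, int privileged)
{
    return privileged ? NULL : getenv(name);
}

/* Constructed deny-list; INPUTRC is the variable named in the commit message. */
static const char *const untrusted_vars[] = { "INPUTRC", NULL };

/* Remove variables that a linked library would read with plain getenv().
 * Returns how many were removed; does nothing for an unprivileged process. */
static int scrub_env_if_privileged(int privileged)
{
    int removed = 0;

    if (!privileged)
        return 0;
    for (size_t i = 0; untrusted_vars[i] != NULL; i++) {
        if (getenv(untrusted_vars[i]) != NULL && unsetenv(untrusted_vars[i]) == 0)
            removed++;
    }
    return removed;
}

int main(void)
{
    int priv = running_privileged();
    const char *rc = getenv_unless_privileged("INPUTRC", priv);
    int scrubbed = scrub_env_if_privileged(priv);

    printf("privileged=%d INPUTRC=%s scrubbed=%d\n", priv, rc ? rc : "(ignored or unset)", scrubbed);
    return 0;
}
```
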
Diffstat (limited to 'login-utils/Makemodule.am')
-rw-r--r-- | login-utils/Makemodule.am | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/login-utils/Makemodule.am b/login-utils/Makemodule.am index 75c0a6756..2d0547a16 100644 --- a/login-utils/Makemodule.am +++ b/login-utils/Makemodule.am @@ -109,7 +109,7 @@ chfn_chsh_sources = \ login-utils/ch-common.c chfn_chsh_cflags = $(SUID_CFLAGS) $(AM_CFLAGS) chfn_chsh_ldflags = $(SUID_LDFLAGS) $(AM_LDFLAGS) -chfn_chsh_ldadd = libcommon.la $(READLINE_LIBS) +chfn_chsh_ldadd = libcommon.la if CHFN_CHSH_PASSWORD chfn_chsh_ldadd += -lpam |
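Review bot: removing $(READLINE_LIBS) from chfn_chsh_ldadd only drops the link dependency, and this view is limited to login-utils/Makemodule.am, so check that the same commit also removes the readline includes and calls from the chfn/chsh sources; otherwise a build where readline is detected would fail to link. Since chfn_chsh_cflags and chfn_chsh_ldflags use the SUID_ variants, a short comment above chfn_chsh_ldadd saying that readline must not be linked into these programs (it reads INPUTRC without secure_getenv()) would keep it from being re-added later.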