util-linux: fix CVE-2022-0563

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. Backport patch from upstream: faa5a3a83a Patch required slight modifications to apply cleanly to util-linux 2.35.1 (From OE-Core rev: dffbf6301612ca91f6a1c306b9dde754b44912bb) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-04-07 14:02:22 +02:00 · 2022-03-28 08:33:20 -10:00
parent 631df12969
commit 67f1490197
2 changed files with 162 additions and 0 deletions
--- a/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch
@@ -0,0 +1,161 @@
+From faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 10 Feb 2022 12:03:17 +0100
+Subject: [PATCH] chsh, chfn: remove readline support [CVE-2022-0563]
+
+The readline library uses INPUTRC= environment variable to get a path
+to the library config file. When the library cannot parse the
+specified file, it prints an error message containing data from the
+file.
+
+Unfortunately, the library does not use secure_getenv() (or a similar
+concept) to avoid vulnerabilities that could occur if set-user-ID or
+set-group-ID programs.
+
+Reported-by: Rory Mackie <rory.mackie@trailofbits.com>
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+Upstream-status: Backport
+https://github.com/util-linux/util-linux/commit/faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17
+
+CVE: CVE-2022-0563
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ login-utils/Makemodule.am |  2 +-
+ login-utils/chfn.c        | 16 +++------------
+ login-utils/chsh.c        | 42 ++-------------------------------------
+ 3 files changed, 6 insertions(+), 54 deletions(-)
+
+diff --git a/login-utils/Makemodule.am b/login-utils/Makemodule.am
+index fac5bfc..73636af 100644
+--- a/login-utils/Makemodule.am
+++ b/login-utils/Makemodule.am
+@@ -82,7 +82,7 @@ chfn_chsh_sources = \
+ 	login-utils/ch-common.c
+ chfn_chsh_cflags = $(SUID_CFLAGS) $(AM_CFLAGS)
+ chfn_chsh_ldflags = $(SUID_LDFLAGS) $(AM_LDFLAGS)
+-chfn_chsh_ldadd = libcommon.la $(READLINE_LIBS)
+chfn_chsh_ldadd = libcommon.la
+ 
+ if CHFN_CHSH_PASSWORD
+ chfn_chsh_ldadd += -lpam
+diff --git a/login-utils/chfn.c b/login-utils/chfn.c
+index b739555..2f8e44a 100644
+--- a/login-utils/chfn.c
+++ b/login-utils/chfn.c
+@@ -56,11 +56,6 @@
+ # include "auth.h"
+ #endif
+ 
+-#ifdef HAVE_LIBREADLINE
+-# define _FUNCTION_DEF
+-# include <readline/readline.h>
+-#endif
+-
+ struct finfo {
+ 	char *full_name;
+ 	char *office;
+@@ -229,22 +224,17 @@ static char *ask_new_field(struct chfn_control *ctl, const char *question,
+ {
+ 	int len;
+ 	char *buf;
+-#ifndef HAVE_LIBREADLINE
+-	size_t dummy = 0;
+-#endif
+ 
+ 	if (!def_val)
+ 		def_val = "";
+
+ 	while (true) {
+ 		printf("%s [%s]: ", question, def_val);
+ 		__fpurge(stdin);
+-#ifdef HAVE_LIBREADLINE
+-		rl_bind_key('\t', rl_insert);
+-		if ((buf = readline(NULL)) == NULL)
+-#else
+
+ 		if (getline(&buf, &dummy, stdin) < 0)
+-#endif
+ 			errx(EXIT_FAILURE, _("Aborted."));
+
+ 		/* remove white spaces from string end */
+ 		ltrim_whitespace((unsigned char *) buf);
+ 		len = rtrim_whitespace((unsigned char *) buf);
+diff --git a/login-utils/chsh.c b/login-utils/chsh.c
+index a9ebec8..ee6ff87 100644
+--- a/login-utils/chsh.c
+++ b/login-utils/chsh.c
+@@ -58,11 +58,6 @@
+ # include "auth.h"
+ #endif
+ 
+-#ifdef HAVE_LIBREADLINE
+-# define _FUNCTION_DEF
+-# include <readline/readline.h>
+-#endif
+-
+ struct sinfo {
+ 	char *username;
+ 	char *shell;
+@@ -121,33 +116,6 @@ static void print_shells(void)
+ 	endusershell();
+ }
+ 
+-#ifdef HAVE_LIBREADLINE
+-static char *shell_name_generator(const char *text, int state)
+-{
+-	static size_t len;
+-	char *s;
+-
+-	if (!state) {
+-		setusershell();
+-		len = strlen(text);
+-	}
+-
+-	while ((s = getusershell())) {
+-		if (strncmp(s, text, len) == 0)
+-			return xstrdup(s);
+-	}
+-	return NULL;
+-}
+-
+-static char **shell_name_completion(const char *text,
+-				    int start __attribute__((__unused__)),
+-				    int end __attribute__((__unused__)))
+-{
+-	rl_attempted_completion_over = 1;
+-	return rl_completion_matches(text, shell_name_generator);
+-}
+-#endif
+-
+ /*
+  *  parse_argv () --
+  *	parse the command line arguments, and fill in "pinfo" with any
+@@ -198,20 +166,14 @@ static char *ask_new_shell(char *question, char *oldshell)
+ {
+ 	int len;
+ 	char *ans = NULL;
+-#ifdef HAVE_LIBREADLINE
+-	rl_attempted_completion_function = shell_name_completion;
+-#else
+ 	size_t dummy = 0;
+-#endif
+
+ 	if (!oldshell)
+ 		oldshell = "";
+ 	printf("%s [%s]\n", question, oldshell);
+-#ifdef HAVE_LIBREADLINE
+-	if ((ans = readline("> ")) == NULL)
+-#else
+ 	if (getline(&ans, &dummy, stdin) < 0)
+-#endif
+ 		return NULL;
+
+ 	/* remove the newline at the end of ans. */
+ 	ltrim_whitespace((unsigned char *) ans);
+ 	len = rtrim_whitespace((unsigned char *) ans);
+-- 
+2.25.1
+
--- a/meta/recipes-core/util-linux/util-linux_2.35.1.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.35.1.bb
@@ -15,6 +15,7 @@ SRC_URI += "file://configure-sbindir.patch \
            file://include-strutils-cleanup-strto-functions.patch \
            file://CVE-2021-3995.patch \
            file://CVE-2021-3996.patch \
+            file://CVE-2022-0563.patch \
 "
 SRC_URI[md5sum] = "7f64882f631225f0295ca05080cee1bf"
 SRC_URI[sha256sum] = "d9de3edd287366cd908e77677514b9387b22bc7b88f45b83e1922c3597f1d7f9"