diff options
-rw-r--r-- | meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch | 161 | ||||
-rw-r--r-- | meta/recipes-core/util-linux/util-linux_2.35.1.bb | 1 |
2 files changed, 162 insertions, 0 deletions
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch b/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch new file mode 100644 index 0000000000..54b496ea3f --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch @@ -0,0 +1,161 @@ +From faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17 Mon Sep 17 00:00:00 2001 +From: Karel Zak <kzak@redhat.com> +Date: Thu, 10 Feb 2022 12:03:17 +0100 +Subject: [PATCH] chsh, chfn: remove readline support [CVE-2022-0563] + +The readline library uses INPUTRC= environment variable to get a path +to the library config file. When the library cannot parse the +specified file, it prints an error message containing data from the +file. + +Unfortunately, the library does not use secure_getenv() (or a similar +concept) to avoid vulnerabilities that could occur if set-user-ID or +set-group-ID programs. + +Reported-by: Rory Mackie <rory.mackie@trailofbits.com> +Signed-off-by: Karel Zak <kzak@redhat.com> + +Upstream-status: Backport +https://github.com/util-linux/util-linux/commit/faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17 + +CVE: CVE-2022-0563 + +Signed-off-by: Steve Sakoman <steve@sakoman.com> + +--- + login-utils/Makemodule.am | 2 +- + login-utils/chfn.c | 16 +++------------ + login-utils/chsh.c | 42 ++------------------------------------- + 3 files changed, 6 insertions(+), 54 deletions(-) + +diff --git a/login-utils/Makemodule.am b/login-utils/Makemodule.am +index fac5bfc..73636af 100644 +--- a/login-utils/Makemodule.am ++++ b/login-utils/Makemodule.am +@@ -82,7 +82,7 @@ chfn_chsh_sources = \ + login-utils/ch-common.c + chfn_chsh_cflags = $(SUID_CFLAGS) $(AM_CFLAGS) + chfn_chsh_ldflags = $(SUID_LDFLAGS) $(AM_LDFLAGS) +-chfn_chsh_ldadd = libcommon.la $(READLINE_LIBS) ++chfn_chsh_ldadd = libcommon.la + + if CHFN_CHSH_PASSWORD + chfn_chsh_ldadd += -lpam +diff --git a/login-utils/chfn.c b/login-utils/chfn.c +index b739555..2f8e44a 100644 +--- a/login-utils/chfn.c ++++ b/login-utils/chfn.c +@@ -56,11 +56,6 @@ + # include "auth.h" + #endif + +-#ifdef HAVE_LIBREADLINE +-# define _FUNCTION_DEF +-# include <readline/readline.h> +-#endif +- + struct finfo { + char *full_name; + char *office; +@@ -229,22 +224,17 @@ static char *ask_new_field(struct chfn_control *ctl, const char *question, + { + int len; + char *buf; +-#ifndef HAVE_LIBREADLINE +- size_t dummy = 0; +-#endif + + if (!def_val) + def_val = ""; ++ + while (true) { + printf("%s [%s]: ", question, def_val); + __fpurge(stdin); +-#ifdef HAVE_LIBREADLINE +- rl_bind_key('\t', rl_insert); +- if ((buf = readline(NULL)) == NULL) +-#else ++ + if (getline(&buf, &dummy, stdin) < 0) +-#endif + errx(EXIT_FAILURE, _("Aborted.")); ++ + /* remove white spaces from string end */ + ltrim_whitespace((unsigned char *) buf); + len = rtrim_whitespace((unsigned char *) buf); +diff --git a/login-utils/chsh.c b/login-utils/chsh.c +index a9ebec8..ee6ff87 100644 +--- a/login-utils/chsh.c ++++ b/login-utils/chsh.c +@@ -58,11 +58,6 @@ + # include "auth.h" + #endif + +-#ifdef HAVE_LIBREADLINE +-# define _FUNCTION_DEF +-# include <readline/readline.h> +-#endif +- + struct sinfo { + char *username; + char *shell; +@@ -121,33 +116,6 @@ static void print_shells(void) + endusershell(); + } + +-#ifdef HAVE_LIBREADLINE +-static char *shell_name_generator(const char *text, int state) +-{ +- static size_t len; +- char *s; +- +- if (!state) { +- setusershell(); +- len = strlen(text); +- } +- +- while ((s = getusershell())) { +- if (strncmp(s, text, len) == 0) +- return xstrdup(s); +- } +- return NULL; +-} +- +-static char **shell_name_completion(const char *text, +- int start __attribute__((__unused__)), +- int end __attribute__((__unused__))) +-{ +- rl_attempted_completion_over = 1; +- return rl_completion_matches(text, shell_name_generator); +-} +-#endif +- + /* + * parse_argv () -- + * parse the command line arguments, and fill in "pinfo" with any +@@ -198,20 +166,14 @@ static char *ask_new_shell(char *question, char *oldshell) + { + int len; + char *ans = NULL; +-#ifdef HAVE_LIBREADLINE +- rl_attempted_completion_function = shell_name_completion; +-#else + size_t dummy = 0; +-#endif ++ + if (!oldshell) + oldshell = ""; + printf("%s [%s]\n", question, oldshell); +-#ifdef HAVE_LIBREADLINE +- if ((ans = readline("> ")) == NULL) +-#else + if (getline(&ans, &dummy, stdin) < 0) +-#endif + return NULL; ++ + /* remove the newline at the end of ans. */ + ltrim_whitespace((unsigned char *) ans); + len = rtrim_whitespace((unsigned char *) ans); +-- +2.25.1 + diff --git a/meta/recipes-core/util-linux/util-linux_2.35.1.bb b/meta/recipes-core/util-linux/util-linux_2.35.1.bb index 96d5eca518..89dc564ecb 100644 --- a/meta/recipes-core/util-linux/util-linux_2.35.1.bb +++ b/meta/recipes-core/util-linux/util-linux_2.35.1.bb @@ -15,6 +15,7 @@ SRC_URI += "file://configure-sbindir.patch \ file://include-strutils-cleanup-strto-functions.patch \ file://CVE-2021-3995.patch \ file://CVE-2021-3996.patch \ + file://CVE-2022-0563.patch \ " SRC_URI[md5sum] = "7f64882f631225f0295ca05080cee1bf" SRC_URI[sha256sum] = "d9de3edd287366cd908e77677514b9387b22bc7b88f45b83e1922c3597f1d7f9" |