util-linux: fix CVE-2022-0563

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. Backport patch from upstream: https://github.com/util-linux/util-linux/commit/faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17 Patch required slight modifications to apply cleanly to util-linux 2.35.1 (From OE-Core rev: dffbf6301612ca91f6a1c306b9dde754b44912bb) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Steve Sakoman <steve@sakoman.com> 2022-03-28 08:33:20 -1000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-04-01 23:22:43 +0100
commit: 67f1490197bf59b0efeea62ed823d03eee5968cb (patch)
tree: a28b4e91a6557cf0580e3a9eb8907462a1e5d2c2 /meta
parent: 631df1296924e86a5170bdd6fe001294fdff6ead (diff)
download: poky-67f1490197bf59b0efeea62ed823d03eee5968cb.tar.gz
2 files changed, 162 insertions, 0 deletions
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch b/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch
new file mode 100644
index 0000000000..54b496ea3f
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch
@@ -0,0 +1,161 @@
+From faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 10 Feb 2022 12:03:17 +0100
+Subject: [PATCH] chsh, chfn: remove readline support [CVE-2022-0563]
+The readline library uses INPUTRC= environment variable to get a path
+to the library config file. When the library cannot parse the
+specified file, it prints an error message containing data from the
+file.
+Unfortunately, the library does not use secure_getenv() (or a similar
+concept) to avoid vulnerabilities that could occur if set-user-ID or
+set-group-ID programs.
+Reported-by: Rory Mackie <rory.mackie@trailofbits.com>
+Signed-off-by: Karel Zak <kzak@redhat.com>
+Upstream-status: Backport
+https://github.com/util-linux/util-linux/commit/faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17
+CVE: CVE-2022-0563
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ login-utils/Makemodule.am |  2 +-
+ login-utils/chfn.c        | 16 +++------------
+ login-utils/chsh.c        | 42 ++-------------------------------------
+ 3 files changed, 6 insertions(+), 54 deletions(-)
+diff --git a/login-utils/Makemodule.am b/login-utils/Makemodule.am
+index fac5bfc..73636af 100644
+--- a/login-utils/Makemodule.am
+++ b/login-utils/Makemodule.am
+@@ -82,7 +82,7 @@ chfn_chsh_sources = \
+        login-utils/ch-common.c
+ chfn_chsh_cflags = $(SUID_CFLAGS) $(AM_CFLAGS)
+ chfn_chsh_ldflags = $(SUID_LDFLAGS) $(AM_LDFLAGS)
+-chfn_chsh_ldadd = libcommon.la $(READLINE_LIBS)
+chfn_chsh_ldadd = libcommon.la
+ 
+ if CHFN_CHSH_PASSWORD
+ chfn_chsh_ldadd += -lpam
+diff --git a/login-utils/chfn.c b/login-utils/chfn.c
+index b739555..2f8e44a 100644
+--- a/login-utils/chfn.c
+++ b/login-utils/chfn.c
+@@ -56,11 +56,6 @@
+ # include "auth.h"
+ #endif
+ 
+-#ifdef HAVE_LIBREADLINE
+-# define _FUNCTION_DEF
+-# include <readline/readline.h>
+-#endif
+-
+ struct finfo {
+        char *full_name;
+        char *office;
+@@ -229,22 +224,17 @@ static char *ask_new_field(struct chfn_control *ctl, const char *question,
+ {
+        int len;
+        char *buf;
+-#ifndef HAVE_LIBREADLINE
+-       size_t dummy = 0;
+-#endif
+ 
+        if (!def_val)
+                def_val = "";
+
+        while (true) {
+                printf("%s [%s]: ", question, def_val);
+                __fpurge(stdin);
+-#ifdef HAVE_LIBREADLINE
+-               rl_bind_key('\t', rl_insert);
+-               if ((buf = readline(NULL)) == NULL)
+-#else
+
+                if (getline(&buf, &dummy, stdin) < 0)
+-#endif
+                        errx(EXIT_FAILURE, _("Aborted."));
+
+                /* remove white spaces from string end */
+                ltrim_whitespace((unsigned char *) buf);
+                len = rtrim_whitespace((unsigned char *) buf);
+diff --git a/login-utils/chsh.c b/login-utils/chsh.c
+index a9ebec8..ee6ff87 100644
+--- a/login-utils/chsh.c
+++ b/login-utils/chsh.c
+@@ -58,11 +58,6 @@
+ # include "auth.h"
+ #endif
+ 
+-#ifdef HAVE_LIBREADLINE
+-# define _FUNCTION_DEF
+-# include <readline/readline.h>
+-#endif
+-
+ struct sinfo {
+        char *username;
+        char *shell;
+@@ -121,33 +116,6 @@ static void print_shells(void)
+        endusershell();
+ }
+ 
+-#ifdef HAVE_LIBREADLINE
+-static char *shell_name_generator(const char *text, int state)
+-{
+-       static size_t len;
+-       char *s;
+-
+-       if (!state) {
+-               setusershell();
+-               len = strlen(text);
+-       }
+-
+-       while ((s = getusershell())) {
+-               if (strncmp(s, text, len) == 0)
+-                       return xstrdup(s);
+-       }
+-       return NULL;
+-}
+-
+-static char **shell_name_completion(const char *text,
+-                                   int start __attribute__((__unused__)),
+-                                   int end __attribute__((__unused__)))
+-{
+-       rl_attempted_completion_over = 1;
+-       return rl_completion_matches(text, shell_name_generator);
+-}
+-#endif
+-
+ /*
+  *  parse_argv () --
+  *     parse the command line arguments, and fill in "pinfo" with any
+@@ -198,20 +166,14 @@ static char *ask_new_shell(char *question, char *oldshell)
+ {
+        int len;
+        char *ans = NULL;
+-#ifdef HAVE_LIBREADLINE
+-       rl_attempted_completion_function = shell_name_completion;
+-#else
+        size_t dummy = 0;
+-#endif
+
+        if (!oldshell)
+                oldshell = "";
+        printf("%s [%s]\n", question, oldshell);
+-#ifdef HAVE_LIBREADLINE
+-       if ((ans = readline("> ")) == NULL)
+-#else
+        if (getline(&ans, &dummy, stdin) < 0)
+-#endif
+                return NULL;
+
+        /* remove the newline at the end of ans. */
+        ltrim_whitespace((unsigned char *) ans);
+        len = rtrim_whitespace((unsigned char *) ans);
+-- 
+2.25.1
diff --git a/meta/recipes-core/util-linux/util-linux_2.35.1.bb b/meta/recipes-core/util-linux/util-linux_2.35.1.bb
index 96d5eca518..89dc564ecb 100644
--- a/meta/recipes-core/util-linux/util-linux_2.35.1.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.35.1.bb
@@ -15,6 +15,7 @@ SRC_URI += "file://configure-sbindir.patch \
            file://include-strutils-cleanup-strto-functions.patch \
            file://CVE-2021-3995.patch \
            file://CVE-2021-3996.patch \
+            file://CVE-2022-0563.patch \
 "
 SRC_URI[md5sum] = "7f64882f631225f0295ca05080cee1bf"
 SRC_URI[sha256sum] = "d9de3edd287366cd908e77677514b9387b22bc7b88f45b83e1922c3597f1d7f9"
author	Steve Sakoman <steve@sakoman.com>	2022-03-28 08:33:20 -1000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-04-01 23:22:43 +0100
commit	67f1490197bf59b0efeea62ed823d03eee5968cb (patch)
tree	a28b4e91a6557cf0580e3a9eb8907462a1e5d2c2 /meta
parent	631df1296924e86a5170bdd6fe001294fdff6ead (diff)
download	poky-67f1490197bf59b0efeea62ed823d03eee5968cb.tar.gz

diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch b/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch new file mode 100644 index 0000000000..54b496ea3f --- /dev/null +++ b/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch
@@ -0,0 +1,161 @@
		1	From faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17 Mon Sep 17 00:00:00 2001
		2	From: Karel Zak <kzak@redhat.com>
		3	Date: Thu, 10 Feb 2022 12:03:17 +0100
		4	Subject: [PATCH] chsh, chfn: remove readline support [CVE-2022-0563]
		5
		6	The readline library uses INPUTRC= environment variable to get a path
		7	to the library config file. When the library cannot parse the
		8	specified file, it prints an error message containing data from the
		9	file.
		10
		11	Unfortunately, the library does not use secure_getenv() (or a similar
		12	concept) to avoid vulnerabilities that could occur if set-user-ID or
		13	set-group-ID programs.
		14
		15	Reported-by: Rory Mackie <rory.mackie@trailofbits.com>
		16	Signed-off-by: Karel Zak <kzak@redhat.com>
		17
		18	Upstream-status: Backport
		19	https://github.com/util-linux/util-linux/commit/faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17
		20
		21	CVE: CVE-2022-0563
		22
		23	Signed-off-by: Steve Sakoman <steve@sakoman.com>
		24
		25	---
		26	login-utils/Makemodule.am \| 2 +-
		27	login-utils/chfn.c \| 16 +++------------
		28	login-utils/chsh.c \| 42 ++-------------------------------------
		29	3 files changed, 6 insertions(+), 54 deletions(-)
		30
		31	diff --git a/login-utils/Makemodule.am b/login-utils/Makemodule.am
		32	index fac5bfc..73636af 100644
		33	--- a/login-utils/Makemodule.am
		34	+++ b/login-utils/Makemodule.am
		35	@@ -82,7 +82,7 @@ chfn_chsh_sources = \
		36	login-utils/ch-common.c
		37	chfn_chsh_cflags = $(SUID_CFLAGS) $(AM_CFLAGS)
		38	chfn_chsh_ldflags = $(SUID_LDFLAGS) $(AM_LDFLAGS)
		39	-chfn_chsh_ldadd = libcommon.la $(READLINE_LIBS)
		40	+chfn_chsh_ldadd = libcommon.la
		41
		42	if CHFN_CHSH_PASSWORD
		43	chfn_chsh_ldadd += -lpam
		44	diff --git a/login-utils/chfn.c b/login-utils/chfn.c
		45	index b739555..2f8e44a 100644
		46	--- a/login-utils/chfn.c
		47	+++ b/login-utils/chfn.c
		48	@@ -56,11 +56,6 @@
		49	# include "auth.h"
		50	#endif
		51
		52	-#ifdef HAVE_LIBREADLINE
		53	-# define _FUNCTION_DEF
		54	-# include <readline/readline.h>
		55	-#endif
		56	-
		57	struct finfo {
		58	char *full_name;
		59	char *office;
		60	@@ -229,22 +224,17 @@ static char ask_new_field(struct chfn_control ctl, const char *question,
		61	{
		62	int len;
		63	char *buf;
		64	-#ifndef HAVE_LIBREADLINE
		65	- size_t dummy = 0;
		66	-#endif
		67
		68	if (!def_val)
		69	def_val = "";
		70	+
		71	while (true) {
		72	printf("%s [%s]: ", question, def_val);
		73	__fpurge(stdin);
		74	-#ifdef HAVE_LIBREADLINE
		75	- rl_bind_key('\t', rl_insert);
		76	- if ((buf = readline(NULL)) == NULL)
		77	-#else
		78	+
		79	if (getline(&buf, &dummy, stdin) < 0)
		80	-#endif
		81	errx(EXIT_FAILURE, _("Aborted."));
		82	+
		83	/* remove white spaces from string end */
		84	ltrim_whitespace((unsigned char *) buf);
		85	len = rtrim_whitespace((unsigned char *) buf);
		86	diff --git a/login-utils/chsh.c b/login-utils/chsh.c
		87	index a9ebec8..ee6ff87 100644
		88	--- a/login-utils/chsh.c
		89	+++ b/login-utils/chsh.c
		90	@@ -58,11 +58,6 @@
		91	# include "auth.h"
		92	#endif
		93
		94	-#ifdef HAVE_LIBREADLINE
		95	-# define _FUNCTION_DEF
		96	-# include <readline/readline.h>
		97	-#endif
		98	-
		99	struct sinfo {
		100	char *username;
		101	char *shell;
		102	@@ -121,33 +116,6 @@ static void print_shells(void)
		103	endusershell();
		104	}
		105
		106	-#ifdef HAVE_LIBREADLINE
		107	-static char shell_name_generator(const char text, int state)
		108	-{
		109	- static size_t len;
		110	- char *s;
		111	-
		112	- if (!state) {
		113	- setusershell();
		114	- len = strlen(text);
		115	- }
		116	-
		117	- while ((s = getusershell())) {
		118	- if (strncmp(s, text, len) == 0)
		119	- return xstrdup(s);
		120	- }
		121	- return NULL;
		122	-}
		123	-
		124	-static char *shell_name_completion(const char text,
		125	- int start __attribute__((__unused__)),
		126	- int end __attribute__((__unused__)))
		127	-{
		128	- rl_attempted_completion_over = 1;
		129	- return rl_completion_matches(text, shell_name_generator);
		130	-}
		131	-#endif
		132	-
		133	/*
		134	* parse_argv () --
		135	* parse the command line arguments, and fill in "pinfo" with any
		136	@@ -198,20 +166,14 @@ static char ask_new_shell(char question, char *oldshell)
		137	{
		138	int len;
		139	char *ans = NULL;
		140	-#ifdef HAVE_LIBREADLINE
		141	- rl_attempted_completion_function = shell_name_completion;
		142	-#else
		143	size_t dummy = 0;
		144	-#endif
		145	+
		146	if (!oldshell)
		147	oldshell = "";
		148	printf("%s [%s]\n", question, oldshell);
		149	-#ifdef HAVE_LIBREADLINE
		150	- if ((ans = readline("> ")) == NULL)
		151	-#else
		152	if (getline(&ans, &dummy, stdin) < 0)
		153	-#endif
		154	return NULL;
		155	+
		156	/* remove the newline at the end of ans. */
		157	ltrim_whitespace((unsigned char *) ans);
		158	len = rtrim_whitespace((unsigned char *) ans);
		159	--
		160	2.25.1
		161


diff --git a/meta/recipes-core/util-linux/util-linux_2.35.1.bb b/meta/recipes-core/util-linux/util-linux_2.35.1.bb index 96d5eca518..89dc564ecb 100644 --- a/meta/recipes-core/util-linux/util-linux_2.35.1.bb +++ b/meta/recipes-core/util-linux/util-linux_2.35.1.bb
@@ -15,6 +15,7 @@ SRC_URI += "file://configure-sbindir.patch \
15	file://include-strutils-cleanup-strto-functions.patch \	15	file://include-strutils-cleanup-strto-functions.patch \
16	file://CVE-2021-3995.patch \	16	file://CVE-2021-3995.patch \
17	file://CVE-2021-3996.patch \	17	file://CVE-2021-3996.patch \
		18	file://CVE-2022-0563.patch \
18	"	19	"
19	SRC_URI[md5sum] = "7f64882f631225f0295ca05080cee1bf"	20	SRC_URI[md5sum] = "7f64882f631225f0295ca05080cee1bf"
20	SRC_URI[sha256sum] = "d9de3edd287366cd908e77677514b9387b22bc7b88f45b83e1922c3597f1d7f9"	21	SRC_URI[sha256sum] = "d9de3edd287366cd908e77677514b9387b22bc7b88f45b83e1922c3597f1d7f9"