Opened 8 months ago

Closed 8 months ago

#5010 closed enhancement (fixed)

util-linux-2.37.4

Reported by: Douglas R. Reno Owned by: lfs-book
Priority: high Milestone: 11.1
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New point version, and a security release

util-linux 2.37.4 Release Notes
===============================

This release fixes security issue in chsh(1) and chfn(8):

CVE-2022-0563

  The readline library uses INPUTRC= environment variable to get a path
  to the library config file. When the library cannot parse the
  specified file, it prints an error message containing data from the
  file.
    
  Unfortunately, the library does not use secure_getenv() (or a similar
  concept), or sanitize the config file path to avoid vulnerabilities that
  could occur if set-user-ID or set-group-ID programs.

Change History (3)

comment:1 by Xi Ruoyao, 8 months ago

It seems we can remove "runstatedir=/run". It's now the default.

comment:2 by Bruce Dubbs, 8 months ago

OK, I'll do that.

comment:3 by Bruce Dubbs, 8 months ago

Resolution: fixed
Status: newclosed

Fixed at commit 6af4dabc16cc044f4d65372cdbd203310df08e20

Package updates and fixes.
    Add binutils-2.38 LTO patch.
    Update to util-linux-2.37.4.
    Update to man-db-2.10.1.
    Update to linux-5.16.9.
    Update to vim-8.2.4383.
    Update to iana-etc-20220207.
Note: See TracTickets for help on using tickets.