git.ipfire.org Git - thirdparty/util-linux.git/commit
chsh, chfn: remove readline support [CVE-2022-0563]
author Karel Zak <kzak@redhat.com>
Thu, 10 Feb 2022 11:03:17 +0000 (12:03 +0100)
committer Karel Zak <kzak@redhat.com>
Mon, 14 Feb 2022 11:27:40 +0000 (12:27 +0100)
commit faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17
tree 530cfd0c317576d1b274cb8c65d1224bcd67b746
parent 43485143623b46f54ed3cac13f159566d32c3675
chsh, chfn: remove readline support [CVE-2022-0563]

The readline library uses INPUTRC= environment variable to get a path
to the library config file. When the library cannot parse the
specified file, it prints an error message containing data from the
file.

Unfortunately, the library does not use secure_getenv() (or a similar
concept) to avoid vulnerabilities that could occur if set-user-ID or
set-group-ID programs.

Reported-by: Rory Mackie <rory.mackie@trailofbits.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
login-utils/Makemodule.am
login-utils/chfn.c
login-utils/chsh.c
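
The guard the commit message says is missing, as an added example (not code from util-linux or readline): an environment lookup that returns nothing when the process runs set-user-ID or set-group-ID, which is the contract of secure_getenv(3). The helper names, the EXAMPLE_RC variable and the /etc/example.rc path are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/auxv.h>

/* Pure policy check, kept separate so it can be tested without a
 * set-user-ID binary. at_secure is the kernel's AT_SECURE flag, which is
 * also set for set-group-ID and file-capability executables. */
int runs_privileged(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                    unsigned long at_secure)
{
    return at_secure != 0 || ruid != euid || rgid != egid;
}

/* Hypothetical helper with the contract of secure_getenv(3): the caller
 * controls the environment, so treat it as empty when privileged. */
const char *safe_getenv(const char *name)
{
    if (runs_privileged(getuid(), geteuid(), getgid(), getegid(),
                        getauxval(AT_SECURE)))
        return NULL;
    return getenv(name);
}

/* Hypothetical helper: choose a config file. A privileged process never
 * opens a caller-chosen path, so nothing from a file the caller cannot
 * read can end up in a parse error message. */
const char *config_path(const char *envname, const char *fallback)
{
    const char *p = safe_getenv(envname);
    return (p != NULL && *p != '\0') ? p : fallback;
}

int main(void)
{
    /* EXAMPLE_RC and /etc/example.rc are constructed names. */
    printf("config file: %s\n", config_path("EXAMPLE_RC", "/etc/example.rc"));
    return 0;
}
```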