From: Karel Zak Date: Mon, 14 Feb 2022 09:48:24 +0000 (+0100) Subject: docs: update v2.37.4-ReleaseNotes X-Git-Tag: v2.37.4~1 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=0eb9b508787486d774320d00a74f2f306abb2c5a;p=thirdparty%2Futil-linux.git docs: update v2.37.4-ReleaseNotes Signed-off-by: Karel Zak --- diff --git a/Documentation/releases/v2.37.4-ReleaseNotes b/Documentation/releases/v2.37.4-ReleaseNotes new file mode 100644 index 0000000000..330ab09ce8 --- /dev/null +++ b/Documentation/releases/v2.37.4-ReleaseNotes @@ -0,0 +1,15 @@ +util-linux 2.37.4 Release Notes +=============================== + +This release fixes security issue in chsh(1) and chfn(8): + +CVE-2022-0563 + + The readline library uses INPUTRC= environment variable to get a path + to the library config file. When the library cannot parse the + specified file, it prints an error message containing data from the + file. + + Unfortunately, the library does not use secure_getenv() (or a similar + concept), or sanitize the config file path to avoid vulnerabilities that + could occur if set-user-ID or set-group-ID programs.
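Review bot: The last sentence of the CVE-2022-0563 paragraph is incomplete: "could occur if set-user-ID or set-group-ID programs." has no verb, so the notes never state the condition under which the problem applies. Complete the clause, and add a sentence saying what this release actually changes in chsh and chfn, because the text describes how readline handles INPUTRC= and prints file data in its error message, but not the fix or the resulting impact. Two smaller points in the opening line: "fixes security issue" needs an article ("fixes a security issue"), and chfn is cited as chfn(8) while chsh is chsh(1); chfn is a section 1 page, so this should read chfn(1).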