Date: Mon, 14 Feb 2022 12:06:09 +0100
From: Karel Zak
To: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, util-linux@vger.kernel.org
Subject: [ANNOUNCE] util-linux v2.37.4
Message-ID: <20220214110609.msiwlm457ngoic6w@ws.net.home>

The util-linux release v2.37.4 is available at

  http://www.kernel.org/pub/linux/utils/util-linux/v2.37/

Feedback and bug reports, as always, are welcomed.

This release fixes a security issue in chsh(1) and chfn(8) when util-linux is compiled with libreadline.

CVE-2022-0563

  The readline library uses the INPUTRC= environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file.
  Unfortunately, the library does not use secure_getenv() (or a similar concept), or sanitize the config file path to avoid vulnerabilities that could occur if set-user-ID or set-group-ID programs.

  Note, this vulnerability has been reproduced on chfn(8), but this command requires the CHFN_RESTRICT setting to be enabled in /etc/login.defs. This setting may be disabled by default.

--
 Karel Zak
 http://karelzak.blogspot.com
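
Added example, not part of the announcement and not util-linux or readline code: a C illustration of the "secure_getenv() or a similar concept" mentioned above, where the INPUTRC path is honoured only when the kernel's AT_SECURE flag shows the process is not running set-user-ID or set-group-ID. The helper names and the fixed /etc/inputrc fallback are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE (Linux) */

#define SYSTEM_INPUTRC "/etc/inputrc"   /* assumed fixed fallback path */

/* Returns 1 when the kernel marked this execution as privileged
 * (set-user-ID, set-group-ID or file capabilities). glibc's
 * secure_getenv() keys off the same condition. */
static int running_privileged(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Hypothetical helper: return an environment variable only when the
 * process is not privileged, in the manner of secure_getenv(). */
static const char *env_if_unprivileged(const char *name, int privileged)
{
    return privileged ? NULL : getenv(name);
}

/* Choose the config file a line-editing library should read: the
 * caller-controlled INPUTRC path is ignored in a privileged process,
 * so a file the caller cannot read is never opened on their behalf. */
static const char *inputrc_path(int privileged)
{
    const char *p = env_if_unprivileged("INPUTRC", privileged);
    return (p != NULL && *p != '\0') ? p : SYSTEM_INPUTRC;
}

int main(void)
{
    int priv = running_privileged();
    printf("privileged=%d config=%s\n", priv, inputrc_path(priv));
    return 0;
}
```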