|Subject:||[Bug-readline] INPUTRC issues|
|Date:||Tue, 24 May 2016 01:51:47 -0400|
This issue seems fairly minor, but RHEL (and maybe others) allow INPUTRC through sudo by default so perhaps this warrants some attention.
Something silly like:
echo '$include /tmp/X' > /tmp/X INPUTRC=/tmp/X sudo bash -c 'read -e'
Program terminated with signal 11, Segmentation fault. #0 0x00007f275ac948d7 in __GI___libc_malloc (address@hidden) at malloc.c:2895 2895 victim = _int_malloc(ar_ptr, bytes); (gdb) bt #0 0x00007f275ac948d7 in __GI___libc_malloc (address@hidden) at malloc.c:2895 #1 0x0000000000474e40 in xmalloc (address@hidden) at xmalloc.c:112 #2 0x00000000004bc6c3 in tilde_expand (address@hidden "/tmp/X") at ./tilde.c:202
(at slightly different places, depending on other directives in the file).
Since there is already current_readline_init_include_level, maybe implementing a max level for $include’s would be worthwhile.
The devel version of readline also has a lot more _rl_init_file_error calls that include portions of the parsed file, which would allow leaking portions of arbitrary file content. That’s probably more of a concern for sudo package maintainers though.
|[Prev in Thread]||Current Thread||[Next in Thread]|