From: Grisha Levit
Subject: [Bug-readline] INPUTRC issues
Date: Tue, 24 May 2016 01:51:47 -0400

This issue seems fairly minor, but RHEL (and maybe others) allow INPUTRC through sudo by default so perhaps this warrants some attention.
Something silly like:
    echo '$include /tmp/X' > /tmp/X
    INPUTRC=/tmp/X sudo bash -c 'read -e'
Will segfault:
    Program terminated with signal 11, Segmentation fault.
    #0 0x00007f275ac948d7 in __GI___libc_malloc (address@hidden) at malloc.c:2895
    2895 victim = _int_malloc(ar_ptr, bytes);
    (gdb) bt
    #0 0x00007f275ac948d7 in __GI___libc_malloc (address@hidden) at malloc.c:2895
    #1 0x0000000000474e40 in xmalloc (address@hidden) at xmalloc.c:112
    #2 0x00000000004bc6c3 in tilde_expand (address@hidden "/tmp/X") at ./tilde.c:202
(at slightly different places, depending on other directives in the file).
Since there is already current_readline_init_include_level, maybe implementing a max level for $include’s would be worthwhile.
The devel version of readline also has a lot more _rl_init_file_error calls that include portions of the parsed file, which would allow leaking portions of arbitrary file content. That’s probably more of a concern for sudo package maintainers though.
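
The $include depth cap suggested in the message above, sketched as an added example that is not part of the original post and is not readline's code. It is a simplified inputrc-style parser; MAX_INCLUDE_LEVEL, parse_init_file, parse_sample and the sample file names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed cap for this sketch; the message proposes a limit but names no value. */
#define MAX_INCLUDE_LEVEL 16

/* Parse an inputrc-style file, following "$include PATH" lines.
   Returns the number of directive lines seen, or -1 when a file cannot be
   opened or nesting exceeds the cap. The error carries no file content. */
static int parse_init_file(const char *path, int level)
{
    char line[1024];
    int count = 0, n;
    FILE *fp;

    if (level > MAX_INCLUDE_LEVEL)      /* refuse instead of recursing until memory runs out */
        return -1;
    if ((fp = fopen(path, "r")) == NULL)
        return -1;
    while (fgets(line, sizeof line, fp)) {
        line[strcspn(line, "\r\n")] = '\0';
        if (strncmp(line, "$include ", 9) == 0) {
            n = parse_init_file(line + 9, level + 1);
            if (n < 0) {                /* propagate the failure up every level */
                fclose(fp);
                return -1;
            }
            count += n;
        } else if (line[0] != '\0' && line[0] != '#') {
            count++;                    /* ordinary directive or key binding */
        }
    }
    fclose(fp);
    return count;
}

/* Constructed sample: write body to path in the current directory, parse, clean up. */
static int parse_sample(const char *path, const char *body)
{
    FILE *fp = fopen(path, "w");
    int n;
    if (fp == NULL) return -2;
    fputs(body, fp);
    fclose(fp);
    n = parse_init_file(path, 0);
    remove(path);
    return n;
}

int main(void)
{   /* Same shape as the /tmp/X reproducer: the file includes itself. */
    printf("self-include: %d\n", parse_sample("loop.inputrc", "$include loop.inputrc\n"));
    printf("plain file: %d\n", parse_sample("ok.inputrc", "set editing-mode vi\n# note\n"));
    return 0;
}
```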