Bug 995726 - (CVE-2016-7091) VUL-1: CVE-2016-7091: sudo: Possible info leak via INPUTRC
VUL-1: CVE-2016-7091: sudo: Possible info leak via INPUTRC
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Minor
: ---
Assigned To: Kristyna Streitova
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2016-08-26 07:33 UTC by Victor Pereira
Modified: 2016-11-11 15:23 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2016-08-26 07:33:11 UTC

It was found that malicious user can leak some information about arbitrary files by providing arbitrary value for INPUTRC, since the target application parses the INPUTRC file with the target user's privileges.

This kind of attack is in current version of readline limited to only timing attacks and leaks of line content matching a very particular format, but the next release will feature enhanced error reporting, making the disclosure more dangerous.  It is also possible to cause segmentation fault through stack exhaustion in the target application by having INPUTRC specify a file with an $include directive for itself.

SUSE SLE-12 and SLE-11, OpenSUSE Leap and Tumbleweed don't include by default INPUTRC in /etc/sudoers.  

INPUTRC should not be included in "env_keep" at all, or else somehow restricted to non-restricted shells (ie /bin/sh, /bin/bash).

Upstream bug:


Comment 1 Swamp Workflow Management 2016-08-26 22:00:12 UTC
bugbot adjusting priority
Comment 2 Alexander Bergmann 2016-08-30 15:20:27 UTC
As Victor already mentioned, INPUTRC is not part of the default env_keep string in /etc/sudoers in any SUSE product. Therefore changing this bug to VUL-1.
Comment 4 Kristyna Streitova 2016-11-11 14:43:11 UTC
We are not affected by this issue.

Closing as invalid.