CVE request - sudoers on Red Hat, Fedora, Mageia information disclosure

[Doran Moppert <dmoppert () redhat com>]

The inclusion of "INPUTRC" in env_keep in /etc/sudoers allowed
information disclosure through readline-enabled programs parsing the
named file with elevated privileges.  Local users with sudo access could
read (portions of) specially-formatted files with elevated privileges.
Future versions of readline will make the vulnerability more significant
by showing error messages for malformed entries, rather than silently
ignoring them.

This flaw is distribution-specific - upstream sudo does not include
INPUTRC, and we are not aware at this time of any other distros that
include it.

The following packages address this issue:

        sudo-1.8.15-2.fc22
        sudo-1.8.15-2.fc23
        sudo-1.8.16-4.fc24
        sudo-1.8.17p1-1.mga5

This was brought to our attention by Grisha Levit.

https://bugzilla.redhat.com/show_bug.cgi?id=1339935

-- 
Doran Moppert
Red Hat Product Security

Attachment: _bin
Description: